SonicWall says attackers compromised some firewall configuration backup files

Between attackers exploiting 0-day and n-day vulnerabilities in the company’s firewalls and Secure Mobile Access appliances, SonicWall and its customers have had a tough year.

And, unfortunately for them, the troubles are not over: unknown attackers brute-forced their way into SonicWall’s cloud backup service for firewalls and accessed backup firewall preference files for “fewer than 5% of our firewall install base,” SonicWall disclosed on Wednesday.

“We are not presently aware of these files being leaked online by threat actors. This was not a ransomware or similar event for SonicWall, rather this was a series of brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors.”

A SonicWall backup firewall preferences file contains the complete configuration of the firewall at the time of export:

  • System and device settings
  • Network configurations
  • Routing configurations and rules
  • Firewall rules and enabled security services
  • VPN configuration, settings and policies
  • User and group accounts, credentials, password policies, and more.

“While credentials within the files were encrypted, the [accessed backup firewall preference files] also included information that could make it easier for attackers to potentially exploit the related firewall,” the company noted.

SonicWall has urged customers to log into the MySonicWall portal and check if cloud backups are enabled for the firewalls they are using.

Customers who never enabled cloud backups are not affected by this incident. Those who did should follow SonicWall’s containment and remediation guidelines and its remediation playbook.

The guidelines are extensive, and SonicWall has tried to make the process easier by providing new preferences files for importing into affected firewalls.

These are based on each customer’s latest preferences file found in cloud storage, but with local user passwords and IPSec VPN pre-shared keys randomized and TOTP bindings reset (where they were enabled).

“IPSec VPN pre-shared keys will need to be reconfigured manually to restore functionality after importing the preferences. Users with TOTP bindings will have them reset along with their password,” the company warns, and advises customers to import the preferences “during a maintenance window, off-hours, or during times of minimal activity as importing preferences causes an immediate firewall reboot to apply the new configuration.”

Nevertheless, all of this could take a while and, depending on how many firewalls an organization uses, it could be quite a time-consuming endeavor.
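The step that scales worst in the procedure above is the manual IPSec pre-shared key reconfiguration: every tunnel’s new key has to be entered on both peers, and a mismatch leaves the tunnel down. The following is an added example (not SonicWall’s tooling and not from the original article) that plans such a rotation for a constructed inventory of site-to-site tunnels. The tunnel names, firewall names and the 32-character alphanumeric key length are assumptions; the point is that each tunnel gets one freshly generated key from the OS CSPRNG, and each administrator gets a per-firewall list of exactly which keys to enter, so the two ends cannot drift apart.

```python
"""Plan an IPsec pre-shared-key rotation across a set of site-to-site tunnels.

Added example, not SonicWall's tooling. Assumes a hypothetical inventory in
which every tunnel is identified by the two firewalls that terminate it.
"""
import secrets
import string
from collections import defaultdict

# 32 symbols from a 62-symbol alphabet is roughly 190 bits of entropy (assumed policy)
PSK_LENGTH = 32

# Constructed sample inventory: tunnel name -> (peer A, peer B)
TUNNELS = {
    "hq-to-branch1": ("fw-hq", "fw-branch1"),
    "hq-to-branch2": ("fw-hq", "fw-branch2"),
    "branch1-to-branch2": ("fw-branch1", "fw-branch2"),
}


def generate_psk(length: int = PSK_LENGTH) -> str:
    """Return a random PSK drawn from letters and digits via the OS CSPRNG.

    Alphanumeric only, so no character gets mangled by a peer's management UI.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def plan_psk_rotation(tunnels):
    """Return (tunnel -> new PSK, firewall -> {tunnel: PSK}) for the inventory.

    Both peers of a tunnel are given the same key, so the per-firewall work
    lists are derived from one source of truth rather than typed twice.
    """
    new_keys = {name: generate_psk() for name in tunnels}
    per_firewall = defaultdict(dict)
    for name, (peer_a, peer_b) in tunnels.items():
        if peer_a == peer_b:
            raise ValueError(f"tunnel {name} lists the same firewall on both ends")
        per_firewall[peer_a][name] = new_keys[name]
        per_firewall[peer_b][name] = new_keys[name]
    return new_keys, dict(per_firewall)


def verify_plan(tunnels, new_keys, per_firewall) -> bool:
    """Pre-maintenance-window checks: every key is unique, long enough,
    and identical on both ends of its tunnel."""
    if len(set(new_keys.values())) != len(new_keys):
        return False
    for name, (peer_a, peer_b) in tunnels.items():
        key = new_keys[name]
        if len(key) < PSK_LENGTH:
            return False
        if per_firewall[peer_a].get(name) != key:
            return False
        if per_firewall[peer_b].get(name) != key:
            return False
    return True


if __name__ == "__main__":
    keys, work = plan_psk_rotation(TUNNELS)
    assert verify_plan(TUNNELS, keys, work)
    # Print only counts; the keys themselves belong in the secrets store, not stdout
    for fw, entries in sorted(work.items()):
        print(f"{fw}: {len(entries)} tunnel PSK(s) to enter")
```

The per-firewall work lists are what each administrator takes into the maintenance window; the keys should go into the organization’s secrets store rather than a ticket or e-mail, which is why the script prints counts only. The same pattern applies to the randomized local user passwords, with one record per firewall instead of one per tunnel.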

UPDATE (September 18, 2025, 02:30 p.m. ET):

“As soon as we discovered the activity, we immediately disabled access to the backup feature, implemented infrastructure and process changes to further secure our systems, and launched a comprehensive review of potentially affected environments. We also enlisted the services of a leading third-party IR and Consulting Firm to validate our investigation and findings,” shared Michael Crean, Senior VP of Managed Security Services at SonicWall.

“Impacted customers and partners have been directly notified with clear instructions to secure their devices. We encourage customers to first review the Knowledge Base (KB) article, which is updated regularly with the latest information and guidance. Our support team is available to assist with applying the guidance. Please note that all of the latest details are published in the Knowledge Base article and will be updated there first.”  
