
SonicWall has reported a security breach involving unauthorized access to its MySonicWall cloud backup service. Attackers used brute-force techniques to obtain firewall preference and backup files containing full device configurations. Continue reading this Cybersecurity Threat Advisory to learn more about the incident and recommended mitigation steps.
What is the threat?
SonicWall reports a series of brute-force attacks that resulted in unauthorized access to backups stored via the MySonicWall cloud backup feature for SonicWall firewalls. Customers with cloud backups enabled should consider themselves potentially impacted and verify their account and serial numbers in the MySonicWall portal. The attackers successfully authenticated via brute-force to access stored firewall preference and backup files. These preference files are complete snapshots of firewall configurations at the time of export. The vendor also noted that attackers have previously exploited both zero-day and known (n-day) vulnerabilities in SonicWall firewall and Secure Mobile Access appliances earlier this year.
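The advisory above describes brute-force authentication as the initial access method. The detector below is an added example, not code from Barracuda or SonicWall: it runs a sliding-window failed-login counter over constructed authentication log lines (the `user=... src=... result=...` format is an assumption, not a real MySonicWall or SonicOS log format) and raises a second, higher-priority alert when a success follows a burst of failures from the same source, which is the pattern this incident describes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for illustration only; the line format is an
# assumption and is not SonicWall's or MySonicWall's real log format.
SAMPLE_LOG = """\
2025-09-17T10:00:01Z auth user=alice src=203.0.113.5 result=FAIL
2025-09-17T10:00:03Z auth user=alice src=203.0.113.5 result=FAIL
2025-09-17T10:00:04Z auth user=alice src=203.0.113.5 result=FAIL
2025-09-17T10:00:06Z auth user=alice src=203.0.113.5 result=FAIL
2025-09-17T10:00:07Z auth user=alice src=203.0.113.5 result=FAIL
2025-09-17T10:00:09Z auth user=alice src=203.0.113.5 result=SUCCESS
2025-09-17T10:05:00Z auth user=bob src=198.51.100.7 result=FAIL
2025-09-17T10:30:00Z auth user=bob src=198.51.100.7 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_line(line):
    """Parse one constructed log line into (timestamp, user, src, result), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["src"], m["result"]


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return a list of alert dicts.

    Failures are tracked per (user, src) in a sliding time window. When the
    count reaches `threshold`, a 'brute_force' alert is emitted once for that
    key; a later SUCCESS for a flagged key emits 'brute_force_success', which
    is the case the advisory describes (attackers authenticated after guessing).
    """
    failures = defaultdict(deque)
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, src, result = rec
        key = (user, src)
        q = failures[key]
        # Expire failures that fell out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"type": "brute_force", "user": user, "src": src,
                               "count": len(q), "at": ts.isoformat()})
        else:  # SUCCESS
            if key in flagged:
                alerts.append({"type": "brute_force_success", "user": user,
                               "src": src, "at": ts.isoformat()})
            # A successful login resets the failure history for this key.
            q.clear()
            flagged.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

Keying on (user, source) keeps one user's ordinary typos from being mixed with a distributed guessing campaign; in practice the same counter is usually run a second time keyed on user alone to catch password spraying from many sources.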
Why is it noteworthy?
A typical SonicWall backup or preference file contains system and device settings, routing and NAT rules, and the firewall rulebase. It also includes enabled security services, VPN configuration and pre-shared keys, and user or group accounts with encrypted credentials. Additionally, these files may store 2FA and TOTP bindings, which can further expose sensitive configurations if compromised. Because some secrets are present, even if encrypted, attackers with access to these files have a significantly easier path to exploiting the firewall.
What is the exposure or risk?
Given the contents of the stolen backup files, attackers could potentially use the data for:
- VPN compromise: Pre-shared keys and VPN configuration in backups can be used to impersonate legitimate VPN endpoints or rehost VPN connections to intercept traffic.
- Credential reuse and lateral access: Captured encrypted credentials could enable access to other systems after offline cracking or via password reuse.
- Rule tampering and persistence: Attackers who can reach the firewall could import malicious firewall rules, open exfiltration channels, or whitelist attacker infrastructure.
- Targeted follow-on attacks: Preference files give reconnaissance value (network topology, NAT, VPN peers, internal subnets) that speeds lateral movement and payload targeting.
- Risk to confidentiality and operational security: Exfiltrated backups reveal complete firewall posture (rules, VPN tunnels, static routes, user accounts).
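Rule tampering is hard to notice by eye on a large rulebase, so the usual control is to diff the live configuration against a known-good snapshot taken before the exposure. The script below is an added example, not code from Barracuda or SonicWall, and the rule representation (a list of dicts keyed by rule name with `action`, `src`, `dst` and `service`) is an assumption rather than SonicWall's real export format. It reports added, removed and changed rules, and rates a finding high when a change widens access to `any` or flips a deny to an allow.

```python
# Constructed rulebase snapshots for illustration; not SonicWall's export format.
BASELINE = [
    {"name": "Allow-Web", "action": "allow", "src": "any", "dst": "WebServers", "service": "HTTPS"},
    {"name": "Allow-VPN-Mgmt", "action": "allow", "src": "VPN-Admins", "dst": "Firewall", "service": "HTTPS"},
    {"name": "Deny-Outbound-SMB", "action": "deny", "src": "LAN", "dst": "any", "service": "SMB"},
]
CURRENT = [
    {"name": "Allow-Web", "action": "allow", "src": "any", "dst": "WebServers", "service": "HTTPS"},
    # source widened from the admin group to any
    {"name": "Allow-VPN-Mgmt", "action": "allow", "src": "any", "dst": "Firewall", "service": "HTTPS"},
    # deny flipped to allow
    {"name": "Deny-Outbound-SMB", "action": "allow", "src": "LAN", "dst": "any", "service": "SMB"},
    # brand-new permissive egress rule
    {"name": "Temp-Egress", "action": "allow", "src": "LAN", "dst": "any", "service": "any"},
]


def index_rules(rules):
    """Map rule name -> rule dict (rule names are assumed unique)."""
    return {r["name"]: r for r in rules}


def diff_rulebase(baseline, current):
    """Return added, removed and changed rules between two snapshots.

    `changed` is a list of (name, {field: (old, new)}) in baseline order so
    the output is deterministic.
    """
    base, cur = index_rules(baseline), index_rules(current)
    added = [cur[n] for n in cur if n not in base]
    removed = [base[n] for n in base if n not in cur]
    changed = []
    for n in base:
        if n not in cur:
            continue
        fields = {k: (base[n][k], cur[n].get(k))
                  for k in base[n] if base[n][k] != cur[n].get(k)}
        if fields:
            changed.append((n, fields))
    return {"added": added, "removed": removed, "changed": changed}


def is_permissive(rule):
    """An allow rule with an 'any' endpoint or service deserves attention."""
    return rule["action"] == "allow" and (
        "any" in (rule["src"], rule["dst"]) or rule["service"] == "any")


def review(baseline, current):
    """Turn a rulebase diff into (severity, message) findings for an analyst."""
    d = diff_rulebase(baseline, current)
    findings = []
    for r in d["added"]:
        sev = "high" if is_permissive(r) else "medium"
        findings.append((sev, f"new rule {r['name']} "
                              f"({r['action']} {r['src']}->{r['dst']} {r['service']})"))
    for r in d["removed"]:
        findings.append(("medium", f"rule {r['name']} removed"))
    for name, fields in d["changed"]:
        for k, (old, new) in fields.items():
            widened = (k == "action" and new == "allow") or new == "any"
            sev = "high" if widened else "medium"
            findings.append((sev, f"rule {name}: {k} {old!r} -> {new!r}"))
    return findings


if __name__ == "__main__":
    for sev, msg in review(BASELINE, CURRENT):
        print(f"[{sev}] {msg}")
```

Snapshotting the baseline before rather than after the exposure window matters: a snapshot taken after an attacker has already imported rules would bless their changes as the norm.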
What are the recommendations?
Barracuda recommends the following actions to secure your network infrastructure:
- Check the MySonicWall portal to confirm whether your organization has cloud backups enabled and if any of your serial numbers appear on the impacted list.
- Follow SonicWall’s dedicated containment and remediation guidance and its remediation playbook. Import sanitized preference files only if SonicWall provides them, and follow the vendor’s instructions when doing so.
- Immediately rotate all firewall-related credentials and secrets contained in backups. Treat them as potentially exposed even if stored encrypted.
- Ensure SonicWall appliances are running the latest firmware and are fully patched.
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.helpnetsecurity.com/2025/09/18/sonicwall-attackers-firewall-configuration-backup-files/
- https://www.darkreading.com/cyberattacks-data-breaches/sonicwall-breached-firewall-backup
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.