MySonicWall Breach: Firewall Config Backups Exposed — Reset Passwords Now

As of September 18, 2025, SonicWall advises impacted customers to perform a MySonicWall breach password reset and rotate other secrets after threat actors accessed some cloud‑stored firewall configuration backups. SonicWall reports that fewer than 5% of firewalls had backup preference files accessed and that credentials in those files were encrypted; it has no evidence the files were leaked and characterizes the incident as brute-force activity against the cloud backup service/API rather than a ransomware event. SonicWall issued updated preferences files that randomize local passwords, reset TOTP bindings, and rotate IPSec VPN keys; importing them will reboot the firewall and disrupt IPSec VPN until peer keys are updated. [1][2][3] (sonicwall.com)

Overview

SonicWall detected suspicious activity against the cloud backup service used to store firewall preference files for MySonicWall accounts and confirmed a security incident in the preceding days. The company terminated unauthorized access, began an investigation with law enforcement, and notified affected customers. Fewer than 5% of firewalls had backup files accessed. While passwords inside these backups were stored in encrypted form, the files also contain operational details (e.g., user entries, interface/service settings, VPN parameters) that could help an adversary target the corresponding devices if secrets are not rotated. SonicWall emphasizes that this was a series of brute‑force attempts against the cloud backup service/API—not a ransomware event—and that it has no evidence the files were leaked online. [1][2] (sonicwall.com)

To reduce risk, SonicWall provided each affected organization with a newly generated preferences file and a remediation path: import the updated configuration (which randomizes local user passwords, resets TOTP bindings, and rotates IPSec pre‑shared keys) or perform the steps manually using a published “Essential Credential Reset” checklist. SonicWall cautions that importing will trigger a failover/reboot and temporarily break IPSec VPNs until matching keys are updated at peer endpoints. [1][3] (securityweek.com)

BleepingComputer reports SonicWall’s spokesperson attributed the intrusion vector to brute‑force attempts against the API service for cloud backups and reiterated the <5% scope. [2] (bleepingcomputer.com)

Context: Although unrelated to this incident, SonicWall SonicOS vulnerability CVE‑2024‑40766 was added to CISA’s KEV catalog on September 9, 2024, indicating active exploitation in the wild at that time. This elevates the importance of strict WAN access control and credential rotation while responding to any SonicWall‑related exposure. [4] (cisa.gov)

Impact

If an exposed backup corresponds to a firewall that has not rotated secrets, an adversary could:

  • Reuse or brute‑force local account passwords, attempt TOTP re‑enrollment, or leverage directory bind accounts if those credentials aren’t changed everywhere they’re used. [3] (sonicwall.com)
  • Abuse IPSec or SSL VPN configurations, especially if static pre‑shared keys or tokens remain unchanged, enabling unauthorized network access. [3] (sonicwall.com)
  • Modify access rules, NAT, or management exposure to create backdoors or disrupt services, leading to downtime and potential data exposure. [2][3] (bleepingcomputer.com)

Operationally, importing SonicWall’s updated preferences file will reboot the active device and disrupt IPSec VPN tunnels until peer keys are reconfigured, which must be planned to minimize business impact. [1] (sonicwall.com)

Affected Products & Versions

  • SonicWall firewalls that had preferences (configuration backup) files stored in MySonicWall cloud backups. Impacted devices/serials are flagged upon login to MySonicWall. [1] (sonicwall.com)
  • Not a software vulnerability; scope is independent of specific SonicOS versions and depends on whether cloud backup of preferences was enabled and accessed. [1] (sonicwall.com)
  • For contextual hardening (separate from this incident): SonicWall advisory SNWLID‑2024‑0015 for CVE‑2024‑40766 lists impacted versions and patch builds. [5] (nvd.nist.gov)

Exposure & Exploitability

  • Vector: Series of brute‑force attempts targeting the cloud backup service/API to access stored preference files associated with certain MySonicWall accounts. [1][2] (sonicwall.com)
  • Preconditions: The organization had enabled cloud backups for the firewall, and the associated account/API access was successfully brute‑forced. [1][2] (sonicwall.com)
  • Exploit maturity: No leak evidence reported; nonetheless, SonicWall assesses exposure could materially ease follow‑on exploitation if secrets aren’t rotated. [1][2] (sonicwall.com)
  • KEV context (separate issue): CVE‑2024‑40766 is KEV‑listed, indicating adversaries actively target SonicWall environments; this heightens urgency to apply least‑privilege WAN access and rapid credential rotation. [4] (cisa.gov)

Detection & Telemetry

SOC guidance (prioritize during containment window):

  • Identity and VPN access
    • Monitor spikes in failed/successful logins to SSL VPN and web/SSH management from new ASNs/hosted VPS providers; look for password spraying patterns (MITRE ATT&CK: Brute Force, T1110; Valid Accounts, T1078). [1][3] (sonicwall.com)
    • Track TOTP resets or re‑enrollment events and forced password changes for local users shortly after the disclosure window.
  • Configuration integrity
    • Alert on “configuration imported,” sudden policy/NAT/rule changes, and management interface exposure toggles from WAN. Restrict changes to maintenance windows with change tickets. [1] (sonicwall.com)
  • VPN posture
    • Detect IPSec tunnel drop/re‑establish sequences to unrecognized peers following key rotations; correlate with administrative activity. [3] (sonicwall.com)
  • Directory and auth infrastructure
    • Rotate and monitor LDAP bind accounts, RADIUS/TACACS+ shared secrets, and SNMPv3 users; alert on failed auth to these services from the firewall after password changes (T1552.001, Credentials in Files; T1110). [3] (sonicwall.com)
  • External reconnaissance
    • Watch for rapid enumeration of published services opened by new rules or NATs, especially if management/SSL VPN exposure expands unexpectedly (T1190, Exploit Public-Facing Application, used here as a defensive lens).

Note: As of publication, no vendor IOCs beyond behavioral guidance and configuration checks have been publicly posted; prioritize anomaly‑driven detections grounded in the above telemetry. [1][3] (sonicwall.com)
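The telemetry above, run over constructed log lines as an added example (not SonicWall's own tooling): it parses key=value syslog lines and flags failed-login bursts and password spraying per source, configuration imports outside a maintenance window, and IPSec tunnels to peers missing from an allow-list. The message texts, the `peer` field, the timestamp layout, the thresholds and the allow-list are assumptions, not vendor-documented values.

```python
# Added example, not SonicWall tooling: score constructed SonicWall-style
# key=value syslog lines for the behaviours the SOC guidance above lists.
import re
from collections import defaultdict
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
TS_FMT = "%Y-%m-%d %H:%M:%S"                  # assumed timestamp layout
# Constructed sample: one source spraying 3 usernames in ~90 s, a second source
# with a single failure, a config import at 14:07, an IPSec tunnel to an unknown peer.
SAMPLE_LOGS = """\
id=firewall time="2025-09-18 14:05:01" msg="User login failed" usr=admin src=198.51.100.7
id=firewall time="2025-09-18 14:05:20" msg="User login failed" usr=backup src=198.51.100.7
id=firewall time="2025-09-18 14:05:41" msg="User login failed" usr=vpnuser src=198.51.100.7
id=firewall time="2025-09-18 14:06:30" msg="User login failed" usr=admin src=198.51.100.7
id=firewall time="2025-09-18 14:06:35" msg="User login failed" usr=jdoe src=192.0.2.55
id=firewall time="2025-09-18 14:07:02" msg="Configuration imported" usr=admin src=198.51.100.7
id=firewall time="2025-09-18 14:09:00" msg="IPSec tunnel established" peer=203.0.113.99
""".strip().splitlines()

def parse(line):
    """Turn one key=value syslog line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def login_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Sources with >= threshold failed logins inside `window` (T1110).
    Returns {src: (failures_in_window, distinct_usernames_tried)}."""
    fails = defaultdict(list)
    for e in map(parse, lines):
        if e.get("msg") == "User login failed":
            fails[e["src"]].append((datetime.strptime(e["time"], TS_FMT), e.get("usr")))
    hits = {}
    for src, items in fails.items():
        items.sort()
        for i, (t0, _) in enumerate(items):          # slide the window start
            users = [u for t, u in items[i:] if t - t0 <= window]
            if len(users) >= threshold:
                hits[src] = (len(users), len(set(users)))
                break
    return hits

def offhours_config_changes(lines, maintenance_hours=range(1, 5)):
    """Config imports/edits logged outside the agreed maintenance hours."""
    return [e for e in map(parse, lines) if e.get("msg", "").startswith("Configuration")
            and datetime.strptime(e["time"], TS_FMT).hour not in maintenance_hours]

def unknown_ipsec_peers(lines, known_peers):
    """IPSec tunnels that came up to a peer missing from the allow-list."""
    return [e["peer"] for e in map(parse, lines)
            if e.get("msg") == "IPSec tunnel established" and e["peer"] not in known_peers]
```

On the sample, the spraying source is reported with 4 failures across 3 usernames, the 14:07 import is flagged, and 203.0.113.99 is returned as an unknown peer; the single failure from 192.0.2.55 stays below threshold.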

Mitigations & Patching/Workarounds

Immediate steps from SonicWall (execute in order):

  1. Containment: Disable or restrict management, SSL VPN, IPSec VPN, and other WAN‑exposed services to known IPs before resets. [3] (sonicwall.com)
  2. Remediation: Systematically rotate all local user passwords, TOTP bindings, directory bind credentials, RADIUS/TACACS+ secrets, IPSec pre‑shared keys, DDNS/email/FTP automation credentials, and any API tokens used by services integrated with the firewall—both on the firewall and on the external services they touch. [3] (sonicwall.com)
  3. Optional accelerated path: Import SonicWall’s updated preferences file (randomized local passwords, reset TOTP bindings, rotated IPSec keys). Plan for a maintenance window because the active firewall will reboot; IPSec tunnels remain down until peer keys are updated. [1] (sonicwall.com)
  4. Verification: Review logs/audit trails for unusual activity and re‑export a fresh “golden” backup after remediation completes. [3] (sonicwall.com)
  5. Hardening context: Independently ensure all devices are patched per SNWLID‑2024‑0015 for CVE‑2024‑40766; restrict WAN access to management and VPN portals to trusted sources only. [5][4] (nvd.nist.gov)

Timeline

  • September 9, 2024: CISA adds SonicWall CVE‑2024‑40766 to KEV (contextual hardening relevance). [4] (cisa.gov)
  • September 17, 2025 (04:40 AM PDT): SonicWall publishes the “MySonicWall Cloud Backup File Incident” KB, with text clarifications added the same day. [1] (sonicwall.com)
  • September 17, 2025: BleepingComputer reports the incident; SonicWall spokesperson confirms <5% scope and brute‑force against the cloud backup API. [2] (bleepingcomputer.com)
  • September 17, 2025: SonicWall publishes “Essential Credential Reset” and “Remediation through updated preferences file” KBs. [3] (sonicwall.com)
  • September 18, 2025 (05:41 AM ET): SecurityWeek publishes additional reporting and remediation details. [6] (securityweek.com)

References

  1. SonicWall Knowledge Base — MySonicWall Cloud Backup File Incident (scope, nature of attack, guidance). (sonicwall.com)
  2. BleepingComputer — SonicWall warns customers to reset credentials after MySonicWall breach (API brute‑force, <5% impact). (bleepingcomputer.com)
  3. SonicWall Knowledge Base — Essential Credential Reset (containment, remediation, monitoring). (sonicwall.com)
  4. CISA Alert — CISA adds CVE‑2024‑40766 to Known Exploited Vulnerabilities (KEV) on September 9, 2024. (cisa.gov)
  5. NVD — CVE‑2024‑40766 advisory metadata and KEV note (SonicOS improper access control). (nvd.nist.gov)
  6. SecurityWeek — SonicWall prompts password resets after firewall configurations exposed in breach. (securityweek.com)
  7. SonicWall Knowledge Base — Remediation through updated preferences file (file effects, reboot/failover, IPSec key updates). (sonicwall.com)
