SonicWall Confirms Theft of Customer Firewall Configuration Backups

SonicWall has confirmed that threat actors accessed and stole customer firewall configuration backup files from its MySonicWall cloud backup service. The confirmation follows an investigation conducted with Mandiant. The breach affects every customer who used the cloud backup feature, exposing the network configuration of each backed-up firewall.

Details of the Breach

The investigation found that the threat actors exfiltrated `.EXP` files, the full configuration exports of customer firewalls. An export describes the device's network layout, its security policies, and the credentials configured for every service the firewall talks to. Those credentials are stored encrypted, but the rest of the configuration is only encoded, not encrypted, so anyone holding a stolen file can read it.

Security practitioners caution that a configuration export of this kind is a blueprint of the target's security infrastructure: an attacker can see which services are exposed, which rules allow what, and which external systems the firewall authenticates to. That knowledge makes targeted attacks far easier to plan. Because the attacker holds the file, the encrypted credentials can also be attacked offline without touching the victim's network, and weak or reused passwords make such attempts far more likely to succeed.

SonicWall’s Response and Mitigation Measures

In response to the incident, SonicWall is notifying all affected partners and customers and has published tools to support assessment and remediation. In the MySonicWall portal it maintains updated lists of impacted devices, each categorized by priority:

– Active – High Priority: Internet-facing devices requiring immediate attention.
– Active – Lower Priority: Internal-only devices with a lower risk profile.
– Inactive: Devices that are no longer in use.

Customers are urged to log into the portal, identify their affected devices, and commence the remediation process without delay.

To bolster security and prevent similar incidents in the future, SonicWall has implemented additional hardening measures across its infrastructure. The company continues to collaborate with Mandiant to enhance its cloud security and monitoring systems.

Essential Credential Reset and Remediation Playbook

SonicWall's mitigation path centers on an Essential Credential Reset: change every password and secret for any service configured on the affected firewalls. Most of these secrets are shared with another system (a directory bind account, a RADIUS server, a VPN peer), so each must be changed on that system as well as on the firewall; a reset that updates only one side breaks the service without securing it. To help, SonicWall has published a Remediation Playbook and an Online Tool that analyze a firewall's configuration and list every service whose credentials need updating.

The company recommends prioritizing high-priority devices first. For customers requiring assistance, a dedicated support team is available through the MySonicWall portal to guide them through the necessary changes and ensure their environments are secured.

Implications for Customers

The theft of firewall configuration backups poses significant risks to organizations. With access to detailed network configurations, attackers can:

– Identify Vulnerabilities: Pinpoint weaknesses in the network setup that can be exploited.
– Plan Targeted Attacks: Use the configuration data to craft sophisticated attacks tailored to the specific network.
– Attempt Credential Decryption: With the file in hand, attackers can try to recover the encrypted credentials offline; where weak passwords were used they may succeed, gaining access to the services those credentials protect.

Given these risks, it is imperative for all affected customers to act swiftly in implementing the recommended mitigation measures.

Broader Context of SonicWall Security Incidents

This breach is not an isolated incident for SonicWall. In recent months the company has faced several security problems:

– Exploitation of SonicWall Firewalls by Akira Ransomware: In late July 2025, security researchers observed a surge in ransomware intrusions through SonicWall devices, with activity dating back to at least July 15, 2025 and attributed to the Akira ransomware gang. Because intrusions succeeded on fully patched firewalls, and in some cases bypassed multi-factor authentication (MFA), the evidence initially pointed to a zero-day. SonicWall later stated that the activity was tied to the previously disclosed CVE-2024-40766 and to local credentials carried over during migrations from older devices, rather than to a new vulnerability. ([cybersecuritynews.com](https://cybersecuritynews.com/sonicwall-firewall-akira-ransomware/?utm_source=openai))

– Critical Vulnerability in SonicOS: SonicWall disclosed CVE-2024-40766, an improper access control flaw (CWE-284) in SonicOS management access, rated CVSS v3 9.3 (critical). It can allow unauthorized access to resources and, under certain conditions, crash the firewall. ([cybersecuritynews.com](https://cybersecuritynews.com/sonicwall-sonicos-vulnerability/?utm_source=openai))

These incidents underscore the importance of continuous vigilance and proactive security measures for organizations relying on SonicWall products.

Recommendations for Customers

In light of the recent breach, SonicWall recommends the following actions for all affected customers:

1. Immediate Credential Reset: Change all passwords and secrets for any service configured on the affected firewalls.
2. Utilize Provided Tools: Use the Remediation Playbook and Online Tool to identify and update all services requiring credential changes.
3. Prioritize High-Risk Devices: Focus first on internet-facing devices categorized as Active – High Priority.
4. Engage with Support: Reach out to SonicWall’s dedicated support team via the MySonicWall portal for assistance during the remediation process.

By promptly implementing these measures, organizations can mitigate the risks associated with the breach and strengthen their overall security posture.
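As an added example that is not SonicWall's Remediation Playbook or Online Tool, the following Python script shows the kind of inventory the playbook section above and the recommendations list call for: it decodes an exported configuration, picks out every credential-bearing setting, records which peer system shares each secret, and classifies the device along the lines of the MySonicWall priority categories. The export format is an assumption (a base64-encoded body of key=value lines) and the sample configuration, key names and matching patterns are constructed for illustration; the real `.EXP` layout is not described on this page.

```python
"""
Build a credential-rotation checklist from an exported firewall configuration.

Added example, not SonicWall's own tool. It assumes a generic export: a
base64-encoded body of newline-separated key=value pairs. The real .EXP
layout is not described on the page; the sample below is constructed.
Only key names are reported, never values, so the checklist can be shared
without copying the encrypted secrets it lists.
"""
import base64
import re

# Constructed sample export (not a real device configuration). Values that
# stand in for encrypted credentials are placeholders.
SAMPLE_CONFIG_PLAINTEXT = """\
deviceName=branch-fw-01
wanInterface=X1
sslvpnEnable=1
ldapServer=dc01.corp.example
ldapBindDn=cn=fw-bind,ou=svc,dc=corp,dc=example
ldapBindPassword=ENC:9f3a...
radiusServer=10.0.0.5
radiusSharedSecret=ENC:77b1...
vpnPolicy_0_peer=203.0.113.9
vpnPolicy_0_presharedKey=ENC:c0de...
snmpCommunity=ENC:0ac1...
ddnsPassword=ENC:5e5e...
adminUser=admin
adminPassword=ENC:aaaa...
dnsServer=10.0.0.53
"""
SAMPLE_EXPORT = base64.b64encode(SAMPLE_CONFIG_PLAINTEXT.encode()).decode()

# Assumed key-name patterns for settings that hold a secret, with the peer
# system on which the same secret must also be changed.
SECRET_PATTERNS = [
    (re.compile(r"ldap.*pass", re.I), "LDAP bind account", "directory server"),
    (re.compile(r"radius.*secret", re.I), "RADIUS shared secret", "RADIUS server"),
    (re.compile(r"preshared|psk", re.I), "IPsec pre-shared key", "VPN peer"),
    (re.compile(r"snmp.*community", re.I), "SNMP community string", "monitoring system"),
    (re.compile(r"ddns.*pass", re.I), "Dynamic DNS password", "DDNS provider"),
    (re.compile(r"admin.*pass", re.I), "Local admin password", "firewall only"),
]


def decode_export(export_b64: str) -> dict:
    """Base64-decode the export and parse key=value lines into a dict.
    A value may itself contain '=' (e.g. an LDAP DN), so split only once."""
    body = base64.b64decode(export_b64).decode()
    config = {}
    for line in body.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            config[key.strip()] = value.strip()
    return config


def find_secrets(config: dict) -> list:
    """Return (key, description, peer) for every credential-bearing setting."""
    found = []
    for key in config:
        for pattern, description, peer in SECRET_PATTERNS:
            if pattern.search(key):
                found.append((key, description, peer))
                break
    return found


def device_priority(config: dict) -> str:
    """Assumed heuristic echoing the portal categories: any remote-access
    service (SSL VPN or an IPsec policy) makes the device internet-facing.
    'Inactive' cannot be derived from the file alone and is not returned."""
    internet_facing = config.get("sslvpnEnable") == "1" or any(
        k.startswith("vpnPolicy_") for k in config)
    return "Active - High Priority" if internet_facing else "Active - Lower Priority"


def rotation_checklist(export_b64: str) -> list:
    """One checklist line per secret: what to rotate, where, and on which peer."""
    config = decode_export(export_b64)
    priority = device_priority(config)
    return [f"[{priority}] rotate {desc} ({key}); also update on {peer}"
            for key, desc, peer in find_secrets(config)]


if __name__ == "__main__":
    for line in rotation_checklist(SAMPLE_EXPORT):
        print(line)
```

Only key names reach the checklist; the encrypted values are never printed, so the output can be handed to whoever rotates the secrets without spreading the stolen material further. The priority heuristic cannot distinguish an inactive device from an active one using the file alone, so that category still has to come from the portal list.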

Conclusion

The confirmation that customer firewall configuration backups were stolen from SonicWall's cloud service shows that a backup of a security device is as sensitive as the device itself. Affected organizations should treat the exported configuration as known to the attacker, rotate every secret it contained on both the firewall and the systems that share those secrets, and watch the services those credentials protected for misuse. SonicWall's response and the resources it has provided are intended to help customers through that process.