SonicWall Breach Far Worse Than Feared: All Cloud Backup Users' Firewall Configs Stolen

SonicWall Confirms Data Breach Compromised Firewall Configuration Backups for All MySonicWall Cloud Backup Customers

HIGH
October 10, 2025
November 8, 2025
Data Breach, Supply Chain Attack, Cloud Security

Related Entities (initial)

Products & Tech: MySonicWall

Full Report (when first published)

Executive Summary

SonicWall has confirmed a significant escalation of a data breach first disclosed in September 2025. In an update on October 8, the network security vendor stated that an unauthorized third party successfully exploited a vulnerability in its MSW Cloud Backup API and exfiltrated firewall configuration backup files. Critically, the breach impacted every customer who has ever used the MySonicWall cloud backup service, a dramatic increase from the company's initial estimate that less than 5% of its firewall base was affected. The stolen configuration files (.EXP) contain a wealth of sensitive information, including firewall rules, security settings, and encrypted credentials. While SonicWall emphasizes that credentials remain encrypted, the incident provides potential attackers with a detailed blueprint of victim networks, significantly increasing the risk of future targeted attacks. The company is now notifying all customers and providing urgent remediation guidance.


Threat Overview

The incident stems from the exploitation of an unspecified vulnerability in the API for the MySonicWall Cloud Backup platform. This allowed an unauthorized actor to systematically access and download .EXP backup files for the entire customer base of the service. These files are complete snapshots of a firewall's configuration.

The stolen data includes:

  • Firewall rules and policies
  • Network configuration and objects
  • Security service settings
  • Encrypted user credentials and pre-shared keys

While SonicWall has stated that sensitive data such as passwords is encrypted (using AES-256 on Gen 7 appliances), security experts warn that encryption alone is not a complete safeguard. Attackers in possession of both the configuration data and the encrypted values can mount offline attacks or use the configuration details to craft highly convincing social engineering campaigns. The investigation, supported by incident response firm Mandiant, is ongoing.

Technical Analysis

The primary attack vector was a compromised API endpoint. This is a classic example of a breach in a supporting cloud service leading to a compromise of customer data, bordering on a supply chain attack.

MITRE ATT&CK TTPs

Impact Assessment

The impact of this breach is potentially severe for all SonicWall customers who used the cloud backup feature. Attackers now possess a detailed roadmap of their network architecture and security posture. This information can be used to:

  • Identify weaknesses in firewall rule sets.
  • Craft targeted phishing and social engineering attacks.
  • Mount offline brute-force or dictionary attacks against the encrypted credentials.
  • Plan future intrusions with intimate knowledge of the target environment.

SonicWall has categorized the risk to help customers prioritize, labeling internet-facing firewalls as "Active – High Priority." The breach erodes trust in SonicWall's cloud services and places a significant remediation burden on its entire customer base.

Cyber Observables for Detection

  • Type: file_name. Value: *.exp. Description: SonicWall firewall configuration backup file extension; monitor for these files in unusual locations or being exfiltrated. Context: DLP, File Integrity Monitoring, EDR. Confidence: high.
  • Type: api_endpoint. Value: MSW Cloud Backup API. Description: the compromised API; while the specific endpoint is not public, logs related to this service should be reviewed for anomalous access. Context: cloud audit logs, API gateway logs. Confidence: high.
  • Type: network_traffic_pattern. Value: anomalous login attempts post-breach. Description: monitor firewall management interfaces for a spike in failed or unusual login attempts, which could indicate attackers trying to use information from the breach. Context: firewall logs, SIEM. Confidence: medium.

Detection & Response

Since the breach occurred on SonicWall's infrastructure, customer-side detection of the initial event is impossible. Response efforts must focus on mitigating the consequences.

  1. Identify Impacted Devices: Customers must log into the MySonicWall portal to check the list of affected devices provided by the company.
  2. Threat Hunting: Proactively hunt for any signs of compromise on firewalls, especially those marked as "High Priority." Look for unauthorized configuration changes, new administrative accounts, or suspicious outbound traffic.
  3. Log Review: Analyze firewall logs for any anomalous access or activity since the breach period in September 2025. This involves leveraging D3FEND techniques like Authentication Event Thresholding (D3-ANET) to spot brute-force attempts.
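The observables above and the three hunt steps can be turned into a small, repeatable check. The script below is an added example, not SonicWall tooling: it reads syslog-style firewall events, applies Authentication Event Thresholding (D3-ANET) to failed management logins on a WAN interface, flags .exp backup files leaving the internal address space, and flags configuration changes made from outside the trusted administration network. The log lines are constructed in a hypothetical key=value layout (real SonicWall message formats differ), and the interface names, thresholds and network ranges are assumptions to be adjusted to your environment.

```python
"""Post-breach hunt over firewall logs: failed-login thresholding (D3-ANET),
.exp backup files leaving the network, and config changes from untrusted sources.

Added example, not SonicWall tooling. The log lines below are constructed in a
hypothetical syslog-style key=value layout; real SonicWall message formats differ.
"""
import ipaddress
import re
from collections import deque
from datetime import datetime, timezone

# Constructed sample events. 203.0.113.7 and 198.51.100.9 are RFC 5737 documentation addresses.
SAMPLE_LOGS = """\
2025-10-09T02:14:01Z id=fw01 msg="Login failed" user=admin src=203.0.113.7 iface=X1
2025-10-09T02:14:03Z id=fw01 msg="Login failed" user=admin src=203.0.113.7 iface=X1
2025-10-09T02:14:06Z id=fw01 msg="Login failed" user=root src=203.0.113.7 iface=X1
2025-10-09T02:14:09Z id=fw01 msg="Login failed" user=sonicwall src=203.0.113.7 iface=X1
2025-10-09T02:14:12Z id=fw01 msg="Login failed" user=admin src=203.0.113.7 iface=X1
2025-10-09T02:14:20Z id=fw01 msg="Login failed" user=admin src=203.0.113.7 iface=X1
2025-10-09T02:30:00Z id=fw01 msg="Login failed" user=jdoe src=10.0.5.20 iface=X0
2025-10-09T03:00:00Z id=fw01 msg="Login succeeded" user=netops src=10.0.5.20 iface=X0
2025-10-09T04:10:22Z id=fw01 msg="File transfer" user=jdoe file=fw01-backup.exp src=10.0.5.20 dst=10.0.9.3
2025-10-09T04:12:51Z id=fw01 msg="File transfer" user=jdoe file=fw01-backup.EXP src=10.0.5.20 dst=198.51.100.9
2025-10-09T05:00:00Z id=fw01 msg="Configuration changed" user=admin src=203.0.113.7 detail="added admin user svc-backup"
2025-10-09T05:30:00Z id=fw01 msg="Configuration changed" user=netops src=10.0.5.20 detail="rotated VPN PSK"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one line into a dict: 'ts' (aware datetime) plus every key=value pair."""
    ts_str, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for key, val in KV_RE.findall(rest):
        event[key] = val.strip('"')
    return event


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def failed_login_bursts(events, threshold=5, window_seconds=60, wan_ifaces=("X1",)):
    """D3-ANET style: alert once per source that reaches `threshold` failed
    management logins on a WAN-facing interface inside a sliding window."""
    recent, alerted, alerts = {}, set(), []
    for ev in events:
        if ev.get("msg") != "Login failed" or ev.get("iface") not in wan_ifaces:
            continue
        window = recent.setdefault(ev["src"], deque())
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "count": len(window),
                           "first": window[0], "last": ev["ts"]})
    return alerts


def exp_leaving_network(events, internal_nets):
    """File-integrity / DLP style check: a *.exp backup sent to a destination
    outside the internal ranges is worth an analyst's attention."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    return [ev for ev in events
            if ev.get("msg") == "File transfer"
            and ev.get("file", "").lower().endswith(".exp")
            and "dst" in ev and not _in_any(ev["dst"], nets)]


def config_changes_from_untrusted(events, trusted_admin_nets):
    """Configuration changes whose source is not a trusted administration network."""
    nets = [ipaddress.ip_network(n) for n in trusted_admin_nets]
    return [ev for ev in events
            if ev.get("msg") == "Configuration changed" and not _in_any(ev["src"], nets)]


def run_hunt(text, internal_nets=("10.0.0.0/8",), trusted_admin_nets=("10.0.5.0/24",)):
    events = parse_log(text)
    return {
        "login_bursts": failed_login_bursts(events),
        "exp_exfil": exp_leaving_network(events, internal_nets),
        "untrusted_config_changes": config_changes_from_untrusted(events, trusted_admin_nets),
    }


if __name__ == "__main__":
    for name, hits in run_hunt(SAMPLE_LOGS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

On the constructed sample the script reports one login burst from 203.0.113.7 (the internal failure on X0 is ignored), one .exp transfer to an external address (the copy to 10.0.9.3 is not flagged), and one configuration change from outside the administration network. In practice the same three checks would run as SIEM rules over the firewall's syslog feed rather than over a string.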

Mitigation

SonicWall has advised the following urgent actions, which align with D3FEND countermeasures:

  1. Reset All Credentials: Immediately reset all local and remote user passwords, pre-shared keys for VPNs, and any other secrets stored in the firewall configuration. This is a critical Credential Eviction step.
  2. Enable MFA: Enforce Multi-factor Authentication (D3-MFA) on all administrative accounts and VPN access to prevent the use of potentially compromised credentials.
  3. Review and Harden Configurations: Use this opportunity to review all firewall rules and security settings. Remove any unnecessary rules and harden the configuration according to best practices. This falls under D3FEND's Platform Hardening (D3-PH) category.
  4. Limit Management Access: Restrict access to the firewall's management interface to a limited set of trusted IP addresses. This is a form of Network Isolation (D3-NI).

Timeline of Events

  1. September 1, 2025: Approximate timeframe of the initial data breach disclosure by SonicWall.
  2. October 8, 2025: SonicWall issues an update confirming all cloud backup users were impacted by the breach.
  3. October 10, 2025: This article was published.

Article Updates

November 8, 2025

SonicWall confirms that a state-sponsored actor was behind the September cloud backup breach, exploiting a compromised API call to steal customer firewall configurations.

MITRE ATT&CK Mitigations

  • Immediately reset all passwords and pre-shared keys associated with the firewall. Enforce strong, unique passwords going forward.
  • Enable MFA for all administrative access to the firewall and for all remote access VPN users.
  • Audit (M1047, enterprise): Continuously monitor firewall logs for unauthorized access attempts, configuration changes, and other anomalous activity.
  • Restrict management access to the firewall to a small, well-defined set of trusted IP addresses.

D3FEND Defensive Countermeasures

Given that encrypted credentials were stolen, the most urgent countermeasure is mass credential eviction. All passwords for local users on SonicWall devices must be considered compromised and should be immediately reset. This includes administrative accounts, user accounts, and guest accounts. Furthermore, all pre-shared keys (PSKs) for site-to-site and client VPNs must be changed. This action directly invalidates the secrets stolen by the attackers, even if they manage to decrypt them. Automate this process where possible using configuration management tools. This is not just a password change; it's a forceful invalidation of all secrets contained within the stolen .EXP files to render them useless for direct authentication.

To defend against the future use of any potentially compromised credentials, implementing Multi-factor Authentication is a critical compensating control. MFA should be enforced for all administrative logins to the SonicWall management interface and, just as importantly, for all remote access VPN connections. Even if an attacker decrypts a user's password from the stolen configuration file, MFA will prevent them from successfully authenticating. Prioritize enabling MFA on high-priority, internet-facing firewalls first. This technique fundamentally strengthens authentication and provides a robust defense against attacks leveraging stolen static credentials.

The theft of configuration files provides attackers with a perfect blueprint of your network's defenses. Use this incident as an impetus to perform a full platform hardening review of all SonicWall devices. This involves more than just changing passwords. Audit every firewall rule to ensure it follows the principle of least privilege. Disable any unused services or protocols. Restrict management access to a dedicated, isolated management network or specific trusted source IPs. Ensure logging is enabled and configured to send to a central SIEM. By changing the very architecture the attacker has a map of, you invalidate their intelligence and increase the difficulty of a follow-on attack.
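The credential-eviction and platform-hardening steps above are easy to state and easy to leave half-done, so a check that compares the stolen backup against the remediated configuration is worth having. The script below is an added example, not SonicWall code: it assumes the firewall configuration has already been converted into the simple dictionary layout shown (a hypothetical normalised form; the proprietary .EXP format is not parsed here), compares secret digests between the old backup and the new config to find anything that was never rotated, and audits the new config for any/any/any allow rules, management exposed to untrusted sources or WAN interfaces, enabled legacy services, and a missing central syslog destination. Interface names, service names and network ranges are constructed placeholders.

```python
"""Credential-eviction and hardening audit for a remediated firewall config.

Added example, not SonicWall code. Both configs below are constructed in a
hypothetical normalised dict layout; the proprietary .EXP format is not parsed.
"""
import hashlib
import ipaddress


def fingerprint(secret: str) -> str:
    """Secrets are compared by SHA-256 digest so the audit never stores or prints plaintext."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed: what the stolen backup is assumed to have contained.
OLD_CONFIG = {
    "users": {"admin": fingerprint("old-admin-pw"), "jdoe": fingerprint("old-jdoe-pw"),
              "guest": fingerprint("old-guest-pw")},
    "vpn_psks": {"hq-to-branch": fingerprint("old-psk-1"), "client-vpn": fingerprint("old-psk-2")},
    "rules": [
        {"name": "allow-any", "src": "any", "dst": "any", "service": "any", "action": "allow"},
        {"name": "web-out", "src": "LAN", "dst": "any", "service": "HTTPS", "action": "allow"},
    ],
    "services": {"SNMPv2": True, "SSH-mgmt-on-WAN": True, "HTTPS-mgmt": True},
    "mgmt_access": {"interfaces": ["X0", "X1"], "allowed_sources": ["0.0.0.0/0"]},
    "syslog_server": None,
}

# Constructed: the config after remediation. Two secrets were deliberately left unrotated.
NEW_CONFIG = {
    "users": {"admin": fingerprint("new-admin-pw"), "jdoe": fingerprint("new-jdoe-pw"),
              "guest": fingerprint("old-guest-pw")},            # missed during the reset
    "vpn_psks": {"hq-to-branch": fingerprint("new-psk-1"), "client-vpn": fingerprint("old-psk-2")},
    "rules": [{"name": "web-out", "src": "LAN", "dst": "any", "service": "HTTPS", "action": "allow"}],
    "services": {"SNMPv2": False, "SSH-mgmt-on-WAN": False, "HTTPS-mgmt": True},
    "mgmt_access": {"interfaces": ["X0"], "allowed_sources": ["10.0.5.0/24"]},
    "syslog_server": "10.0.9.10",
}

LEGACY_SERVICES = {"SNMPv2", "SSH-mgmt-on-WAN"}   # assumed list of services to keep disabled
WAN_INTERFACES = {"X1"}                            # assumed interface naming


def unrotated_secrets(old, new):
    """Credential eviction check: every secret present in the stolen backup must have
    a different digest in the new config; anything unchanged is still compromised."""
    stale = []
    for section in ("users", "vpn_psks"):
        for name, old_fp in old[section].items():
            if new[section].get(name) == old_fp:
                stale.append(f"{section}:{name}")
    return stale


def hardening_findings(cfg, trusted_mgmt_nets):
    """Platform hardening checks (least-privilege rules, management exposure,
    unneeded services, central logging). Returns a list of human-readable findings."""
    findings = []
    for rule in cfg["rules"]:
        if rule["action"] == "allow" and (rule["src"], rule["dst"], rule["service"]) == ("any", "any", "any"):
            findings.append(f"rule '{rule['name']}' allows any/any/any")
    trusted = [ipaddress.ip_network(n) for n in trusted_mgmt_nets]
    for src in cfg["mgmt_access"]["allowed_sources"]:
        if not any(ipaddress.ip_network(src).subnet_of(t) for t in trusted):
            findings.append(f"management reachable from untrusted source {src}")
    for iface in cfg["mgmt_access"]["interfaces"]:
        if iface in WAN_INTERFACES:
            findings.append(f"management enabled on WAN interface {iface}")
    for svc, enabled in cfg["services"].items():
        if enabled and svc in LEGACY_SERVICES:
            findings.append(f"legacy or unneeded service enabled: {svc}")
    if not cfg.get("syslog_server"):
        findings.append("no central syslog/SIEM destination configured")
    return findings


def audit(old, new, trusted_mgmt_nets=("10.0.5.0/24",)):
    return {
        "unrotated": unrotated_secrets(old, new),
        "old_findings": hardening_findings(old, trusted_mgmt_nets),
        "new_findings": hardening_findings(new, trusted_mgmt_nets),
    }


if __name__ == "__main__":
    report = audit(OLD_CONFIG, NEW_CONFIG)
    print("secrets still matching the stolen backup:", report["unrotated"])
    print("findings before remediation:", *report["old_findings"], sep="\n  ")
    print("findings after remediation:", report["new_findings"] or "none")
```

Run against the constructed configs, the audit reports that the guest password and the client-VPN PSK still match the stolen backup, lists six hardening findings for the old configuration, and none for the new one. The digest comparison is the important part: it lets a remediation team prove rotation was complete for every secret the attackers hold, without the verification step itself handling plaintext credentials.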

Sources & References (when first published)

  • Threat actors steal firewall configs, impacting all SonicWall Cloud Backup users. Security Affairs (securityaffairs.co), October 9, 2025.
  • All SonicWall Cloud Backup Users Had Firewall Configurations Stolen. SecurityWeek (securityweek.com), October 9, 2025.
  • SonicWall confirms all Cloud Backup Service users were compromised. SC Magazine (scmagazine.com), October 9, 2025.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

data breach, SonicWall, firewall, cloud security, API security, configuration management
