SonicWall Breach Escalates: From 5% to 100% of Cloud Backup Users Compromised

📅 October 10, 2025 | ⏱ 4 min read | 🔐 Category: Data Breaches

In a dramatic reversal that shows how unreliable early breach scoping can be, SonicWall has confirmed that attackers accessed firewall configuration backup files for every customer who used its cloud backup service, not the "less than 5%" originally reported when the incident came to light in September. The revised finding, issued this week after an investigation conducted with incident response firm Mandiant, makes this one of the most significant exposures of network security infrastructure in recent memory.

The updated disclosure transforms what appeared to be a contained incident into a widespread compromise affecting potentially thousands of organizations that trusted SonicWall’s cloud platform to store their sensitive network configurations securely. With complete firewall blueprints now in the hands of adversaries, affected organizations face an urgent race to secure their networks before attackers can weaponize the stolen intelligence.

From Limited Incident to Total Compromise

When SonicWall first disclosed the breach on September 17, 2025, the company said fewer than 5% of its firewall install base was affected, identifying the MySonicWall cloud backup feature as the target. That assessment suggested a contained incident of limited scope, and many customers concluded they had escaped impact.

That confidence evaporated on October 8, when SonicWall released updated findings confirming that the attackers had accessed backup configuration files for all customers who had ever used the cloud backup service. Whatever the cause, a revision from under 5% to 100% means the initial scoping missed almost the entire affected population, and customers who stood down in September must now restart their response.

The attack method points to fundamental gaps in the protection of SonicWall's cloud infrastructure. The threat actors ran a brute force attack against the MySonicWall cloud backup API, working through credentials until they gained access to the repository holding the encrypted firewall configuration files. That so unsophisticated a technique succeeded implies that basic controls such as rate limiting, account lockout and anomaly detection were either absent or ineffective on an API guarding data this sensitive.

The Value of Firewall Configuration Files

To understand why this breach is so concerning, it’s essential to grasp what attackers gained access to. Firewall configuration files represent complete blueprints of an organization’s network security posture, containing detailed information about network rules, access controls, routing configurations, VPN settings, and authentication credentials.

These files essentially provide a roadmap showing how traffic flows through an organization’s network, which services are accessible from the internet, what security rules protect different segments, and where potential weaknesses might exist. For sophisticated threat actors, this intelligence dramatically reduces the reconnaissance phase of attack planning and enables highly targeted exploitation attempts.

While SonicWall emphasizes that the credentials within the stolen files are encrypted, that protection has limits. Only Gen 7 and newer firewalls individually encrypt stored credentials with AES-256; earlier generations do not get the same per-credential protection, so their stored secrets should be treated as exposed. Encryption also protects a secret only for as long as the key stays out of the attacker's reach, and any weak or reused password among those secrets should be assumed guessable once the files are worked over offline.

Ryan Dewhurst, Head of Proactive Threat Intelligence at watchTowr, articulated the threat clearly: even without cracking encryption, the configuration data provides enough insight for attackers to plan precisely targeted campaigns. Understanding firewall rules, network topology, and security controls allows threat actors to identify the most promising attack vectors and craft exploitation attempts specifically designed to bypass an organization’s defenses.

Critical Vulnerabilities in Older Devices

The encryption disparity between device generations creates a particularly dangerous situation for organizations operating older SonicWall hardware. While Gen 7 and newer firewalls benefit from individual credential encryption using modern AES-256 algorithms, earlier generation devices lack this protection.

Organizations running legacy SonicWall equipment should consider every credential in their backups compromised and prioritize immediate resets across all administrative accounts, VPN users, and any other authentication material stored in firewall configurations. The exposure extends well beyond firewall logins: firewall configurations routinely hold LDAP or Active Directory bind accounts, RADIUS shared secrets, IPsec pre-shared keys, SNMP community strings, and third-party service accounts, all of which must be rotated wherever they are used, not only on the firewall.


Assessing Your Exposure

SonicWall has published tools to help customers understand their specific risk exposure. Affected organizations can log into the MySonicWall portal and navigate to Product Management > Issue List to view a comprehensive inventory of their devices and their current risk classification.

Each device receives one of three priority designations. Active – High Priority devices are those currently exposed to the internet, making them immediate targets for exploitation attempts using the stolen configuration intelligence. These systems require urgent attention, including immediate credential resets and configuration reviews to ensure no unauthorized changes have occurred.

Active – Lower Priority designations apply to devices not directly exposed to the internet, reducing but not eliminating their risk profile. While these systems may be harder for external attackers to reach, they could still be targeted through other compromise vectors or used as secondary targets once initial access is established elsewhere in the network.

Inactive devices are those that haven’t communicated with SonicWall’s management infrastructure in the past 90 days. While potentially decommissioned, these systems could represent forgotten assets that remain operational and vulnerable, or recently retired equipment whose credentials haven’t been properly rotated.

SonicWall’s Response and Remediation

SonicWall has implemented additional security hardening measures for its cloud infrastructure and continues working with Mandiant to enhance monitoring systems and prevent similar incidents. The company has published detailed remediation guidance and assessment tools to help customers identify and address vulnerabilities in their specific environments.

However, the fundamental question remains: why could a service hosting such extraordinarily sensitive data be brute forced at all? An API fronting customers' firewall backups should enforce rate limiting per source and per account, account lockout after repeated failures, and multi-factor authentication, any one of which would have blunted the technique that succeeded here. If those controls were missing or ineffective, that points to either an inadequate security architecture or a failure to assess how valuable the stored data was to an attacker.
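To make the missing controls concrete, here is an added example (not SonicWall's code, and not a description of how the MySonicWall API actually works) of a credential-checking endpoint with the three defenses a practitioner would expect in front of a repository like this: per-source rate limiting, account lockout after repeated failures, and a constant-time password check that costs the same for unknown and known users. The thresholds, account names, IP addresses and the wordlist are constructed for the demo. The three scenario functions show a wordlist attack on one account being locked out before the correct guess is reached, a password spray across many accounts being stopped by the per-source limit even though no single account locks, and a legitimate login succeeding once the lockout expires.

```python
# Added example: brute-force resistance for a login API (account lockout,
# per-source rate limiting, constant-time verification). Not vendor code.
import hashlib
import hmac
from collections import defaultdict, deque

MAX_FAILURES = 5             # assumed: consecutive failures before an account locks
LOCKOUT_SECONDS = 900        # assumed: 15-minute lockout
IP_WINDOW_SECONDS = 60       # assumed: sliding window for per-source limiting
IP_MAX_ATTEMPTS = 20         # assumed: attempts per source per window, any outcome
PBKDF2_ITERATIONS = 100_000  # lowered for the demo; production should use far more, or Argon2


class AuthGuard:
    """In-memory model of a login endpoint with lockout and rate limiting."""

    def __init__(self, users):
        self._users = users                      # {username: (salt, pbkdf2_hash)}
        self._failures = defaultdict(int)        # consecutive failures per account
        self._locked_until = {}                  # account -> time the lock expires
        self._ip_attempts = defaultdict(deque)   # source ip -> attempt timestamps
        self._dummy_salt = b"\x00" * 16          # used for unknown users (timing)

    @staticmethod
    def hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def _over_ip_limit(self, ip, now):
        window = self._ip_attempts[ip]
        while window and now - window[0] > IP_WINDOW_SECONDS:
            window.popleft()                     # drop attempts outside the window
        if len(window) >= IP_MAX_ATTEMPTS:
            return True                          # refused before any password work
        window.append(now)
        return False

    def authenticate(self, username, password, ip, now):
        """Return 'ok', 'bad_credentials', 'locked' or 'rate_limited'."""
        if self._over_ip_limit(ip, now):
            return "rate_limited"
        if self._locked_until.get(username, 0) > now:
            return "locked"                      # even a correct guess is refused
        record = self._users.get(username)
        salt, stored = record if record else (self._dummy_salt, b"\x00" * 32)
        # Always run the hash so unknown and known users take the same time.
        matches = hmac.compare_digest(self.hash_password(password, salt), stored)
        if record and matches:
            self._failures[username] = 0
            return "ok"
        self._failures[username] += 1
        if self._failures[username] >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures[username] = 0
        return "bad_credentials"


def _guard():
    salt = b"constructed-salt"  # constructed fixture, not a real account
    return AuthGuard({"admin": (salt, AuthGuard.hash_password("correct horse battery", salt))})


def wordlist_attack():
    """Seven guesses at one account from one IP, one second apart. The right
    password is sixth in the list but arrives after the lockout has triggered."""
    guard, counts = _guard(), defaultdict(int)
    guesses = ["password", "123456", "admin", "sonicwall", "letmein",
               "correct horse battery", "qwerty"]
    for t, guess in enumerate(guesses):
        counts[guard.authenticate("admin", guess, "198.51.100.7", now=float(t))] += 1
    return dict(counts)


def password_spray():
    """Twenty-five usernames, one guess each, from one IP within 2.5 seconds:
    no account reaches MAX_FAILURES, but the per-source limit still bites."""
    guard, counts = _guard(), defaultdict(int)
    for i in range(25):
        counts[guard.authenticate(f"user{i}", "Spring2025!", "203.0.113.9", now=i * 0.1)] += 1
    return dict(counts)


def lockout_expires():
    """A correct login is refused while locked and accepted once the lock lapses."""
    guard = _guard()
    for t in range(MAX_FAILURES):
        guard.authenticate("admin", "wrong", "198.51.100.7", now=float(t))
    during = guard.authenticate("admin", "correct horse battery", "198.51.100.7", now=10.0)
    after = guard.authenticate("admin", "correct horse battery", "198.51.100.7",
                               now=4.0 + LOCKOUT_SECONDS + 1.0)
    return during, after
```

The order of checks matters: the source limit is evaluated before any hashing so a flood cannot turn the expensive KDF into a denial-of-service lever, and the lockout check returns the same answer for right and wrong passwords so a locked account leaks nothing. In production the counters live in a shared store rather than process memory, and lockout events feed detection, since a spray that trips the per-source limit is itself the signal a defender wants to see.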

Broader Implications for Cloud Security

The SonicWall incident highlights critical risks associated with cloud-based backup services for security infrastructure. While cloud storage offers convenience and disaster recovery benefits, concentrating sensitive configuration data for thousands of organizations in a single repository creates an attractive target for sophisticated threat actors.

Organizations must carefully evaluate whether the convenience of cloud-based configuration backups justifies the risk of centralized compromise. For some environments, particularly those handling sensitive data or facing advanced persistent threats, locally managed backup solutions may provide better security despite requiring more operational overhead.

The incident also demonstrates how initial breach assessments can dramatically underestimate actual impact. SonicWall’s revision from 5% to 100% affected customers suggests that organizations should view initial breach notifications with healthy skepticism and prepare for potential scope expansion as investigations progress.

Immediate Actions Required

Organizations using SonicWall's cloud backup service must treat this as a critical security incident requiring immediate response. Priority actions include checking the MySonicWall portal to identify affected devices and their priority designation, resetting every credential stored in the firewall configurations (administrator accounts, VPN users, directory bind accounts, RADIUS secrets, SNMP community strings and any third-party service accounts), comparing the running configuration against a known-good copy to detect unauthorized rule, user or management changes, and adding monitoring for administrative logins, VPN connections and rule changes that could indicate exploitation attempts.
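Two of those actions, the configuration review and the credential inventory, lend themselves to a script. The following is an added example, not SonicWall's tooling, and it operates on a simplified key=value representation of a firewall configuration that is constructed here for illustration (it is not the vendor's export format, and the key names are assumptions). The baseline is the copy that sat in the cloud backup, i.e. what the attacker now holds; the current text is what the firewall runs today. The diff is ranked so that the changes an attacker holding the blueprint would most plausibly make (a new administrator, management enabled on the WAN side, a new inbound allow rule) surface first, and the rotation list is built from the leaked baseline rather than the current config, because every secret in the stolen file needs rotating regardless of whether it has since changed.

```python
# Added example: review a firewall config for unauthorized changes and list the
# secrets in the leaked backup that must be rotated. Simplified constructed format.
import re

SECRET_KEY_RE = re.compile(r"(password|psk|secret|community|token|key)$", re.IGNORECASE)
ADMIN_NAME_RE = re.compile(r"^admin\.user\.\d+\.name$")
RULE_RE = re.compile(r"^rule\.\d+$")
WAN_MGMT_RE = re.compile(r"^mgmt\.wan\.")

# Constructed sample: the backup as stored in the cloud (what the attacker holds).
BASELINE_BACKUP = """
admin.user.0.name=admin
admin.user.0.password=$enc$Q29uc3RydWN0ZWQx
mgmt.wan.https=off
rule.0=WAN->LAN any any deny
rule.1=LAN->WAN any any allow
rule.2=WAN->DMZ any tcp/443 allow
vpn.site2site.hq.psk=$enc$Q29uc3RydWN0ZWQy
ldap.bind.user=svc_fw_ldap
ldap.bind.password=$enc$Q29uc3RydWN0ZWQz
snmp.community=public
"""

# Constructed sample: the running config after an intruder has been at it.
CURRENT_RUNNING = """
admin.user.0.name=admin
admin.user.0.password=$enc$Q29uc3RydWN0ZWQx
admin.user.1.name=support_tmp
admin.user.1.password=$enc$Q29uc3RydWN0ZWQ0
mgmt.wan.https=on
rule.0=WAN->LAN any any deny
rule.1=LAN->WAN any any allow
rule.2=WAN->DMZ any tcp/443 allow
rule.3=WAN->LAN any tcp/3389 allow
vpn.site2site.hq.psk=$enc$Q29uc3RydWN0ZWQy
ldap.bind.user=svc_fw_ldap
ldap.bind.password=$enc$Q29uc3RydWN0ZWQz
snmp.community=public
"""


def parse_config(text):
    """Parse 'key=value' lines (blank lines and # comments ignored) into a dict."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        config[key.strip()] = value.strip()
    return config


def diff_configs(baseline, current):
    """Return (kind, key, old, new) tuples for added, removed and changed keys."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old is None:
            changes.append(("added", key, None, new))
        elif new is None:
            changes.append(("removed", key, old, None))
        elif old != new:
            changes.append(("changed", key, old, new))
    return changes


def is_high_risk(change):
    """Flag the changes an attacker holding the config would most plausibly make."""
    kind, key, old, new = change
    if kind == "added" and ADMIN_NAME_RE.match(key):
        return True                               # new administrator account
    if kind != "removed" and WAN_MGMT_RE.match(key) and new == "on":
        return True                               # management reachable from the WAN
    if kind in ("added", "changed") and RULE_RE.match(key) \
            and new.startswith("WAN->") and new.endswith("allow"):
        return True                               # new or widened inbound allow rule
    return False


def secrets_to_rotate(config):
    """Every key in the leaked backup that holds a credential or shared secret."""
    return sorted(k for k in config if SECRET_KEY_RE.search(k))


def review(baseline_text, current_text):
    baseline, current = parse_config(baseline_text), parse_config(current_text)
    changes = diff_configs(baseline, current)
    return {
        "high": [c for c in changes if is_high_risk(c)],
        "low": [c for c in changes if not is_high_risk(c)],
        "rotate": secrets_to_rotate(baseline),
    }


def demo():
    return review(BASELINE_BACKUP, CURRENT_RUNNING)
```

On the constructed sample the review flags three high-risk changes (the added `support_tmp` administrator, HTTPS management turned on for the WAN, and a new WAN-to-LAN RDP allow rule), one low-risk change (the new account's password field), and four secrets to rotate from the leaked baseline. Adapting this to a real device means writing the parser for the vendor's actual export format and extending the risk rules to whatever the organization considers a change no one should make silently; the review structure itself stays the same.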

The complete exposure of firewall configurations for all cloud backup users represents a worst-case scenario for network security infrastructure. As threat actors begin weaponizing this intelligence, the organizations that act fastest to reset credentials and harden their defenses will be best positioned to avoid becoming the next breach headline.

Written by: Logan Elliott
Cyberix
https://www.cyberixsafe.com

Nisar Nikzad

Nisar is a Federal Contracting Expert and Cybersecurity Professional with nearly two decades of experience in Government procurement and Compliance. He is the founder and CEO of Cyberix, where he helps organizations navigate Federal acquisition requirements and cybersecurity challenges through practical, strategic solutions.