SonicWall Cloud Backup Breach: Full Customer Impact Revealed

Article illustration 1

SonicWall has confirmed that all customers who used its cloud backup service had firewall configuration files stolen in a September security breach. This alarming update significantly expands the incident's scope—previously estimated to affect just 5% of firewall customers. The exposed .EXP files contain AES-256-encrypted credentials and configuration data that could provide threat actors with blueprints to bypass network defenses.

The Anatomy of the Breach

The breach targeted MySonicWall, the vendor's customer portal for managing product licenses, firmware updates, and—critically—cloud backups of firewall configurations. On September 17, SonicWall warned customers to reset credentials after discovering unauthorized access to these backup files. At the time, the company believed only a fraction of users were impacted.

Article illustration 2

Yesterday's update, following a Mandiant-led investigation, revealed the true scale: Every organization that ever used SonicWall's cloud backup service is affected.

Critical Remediation Steps

SonicWall emphasizes that exposed configurations "could make exploitation of firewalls significantly easier." Administrators must immediately:

  1. Reset passwords for all local user accounts and temporary access codes (TOTP)
  2. Update credentials on LDAP/RADIUS/TACACS+ servers
  3. Rotate shared secrets in all IPSec site-to-site and GroupVPN policies
  4. Change passwords for L2TP/PPPoE/PPTP WAN interfaces
  5. Reset the Cloud Secure Edge (CSE) API key

"Access to the exposed firewall configuration files contain information that could make exploitation of firewalls significantly easier for threat actors," — SonicWall Security Advisory

Ongoing Risks and Monitoring

While credentials are AES-256 encrypted, determined attackers could crack weak passwords or leverage configuration details for targeted attacks. Admins should:

  • Check impact status via MySonicWall → Product Management → Issue List
  • Prioritize internet-facing firewalls
  • Monitor for new alerts despite SonicWall declaring the investigation closed

This breach underscores the hidden risks of cloud-stored configurations. As network blueprints increasingly reside in vendor-managed clouds, organizations must weigh convenience against centralized attack surfaces. Configuration backups—while operationally essential—become crown jewels for attackers seeking to bypass perimeter defenses. The incident serves as a stark reminder that in modern security, trust must be continually validated, not assumed.

Source: BleepingComputer reporting on SonicWall security advisory