All SonicWall Cloud Backup Users Have Firewall Configuration Files Stolen

SonicWall has confirmed that an unauthorized actor has accessed firewall configuration backup files for all customers who have used its cloud backup service.

The accessed backup files contain encrypted credentials and configuration data.

“While encryption remains in place, possession of these files could increase the risk of targeted attacks,” the firm noted in the blog updated on October 8.

It is understood that access to the firewall configuration backup files was gained through brute-force attacks. The purpose of the hack appears to have been to use the stolen information for future cyber-attacks.

Suspicious activity targeting the firewall cloud backup service was first detected in early September 2025.

The cybersecurity vendor then disclosed the incident on September 17, warning that threat actors accessed firewall preference files stored in the cloud for around 5% of SonicWall’s firewall install base.

After completing its investigation, in collaboration with Mandiant, SonicWall said it is now working to notify all impacted partners and customers.

“We urge all partners and customers to log in and check for their devices. SonicWall has implemented additional security hardening measures and is working closely with Mandiant to further enhance its cloud infrastructure and monitoring systems,” SonicWall said.

Updated Remediation Tools and Advice

The company said it has released tools to assist with device assessment and remediation.

Customers can view the updated final lists of impacted firewalls in the MySonicWall portal by going to Product Management > Issue List.

Each device has been assigned a priority level to help customers prioritize remediation efforts. These are:

  1. Active – High Priority: devices with internet-facing services enabled
  2. Active – Lower Priority: devices without internet-facing services
  3. Inactive: devices that have not pinged home for 90 days

Containment and remediation actions should then be taken for listed firewalls, following SonicWall guidance. Security teams should first disable or restrict access to services from WAN.

They should then review and update credentials that were enabled at, or before, the time of backup for each firewall device.
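As an added example (not SonicWall's own tooling), the following Python script applies the three priority levels and the two remediation steps above to a constructed device inventory. The device records, serial numbers, service names and credential dates are assumptions; the 90-day rule is applied as "more than 90 days since last check-in".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed cutoff: a device that has not pinged home for more than 90 days is "Inactive".
INACTIVE_AFTER = timedelta(days=90)


@dataclass
class Firewall:
    serial: str                  # constructed placeholder serial
    last_checkin: datetime       # last time the device pinged home
    wan_services: list           # services exposed on the WAN side (assumed names)
    backup_time: datetime        # time the cloud backup was taken
    credentials: dict            # credential name -> creation time


def priority(fw: Firewall, now: datetime) -> str:
    """Map a device onto the three priority levels from the advisory."""
    if now - fw.last_checkin > INACTIVE_AFTER:
        return "Inactive"
    if fw.wan_services:
        return "Active - High Priority"
    return "Active - Lower Priority"


def remediation_plan(fw: Firewall, now: datetime) -> list:
    """Step 1: restrict WAN-facing services. Step 2: rotate credentials that
    existed at or before the backup time (those are the ones in the stolen file)."""
    steps = [f"disable or restrict WAN access to {svc}" for svc in fw.wan_services]
    for name, created in fw.credentials.items():
        if created <= fw.backup_time:
            steps.append(f"rotate credential '{name}' (existed at backup time)")
    return steps


def triage(fleet: list, now: datetime) -> list:
    """Return (priority, serial, steps) tuples, highest priority first."""
    order = {"Active - High Priority": 0, "Active - Lower Priority": 1, "Inactive": 2}
    rows = [(priority(fw, now), fw.serial, remediation_plan(fw, now)) for fw in fleet]
    return sorted(rows, key=lambda r: (order[r[0]], r[1]))


# Constructed sample inventory for demonstration only.
NOW = datetime(2025, 10, 9)
FLEET = [
    Firewall("SN-EXAMPLE-001", datetime(2025, 10, 8), ["ssl-vpn", "https-mgmt"],
             datetime(2025, 8, 1), {"admin": datetime(2024, 1, 1), "vpn-user": datetime(2025, 9, 1)}),
    Firewall("SN-EXAMPLE-002", datetime(2025, 10, 7), [], datetime(2025, 8, 1),
             {"admin": datetime(2024, 1, 1)}),
    Firewall("SN-EXAMPLE-003", datetime(2025, 6, 1), ["ssh-mgmt"], datetime(2025, 5, 1),
             {"admin": datetime(2024, 1, 1)}),
]

if __name__ == "__main__":
    for level, serial, steps in triage(FLEET, NOW):
        print(level, serial, steps)
```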

For customers who have used the SonicWall cloud backup feature but cannot see their serial numbers in the portal, SonicWall will provide additional guidance in the coming days.
