SonicWall MySonicWall platform breached, firewall config files exposed
Take action: If you're using SonicWall firewalls with MySonicWall cloud backup, log into your MySonicWall account to check if your devices are flagged as affected. If yes, reset all passwords, API keys, and shared secrets in your firewall configurations. You'll also need to update credentials with all external services that use the compromised data, like your ISP, Dynamic DNS providers, email providers, VPN peers, and LDAP/RADIUS servers.
Cybersecurity company SonicWall is reporting a data breach affecting its MySonicWall cloud platform that exposed sensitive firewall configuration backup files, potentially compromising the network security of multiple organizations.
The attack was caused by a series of coordinated account-by-account brute-force attacks targeting the API service used for cloud backup functionality within the MySonicWall platform.
SonicWall confirmed that threat actors gained unauthorized access to firewall configuration preference files stored in certain MySonicWall accounts through these persistent brute-force attacks. The company immediately terminated the unauthorized access point and is collaborating with cybersecurity agencies and law enforcement to investigate the incident.
Exposed data includes:
- Firewall configuration backup files with network topology and security rules
- Encrypted passwords and authentication credentials
- VPN configuration details and access credentials
- API keys and authentication tokens
- Shared secrets and encryption keys
- Network access policies and firewall rules
- Service account credentials and authentication parameters
- LDAP and RADIUS server connection details
- Dynamic DNS provider information
- Email provider authentication details
- IPSec VPN peer configuration data
SonicWall claims that the incident affects fewer than 5% of its total firewall install base, but the specific number of affected customers or devices has not been disclosed.
Update - as of 8th of October 2025, SonicWall reports that all customers who used its cloud backup service to store firewall configuration files were impacted by a recent data breach. The company said the threat actors accessed the preference files of all firewalls that were configured to back up the files to the MySonicWall cloud backup service.
All customers should log in to their MySonicWall.com accounts and check if there are cloud backups for their registered firewalls.
The company urges customers to reset all their passwords and to follow the steps described in its containment and mitigation documentation.
Affected customers must immediately reset all passwords, API keys, shared secrets, and encryption keys stored within their firewall configurations. The company warns that credentials may need to be updated not only on SonicWall devices but also with external services including Internet Service Providers, Dynamic DNS providers, email providers, remote IPSec VPN peers, and LDAP/RADIUS servers that rely on the compromised configuration data.
Customers can verify their exposure by logging into their MySonicWall accounts, where affected serial numbers are flagged with informational banners. Those without cloud backup functionality are not affected by this incident. SonicWall has established a dedicated support team to assist organizations with remediation efforts and continues to work with law enforcement and cybersecurity agencies to investigate the attack's full impact.
As of 10th of October 2025, the cybersecurity firm Huntress is warning of active attacks targeting SonicWall SSL VPN devices across multiple customer environments using the compromised information.
As of 5th of November 2025, SonicWall has blamed “state-sponsored threat actors” for the breach. In an update posted on the company’s website, SonicWall said it completed the investigation into the incident, and confirmed that the malicious activity was “carried out by a state-sponsored threat actor” and was “isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call.”