SonicWall under attack: CISA issues warning after cloud backup breach


SonicWall, a major provider of VPNs, firewalls, and other network security solutions, has alerted users about a data compromise affecting cloud backups for “fewer than 5%” of its firewall install base. Separately, security researchers from Arctic Wolf are warning of a ransomware campaign targeting SonicWall devices.

SonicWall released an advisory about suspicious activity that was recently detected targeting its firewall cloud backup service. The vendor confirmed that hackers accessed backups for firewall preference files stored in the cloud during a security incident.

These preference files are used as a restore point for the firewall and contain sensitive information about networks, including usernames and passwords for VPN access, other tokens, and configuration details for services running on SonicWall devices.


While the incident affected less than 5% of the firewall install base and the credentials within the files were encrypted, SonicWall urges resetting them and following the other mitigation measures in its advisory.

The incident prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert.

“SonicWall’s investigation found that a malicious actor performed a series of brute force techniques against its MySonicWall.com web portal to gain access to a subset of customers’ preference files stored in their cloud backups,” CISA explains.

Has my data been leaked?

“While credentials within the files were encrypted, the files also included information that actors can use to gain access to customers’ SonicWall Firewall devices.”

All SonicWall customers are advised to log in to their customer account to verify if their devices are at risk. All firewall devices with cloud backups could potentially be compromised.

“Review the list of serial numbers that may have been impacted. For each impacted firewall, follow the recommended course of action,” the alert reads.

For each serial number listed, all services with exposed credentials should be reviewed. The immediate remediation measures include an essential credential reset, followed by other instructions.
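The steps above (check the impacted-serial list, then reset every credential that lives in the affected firewall's preference file) are easy to do by hand for one device and error-prone for fifty. The following script is an example added to this article, not SonicWall's or CISA's tooling: it cross-references a downloaded list of impacted serial numbers against a local firewall inventory and emits a prioritised credential-reset checklist. The serial numbers, hostnames, service names and reset priorities are constructed for illustration, and the set of credentialed services is an assumption drawn from the article's description of what a preference file contains, not a vendor list.

```python
"""Build a credential-reset checklist from SonicWall's impacted-serial list.

Example code added to this article; not SonicWall's or CISA's tooling.
All serials, hostnames and service names are constructed placeholders.
"""

from dataclasses import dataclass, field

# Credentials that a firewall preference file can carry, with a reset priority.
# Priority 1 = directly usable for remote access; 3 = lower-impact secrets.
# This mapping is an assumption for the example, not a vendor-published list.
RESET_ORDER = {
    "sslvpn_local_user": 1,
    "ipsec_psk": 1,
    "admin_local": 1,
    "ldap_bind": 2,
    "radius_shared_secret": 2,
    "snmp_community": 3,
    "dynamic_dns": 3,
}


@dataclass
class Firewall:
    serial: str
    hostname: str
    cloud_backup: bool               # was the preference file backed up to the cloud?
    services: list = field(default_factory=list)


def normalize_serial(s: str) -> str:
    """Serials copied from a portal or spreadsheet vary in case, spacing and dashes."""
    return s.strip().upper().replace("-", "")


def build_checklist(impacted, inventory):
    """Return (actions, unknown).

    actions: (priority, serial, hostname, service) tuples sorted by priority, so
             the most remotely usable credentials are reset first.
    unknown: impacted serials with no inventory entry; these need manual follow-up
             because an unowned-but-impacted device is itself a finding.
    """
    by_serial = {normalize_serial(fw.serial): fw for fw in inventory}
    actions, unknown = [], []
    for raw in impacted:
        serial = normalize_serial(raw)
        fw = by_serial.get(serial)
        if fw is None:
            unknown.append(serial)
            continue
        for svc in fw.services:
            actions.append((RESET_ORDER.get(svc, 9), serial, fw.hostname, svc))
    actions.sort()
    return actions, unknown


def not_backed_up(inventory):
    """Devices with no cloud backup are outside this incident's scope, but still
    fall under the firmware-update and password-reset guidance in the advisory."""
    return [normalize_serial(fw.serial) for fw in inventory if not fw.cloud_backup]


# Constructed inventory (hypothetical serials and hostnames).
INVENTORY = [
    Firewall("EXAMPLE-0001", "fw-hq", True,
             ["sslvpn_local_user", "ldap_bind", "snmp_community"]),
    Firewall("EXAMPLE-0002", "fw-branch", False, ["ipsec_psk"]),
    Firewall("EXAMPLE-0003", "fw-dc", True,
             ["admin_local", "radius_shared_secret"]),
]

# Constructed impacted-serial list, as if exported from the customer portal;
# note the inconsistent formatting and one serial nobody owns.
IMPACTED = ["example-0001 ", "EXAMPLE0003", "EXAMPLE-9999"]

ACTIONS, UNKNOWN = build_checklist(IMPACTED, INVENTORY)

if __name__ == "__main__":
    for prio, serial, host, svc in ACTIONS:
        print(f"P{prio}  {serial}  {host:<10} reset {svc}")
    for serial in UNKNOWN:
        print(f"!!  {serial}  impacted but not in inventory")
    for serial in not_backed_up(INVENTORY):
        print(f"--  {serial}  no cloud backup; apply general guidance only")
```

The output orders VPN and administrator credentials ahead of directory bind accounts and SNMP strings, and calls out an impacted serial that is missing from the inventory, which on a real estate usually means an unmanaged or forgotten device.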


“Although no unencrypted data was found, the exposure of these files increases the risk of future exploitation, especially if the attackers are able to further decrypt or misuse the information,” Kudelski Security said in a report.


Even before this compromise, hackers have targeted SonicWall firewalls using other vulnerabilities.

Researchers at Arctic Wolf, a cybersecurity company, warn about the uptick in ransomware activity targeting SonicWall firewall devices for initial access.

Since at least late July 2025, the Akira ransomware group has exploited other vulnerabilities to gain VPN access through SonicWall SSL VPNs.

The updated advisory now includes new indicators of compromise, including dozens of IP addresses used for access and data exfiltration. SonicWall’s guidance urges updating firmware, resetting local user account passwords, and applying other best practices.