All SonicWall firewall cloud backups stolen, admins urged to act immediately

Published: 10 October 2025
SonicWall

A threat actor has accessed all firewall cloud backups belonging to customers of SonicWall, a major VPN, firewall, and other network security solutions provider. The firm has updated its advisory, which previously claimed the data breach affected less than 5% of its firewall install base.

On the 17th of September, SonicWall alerted all customers to log in to their customer accounts to verify whether their devices are at risk.

Due to the sensitivity of the breach, network administrators should act quickly. The cloud backup files contain encrypted credentials and configuration data.

ADVERTISEMENT

“While encryption remains in place, possession of these files could increase the risk of targeted attacks, “ SonicWall said in the updated advisory.

“We urge all partners and customers to log in and check for their devices.”

Has my data been leaked?
Check Now

The firm provides updated and comprehensive final lists of impacted devices in the MySonicWall portal, and says it is working to notify all impacted partners and customers.

Devices with internet-facing services are of the highest priority. However, all SonicWall Firewalls with preference files backed up in MySonicWall.com are affected.

The firm has released detailed essential credential reset guidelines for network admins, which include critical remediation steps, such as resetting passwords for all local users, resetting TOTP (time-based one-time) passwords for all users, and updating credentials for other services and interfaces.

SonicWall also says it will provide additional guidance to customers who use the Cloud Backup feature but do not find the serial numbers flagged in the issue list on the account page.

jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us
ADVERTISEMENT

According to the previous report, a malicious actor performed a series of brute-force techniques against its MySonicWall.com web portal and gained access to firewall cloud backups.

This year, SonicWall has been dealing with a few critical security vulnerabilities, some of which are actively exploited by attackers.

SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC) were found to contain a deserialization of untrusted data vulnerability, enabling unauthenticated remote attackers to execute arbitrary remote commands.

In August, Shadowserver Foundation alerted about over 3,200 SonicWall upatched SMA100 devices vulnerable to another stack-based buffer overflow vulnerability. Almost 1,500 devices remain unpatched to this day.

All SonicWall security advisories are available in the firm’s Vulnerability List.

Unlock more exclusive Cybernews content on YouTube.

Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT