Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis
Cloud Backups Gone Wrong: SonicWall Firewall Configurations Exposed

6 February 2026 18:51

In September 2025, SonicWall disclosed a cloud security incident that quickly drew attention across the cybersecurity community. What initially appeared to affect only a limited number of firewall customers was later found to be far broader, ultimately involving every user of the company’s cloud backup service.

THE BREACH UNCOVERED

Unauthorized actors gained access to SonicWall’s MySonicWall cloud backup environment through a series of brute-force attacks targeting the MySonicWall portal and its associated API services. Through this access, the attackers were able to obtain firewall preference files stored in the cloud backup system. These files contained encrypted credentials along with detailed network and device configuration data.

At the time of the initial disclosure, SonicWall did not publicly attribute the attack to a specific threat group. Only in later updates did the company indicate that the activity was consistent with the involvement of sophisticated, potentially state-sponsored actors, without naming a specific entity.

As the internal investigation progressed, SonicWall revised its original assessment. The company had first stated that fewer than five percent of firewall customers were affected. Further analysis, however, confirmed that preference files associated with all customers using the cloud backup feature had been accessed.

WHAT GOT EXPOSED

The files obtained by the attackers included firewall preference data, which effectively represents full device configuration information. This encompassed VPN settings, administrative roles, access rules, network topology details, and encrypted administrator credentials. While the passwords themselves were not available in plaintext, the overall configuration provides deep visibility into how protected environments are structured.

In addition, credentials related to external services – including LDAP, RADIUS, and SNMP integrations – were present within the preference files. Exposure of this information could allow attackers to better understand authentication flows and identify potential points of weakness within affected environments.

IMPACT AND RISKS

The compromise of firewall preference files presents a significant risk even when credentials remain encrypted. Detailed knowledge of firewall rules, segmentation logic, and network architecture can help attackers plan more targeted and effective intrusion attempts over time.

SonicWall stated that it had not identified evidence of the stolen data being actively leveraged in follow-on attacks at the time of disclosure. However, the company acknowledged that such information could retain long-term value for adversaries seeking to exploit it in future operations.

RESPONDING TO THE CRISIS

In response, SonicWall worked with cybersecurity firm Mandiant to investigate the incident, strengthen defensive controls, and provide guidance to customers. Affected organizations were advised to reset all credentials associated with cloud backups, rotate secrets, review authentication mechanisms, and apply recommended remediation steps.

These actions included changing administrative passwords, regenerating keys, disabling cloud backups where appropriate, and reinforcing local firewall configurations. Prompt remediation was emphasized as a critical measure to reduce the risk of downstream exploitation.

Despite the scope of the exposure, SonicWall clarified that its core product infrastructure and internal corporate systems were not compromised. The incident was limited to the MySonicWall cloud backup service, although the downstream security implications for customers still depend on how the exposed data is used.

Reporting on the incident, ctrlaltnod.com focused on the confirmed technical facts and the evolution of SonicWall’s disclosures, highlighting how cloud-based management services can become high-value targets when they aggregate sensitive configuration data.

The event underscores a broader reality of modern cybersecurity: even encrypted data, when combined with detailed structural information, can offer adversaries a strategic advantage if it falls into the wrong hands.


The Red Hot Cyber Editorial Team provides daily updates on bugs, data breaches, and global threats. Every piece of content is validated by our community of experts, including Pietro Melillo, Massimiliano Brolli, Sandro Sana, Olivia Terragni, and Stefano Gazzella. Through synergy with our industry-leading partners—such as Accenture, CrowdStrike, Trend Micro, and Fortinet—we transform technical complexity into collective awareness. We ensure information accuracy by analyzing primary sources and maintaining a rigorous technical peer-review process.