Red Hot Cyber
SonicWall confirms data breach. Cloud backup service customers at risk.

11 October 2025 08:27

SonicWall has confirmed that the data breach disclosed last month affected every customer using the company's cloud backup service: an unauthorized party accessed the firewall configuration backup files stored in MySonicWall.

MySonicWall is a portal for SonicWall customers that allows them to manage product access, licensing, registration, firmware updates, support requests and cloud backups of firewall configurations (.EXP files).

Users are advised to immediately follow the steps below:

  • Log in to your MySonicWall.com account and check whether cloud backups exist for your registered firewalls.
  • If the backup fields are empty, the account is not affected.
  • If the fields contain backup details, check which of the listed serial numbers belong to firewalls in your account.
  • For every serial number shown, follow the containment and recovery guidelines for that firewall.

In mid-September 2025, SonicWall urged its customers to change their login credentials as soon as possible, as a cyberattack on MySonicWall accounts had compromised firewall configuration backup files.

At the time, details of the attack were not disclosed, and SonicWall said it had blocked the attackers’ access to the company’s systems and was already cooperating with cybersecurity agencies and law enforcement.

The company has published detailed recommendations to help administrators reduce the risk that the stolen configurations are used against them. Specifically, it recommends rotating every secret and password that may be contained in a compromised backup as soon as possible, and monitoring for signs of attacker activity against the affected devices.

At the time, the provider reported that about 5% of its total customers used the cloud backup service, but the attack had only affected “a few accounts.”

In an update released this week, SonicWall warned that the incident in fact affected all customers who used the cloud backup service to store firewall configuration files.

SonicWall's statement reads:

"SonicWall has completed its investigation, conducted in collaboration with leading incident response firm Mandiant, into the scope of a recent cloud backup security incident. The investigation confirmed that an unauthorized party accessed the firewall configuration backup files of all customers using SonicWall's cloud backup service. The files contain encrypted credentials and configuration data; while encryption remains in effect, possession of these files could increase the risk of targeted attacks. We are working to notify all affected partners and customers and have released tools to support device assessment and troubleshooting. The final, updated and complete lists of affected devices are now available on the MySonicWall portal (go to Product Management > Issue List)."

The compromised backup files contain credentials and configuration data encrypted with AES-256. The strength of the cipher says nothing about how the encryption key is derived, stored or shared, so the encryption should not be treated as a reason to skip rotation: once an attacker holds the ciphertext, any weakness in key handling can be exploited offline, and the plaintext configuration (rule sets, addressing, VPN peers, administrative accounts) gives an attacker a map of the network even before any secret is recovered. SonicWall's own guidance reflects this by recommending that all potentially exposed secrets be reset.

Users can check whether their devices are affected by logging in to MySonicWall and going to Product Management > Issue List. If any pending issues are listed, they should follow the steps in SonicWall's Essential Credential Reset guide, prioritizing active firewalls that are reachable from the internet.

Red Hot Cyber Editorial Team