SonicWall, a widely used provider of firewalls and network security appliances, has confirmed a security incident involving its MySonicWall cloud backup service. According to an official advisory from the Cybersecurity and Infrastructure Security Agency (CISA), a malicious actor gained unauthorized access to configuration backup files stored in the cloud, potentially exposing sensitive device settings and network details.
If your organization uses SonicWall firewalls or remote access services, this incident affects you—even if your systems are still functioning normally.
Who Is Impacted by the SonicWall Incident?
The exposure affects customers who used SonicWall’s cloud-based backup feature within the MySonicWall portal. These backup configuration files (also known as “preference” or EXP files) often contain:
- Firewall settings
- VPN configurations
- Administrative credentials (typically encrypted, but still valuable to attackers)
- Network topologies and security rules
SonicWall has stated that all clients were impacted, and configuration files can provide attackers with valuable insight—even without exposing raw passwords.
What Exactly Happened During the Security Incident?
A threat actor gained access to the MySonicWall portal using brute-force login attempts, successfully retrieving stored configuration backups from customer accounts.
SonicWall confirmed:
“SonicWall has completed its investigation, conducted in collaboration with leading IR Firm, Mandiant, into the scope of a recent cloud backup security incident. The investigation confirmed that an unauthorized party accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service.”
— SonicWall Knowledge Base Advisory
Even if encryption was in place and you are working with a cybersecurity services provider, an attacker who knows how your environment is structured can carry out targeted attacks significantly more easily.
When Did the SonicWall Incident Occur?
- September 22, 2025 — CISA publicly issued an alert regarding the breach.
- SonicWall began notifying customers privately before this date.
- Around the same time, security researchers observed an increase in SonicWall-related attacks, including VPN compromise attempts and MFA bypass activity.
Multiple security firms have linked this activity to ransomware groups who have been actively targeting SonicWall systems.
Why the SonicWall Breach Matters
Even if passwords weren’t directly exposed, configuration data can provide attackers with:
- A map of your network
- A list of user roles and policies
- Knowledge of VPN access points or weakly configured services
This significantly reduces the amount of guesswork required for a cyberattack — especially when combined with known vulnerabilities or reused credentials.
How Attackers May Be Using This Data

- Using configuration insights to identify weak spots or exposed services
- Testing stolen settings against remote access portals (VPN / SSL VPN)
- Attempting credential reuse or MFA bypass
- Launching targeted attacks against devices with unpatched vulnerabilities, such as CVE-2024-40766
Even if your systems are still online, silent probing may already be happening.
What to Do If You Use SonicWall Firewalls
If you partner with a managed service provider or cybersecurity company, they may already be resolving this concern for you proactively. You should reach out to understand how they are addressing the SonicWall breach if you have not already heard from them, and to ask for their recommended next steps for you to take.
If you do not have the support of an IT or cybersecurity partner, you should:
- Log into your MySonicWall account and check your devices. SonicWall marks affected serial numbers internally. If your firewall has stored cloud backups, assume exposure.
- Reset all local user and VPN credentials — even if encrypted, especially if passwords were migrated from older devices.
- Update firmware to the latest version immediately. Recent firmware updates include improvements to authentication lockout policies, monitoring, and exploit detection.
- Disable SSL VPN temporarily if it is not essential, or limit access to approved IP ranges only.
- Review access logs and configuration changes for anomalies. Look for unexpected logins or packet capture initiation.
- Contact your security partner (or us) if you need assistance reviewing exposure.
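The log-review step above, sketched as an added example (not from the original article and not SonicWall code): it flags successful logins from outside approved IP ranges, a successful login that follows a burst of failures, and packet capture starts. The key=value log layout, event names, IP ranges and thresholds are constructed assumptions; map them to the fields your device actually exports.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values (not from the article): approved ranges, threshold, window.
APPROVED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.16/28")]
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed sample lines in a simplified key=value layout (not a vendor schema).
SAMPLE_LOG = """\
time="2025-09-20 01:58:00" src=203.0.113.10 usr="jsmith" event=login_ok
time="2025-09-20 02:11:01" src=192.0.2.44 usr="admin" event=login_failed
time="2025-09-20 02:11:09" src=192.0.2.44 usr="admin" event=login_failed
time="2025-09-20 02:11:15" src=192.0.2.44 usr="admin" event=login_failed
time="2025-09-20 02:11:22" src=192.0.2.44 usr="admin" event=login_failed
time="2025-09-20 02:11:30" src=192.0.2.44 usr="admin" event=login_failed
time="2025-09-20 02:11:41" src=192.0.2.44 usr="admin" event=login_ok
time="2025-09-20 02:13:05" src=192.0.2.44 usr="admin" event=packet_capture_started
"""

LINE_RE = re.compile(
    r'time="(?P<time>[^"]+)" src=(?P<src>\S+) usr="(?P<usr>[^"]*)" event=(?P<event>\S+)')

def review(log_text, approved=APPROVED_NETS):
    """Return (finding, source_ip, user) tuples in log order."""
    findings = []
    recent_failures = defaultdict(deque)  # source IP -> failed-login timestamps
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        ts = datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S")
        src = ipaddress.ip_address(m["src"])
        fails = recent_failures[src]
        while fails and ts - fails[0] > WINDOW:
            fails.popleft()  # forget failures older than the window
        if m["event"] == "login_failed":
            fails.append(ts)
        elif m["event"] == "login_ok":
            if not any(src in net for net in approved):
                findings.append(("unapproved_source", str(src), m["usr"]))
            if len(fails) >= FAIL_THRESHOLD:
                findings.append(("success_after_failures", str(src), m["usr"]))
            fails.clear()
        elif m["event"] == "packet_capture_started":
            findings.append(("packet_capture", str(src), m["usr"]))
    return findings
```

Calling `review(SAMPLE_LOG)` on the constructed lines returns three findings, all for source 192.0.2.44; the approved-range login by `jsmith` produces none.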
Final Takeaway for Businesses Using SonicWall
This incident is a powerful reminder that even secure vendors can become attack vectors—especially when cloud backups are involved. While SonicWall has taken corrective action, stored configurations can live on in attacker hands indefinitely.
At OLS, our team is already monitoring this threat across our client environments. If we manage your network, we are actively reviewing your SonicWall exposure and implementing protections, and we have already sent out a communication detailing any next steps you may be required to take. Please contact your Account Manager for further support or with any questions.
If you want a full assessment of your current security posture, and are not yet a client with OLS, please reach out to our team today to begin a conversation.
Your firewall protects your business. Let’s make sure it stays that way.

