
SonicWall, a widely used provider of network security solutions, has confirmed a serious breach involving its MySonicWall cloud backup service. This incident has exposed sensitive firewall configuration files, potentially putting thousands of small businesses at risk.
What Happened?
On September 17, 2025, SonicWall disclosed that unauthorized access had occurred to configuration backup files stored in certain MySonicWall accounts. A backup is a full export of the firewall's configuration, so these files contain critical data such as:
- Admin credentials
- VPN pre-shared keys
- LDAP bindings
- Internal IP schema
- Certificates and logging settings
The breach did not stem from a vulnerability in SonicWall's firewall hardware or SonicOS itself. Instead, attackers gained access to configuration files that customers had uploaded to the cloud for backup and recovery. SonicWall has said the credentials inside those files are encrypted, but the rest of the configuration is readable, so the files still give an attacker much of what is needed to target the firewall; the remediation guidance treats every secret in an exposed backup as compromised.
Why This Matters to Small Businesses
Small businesses often rely on SonicWall firewalls for perimeter security, VPN access, and remote work infrastructure. An exposed configuration file gives attackers a blueprint of your network, allowing them to:
- Reconstruct your firewall setup in a test environment and rehearse an attack against it
- Identify permissive rules, services exposed to the WAN, internal address ranges and weak credentials
- Craft attacks that use your own rules, accounts and VPN settings, so they look like legitimate traffic and are harder to spot
- Reuse any password or key from the file that was also used on another system
If your business uses SonicWall’s cloud backup feature, you may be at risk—even if your firewall is fully patched.
How to Know If You’re Affected
SonicWall has provided a clear way to check:
- Log in to your MySonicWall account: mysonicwall.com
- Check if cloud backups are enabled:
  - If not enabled, you are not affected by this breach.
  - If enabled, look for informational banners flagging impacted serial numbers.
- If your serial number is flagged, follow SonicWall's containment and remediation guidelines immediately.
If you’ve used cloud backups but don’t see flagged serials, SonicWall will provide further guidance soon.
What You Should Do Now
SonicWall has released a Remediation Playbook with essential steps for containment, credential resets, and monitoring. Here’s a simplified action plan for small businesses:
🔒 Containment
- Disable WAN access to the firewall management interfaces (HTTP, HTTPS and SSH); manage the device from the LAN or over an existing trusted VPN instead.
- Restrict SSL VPN and IPsec VPN access to trusted source IP addresses only; if that is not practical, disable the VPN services until the keys and credentials below have been rotated.
- Disable SNMP, and disable or tighten NAT rules that allow inbound WAN access to internal services.
🔑 Credential Reset
- Reset all local user passwords, including the admin account.
- Re-enroll TOTP (two-factor authentication) for all users, since the TOTP enrollment data travels with the configuration.
- Change the LDAP bind account password and the RADIUS shared secrets, on the firewall and on the directory or RADIUS server.
- Replace IPsec VPN pre-shared keys on both the local and the remote endpoints, and reissue any certificates whose private keys were stored in the backup.
- Refresh credentials for WAN interfaces (PPPoE, L2TP), DDNS, SNMP community strings and the email logging account.
- Anywhere one of these passwords or keys was reused on another system, change it there too.
🛡️ Monitoring
- Enable logging (ideally to an external syslog server) and alerting for management logins, VPN logins and authentication failures, so that a login using the old credentials from an unfamiliar address is visible.
- Audit firewall rules, NAT policies and user group permissions against what you expect; an attacker who knows the configuration can add a rule that looks routine.
- Monitor for unusual authentication flows, logins at odd hours or from new locations, and privilege escalations.
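The monitoring step above is easiest to act on if the firewall's syslog feed is checked automatically. The following script is an added example written for this post; it is not SonicWall's code and not part of the Remediation Playbook. It parses key=value syslog lines in the style SonicOS emits and flags the three things a post-breach review most wants to see: repeated admin login failures from one source, an admin login from an address outside the trusted ranges (most serious when it follows failures, which is what a stolen password looks like), and VPN logins from untrusted addresses. The log lines, the trusted networks and the failure threshold are constructed assumptions for the example; the message texts are illustrative and your own logs should be checked against the wording your firmware produces.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in the key=value syslog style SonicOS firewalls use.
# Field names (sn, time, fw, msg, usr, src, dst) follow that style; the message
# texts and addresses are illustrative, not captured production logs.
SAMPLE_LOG = """\
id=firewall sn=0017C5AAAAAA time="2025-09-18 08:01:10" fw=203.0.113.10 pri=1 msg="Administrator login failed due to bad credentials" sess="Web" usr="admin" src=198.51.100.7:51234:X1 dst=203.0.113.10:443:X1
id=firewall sn=0017C5AAAAAA time="2025-09-18 08:01:14" fw=203.0.113.10 pri=1 msg="Administrator login failed due to bad credentials" sess="Web" usr="admin" src=198.51.100.7:51240:X1 dst=203.0.113.10:443:X1
id=firewall sn=0017C5AAAAAA time="2025-09-18 08:01:17" fw=203.0.113.10 pri=1 msg="Administrator login failed due to bad credentials" sess="Web" usr="admin" src=198.51.100.7:51244:X1 dst=203.0.113.10:443:X1
id=firewall sn=0017C5AAAAAA time="2025-09-18 08:01:22" fw=203.0.113.10 pri=6 msg="Administrator login allowed" sess="Web" usr="admin" src=198.51.100.7:51250:X1 dst=203.0.113.10:443:X1
id=firewall sn=0017C5AAAAAA time="2025-09-18 08:15:02" fw=203.0.113.10 pri=6 msg="Administrator login allowed" sess="Web" usr="admin" src=10.0.0.25:60011:X0 dst=10.0.0.1:443:X0
id=firewall sn=0017C5AAAAAA time="2025-09-18 08:20:44" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" usr="backup-svc" src=192.0.2.88:4433:X1 dst=203.0.113.10:4433:X1
id=firewall sn=0017C5AAAAAA time="2025-09-18 08:21:03" fw=203.0.113.10 pri=6 msg="SSL VPN zone remote user login allowed" usr="jsmith" src=198.51.100.200:50022:X1 dst=203.0.113.10:4433:X1
"""

# Source ranges from which management and VPN logins are expected: the LAN and
# one remote-office address. Both are assumptions for this example.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.200/32")]

FAILURE_THRESHOLD = 3  # failed admin logins from one source before it is flagged

# key=value pairs; values may be double-quoted and contain spaces
TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split one SonicOS-style syslog line into a dict of fields."""
    fields = {}
    for key, value in TOKEN_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def source_ip(fields):
    """src looks like ip:port:interface; drop the two trailing parts."""
    src = fields.get("src", "")
    host = src.rsplit(":", 2)[0] if src.count(":") >= 2 else src
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def is_trusted(ip):
    return ip is not None and any(ip in net for net in TRUSTED_NETWORKS)


def analyze(log_text):
    """Return alerts for the logins a post-breach review should look at first."""
    alerts = []
    failures = Counter()  # failed admin logins per source address
    for raw in log_text.splitlines():
        f = parse_line(raw)
        msg = f.get("msg", "")
        ip = source_ip(f)
        base = {"time": f.get("time"), "usr": f.get("usr"), "src": str(ip)}
        if msg.startswith("Administrator login"):
            if "failed" in msg:
                failures[ip] += 1
                if failures[ip] == FAILURE_THRESHOLD:  # flag once per source
                    alerts.append({**base, "severity": "medium",
                                   "rule": "repeated admin login failures"})
            elif "allowed" in msg and not is_trusted(ip):
                # success after a run of failures is the stolen-credential pattern
                sev = "critical" if failures[ip] >= FAILURE_THRESHOLD else "high"
                alerts.append({**base, "severity": sev,
                               "rule": "admin login from untrusted source"})
        elif "VPN" in msg and "login allowed" in msg and not is_trusted(ip):
            alerts.append({**base, "severity": "high",
                           "rule": "VPN login from untrusted source"})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f'{a["time"]} [{a["severity"]}] {a["rule"]}: user={a["usr"]} src={a["src"]}')
```

On the sample data the script raises three alerts: the third failure from 198.51.100.7, the successful admin login from that same address (rated critical because it follows the failures), and the SSL VPN login from 192.0.2.88. The logins from the LAN and from the remote-office address are left alone. The trusted ranges should match the source restrictions you put on management and VPN access in the containment step, so that anything the firewall still lets through from elsewhere is also what this check reports.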
Final Thoughts
This breach is a wake-up call for small businesses relying on vendor-managed cloud services. Treat your configuration backups as sensitive assets, and ensure your firewall governance includes regular credential rotation and access audits.
If you need help implementing these changes, Compass lane’s cybersecurity team is here to assist. Reach out to us for a free consultation and firewall health check.
Additional information is available on SonicWall's site: [SonicWall…icWall …]