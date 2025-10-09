SonicWall on Wednesday disclosed that an unauthorized party accessed firewall configuration backup files for all customers who have used the cloud backup service.

"The files contain encrypted credentials and configuration data; while encryption remains in place, possession of these files could increase the risk of targeted attacks," the company said.

It also noted that it's working to notify all partners and customers, adding it has released tools to assist with device assessment and remediation. The company is also urging users to log in and check for their devices.

The development comes a couple of weeks after SonicWall urged customers to perform a credential reset after their firewall configuration backup files were exposed in a security breach impacting MySonicWall accounts.

The list of impacted devices available on the MySonicWall portal has been assigned a priority level to help customers prioritize remediation efforts. The labels are as follows -

Active – High Priority: Devices with internet-facing services enabled

Active – Lower Priority: Devices without internet-facing services

Inactive: Devices that have not pinged home for 90 days

The latest post-mortem marks an about turn from its initial assessment when it claimed the threat actors accessed backup firewall preference files stored in the cloud for less than 5% of its customers. It also stated that while the credentials within those files were encrypted, they also included "information that could make it easier for attackers to potentially exploit the related firewall."

It's currently not known how many of its customers use the cloud backup service. SonicWall has yet to reveal when the attacks began or who is behind the activity. However, the company said it has since "hardened" its infrastructure, applied additional logging, and introduced stronger authentication controls to prevent a repeat.

Users are advised to follow the steps below with immediate effect -

Log in to MySonicWall.com account and verify if cloud backups exist for registered firewalls

If fields are blank, there is no impact

If fields contain backup details, verify whether impacted serial numbers are listed in the account

If Serial Numbers are shown, users should follow the containment and remediation guidelines for the listed firewalls

SonicWall said in cases where customers have used the Cloud Backup feature but no Serial Numbers are shown or only some of the registered Serial Numbers are displayed, it will provide additional guidance in coming days.