SonicWall has confirmed that every company using its MySonicWall cloud backup feature had its firewall configuration files exposed in a recent cyberattack. After originally reporting that fewer than 5% of customers were impacted, SonicWall has since admitted that the breach affected all users of its firewall cloud backup service.
In mid-September 2025, SonicWall warned customers to reset passwords after threat actors successfully brute-forced access to the MySonicWall cloud platform. That access exposed backup files containing network rules, VPN setups, access policies, admin credentials, and other sensitive details that could help attackers understand network defenses and plan future intrusions.
While SonicWall states that encryption remains in place for the stored backups, possession of these files significantly increases the risk of targeted attacks. With up to 500,000 global customers, the potential scope is massive, although the precise number of exposed backups depends on how many customers actually used the backup feature.
Other services reportedly remain unaffected, but SonicWall urges all users to immediately:
- Delete existing cloud backups
- Rotate all network and service credentials
- Change shared secrets
- Create new backups locally, not in the cloud
The company is actively notifying impacted customers and releasing tools to help with device assessment and remediation, warning organizations to stay vigilant for potential follow-up attacks.