The SonicWall Data Breach has prompted the company to urge customers to reset credentials after a security incident exposed encrypted firewall configuration backup files stored in its cloud service. SonicWall confirmed that less than 5% of its MySonicWall accounts were affected in the breach, which was the result of brute-force attacks.
Limited Exposure but Urgent Mitigation Steps
According to SonicWall, unknown threat actors targeted the cloud backup service for its firewalls, gaining access to backup preference files. While credentials contained in the files were encrypted, the data also included information that could make it easier for attackers to exploit related firewalls.
The SonicWall Data Breach was not a ransomware event targeting its infrastructure. Instead, it was a series of brute-force attempts against stored preference files, with no evidence yet that the compromised files have been leaked online.
To minimize the risks arising from the SonicWall Data Breach, the company has recommended that customers immediately:
- Log in to MySonicWall.com to confirm whether cloud backups are enabled.
- Verify if affected device serial numbers are flagged in their accounts.
- Restrict access to management services from the WAN.
- Disable HTTP, HTTPS, and SSH management, along with SSL VPN and IPSec VPN.
- Reset all passwords and time-based one-time passwords (TOTPs) saved on firewalls.
- Review system logs and configuration changes for unusual activity.
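The last step, reviewing logs for unusual activity, is the one that benefits from automation. The script below is an added example, not code from SonicWall or from the original article: it parses a handful of constructed key=value syslog-style lines (the field names `time`, `msg`, `usr` and `src`, the message texts, and the use of `X1` as the WAN interface are all assumptions for this example, not SonicWall's documented schema) and flags the events the steps above are concerned with: management access arriving over the WAN interface, admin activity from outside an allowlisted network, and configuration or TOTP changes made outside a defined change window.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines in a generic key=value syslog style. Field names
# (time, fw, msg, usr, src) and message texts are assumptions made for this
# example, not SonicWall's documented log schema; the serial is a placeholder.
SAMPLE_LOG = """\
id=firewall sn=SERIAL-PLACEHOLDER time="2025-09-17 09:58:01" fw=203.0.113.10 msg="User login successful" usr="admin" src=10.0.20.15:51001:X0
id=firewall sn=SERIAL-PLACEHOLDER time="2025-09-17 10:05:32" fw=203.0.113.10 msg="Configuration changed" usr="admin" src=10.0.20.15:51001:X0
id=firewall sn=SERIAL-PLACEHOLDER time="2025-09-17 23:41:10" fw=203.0.113.10 msg="User login successful" usr="admin" src=198.51.100.7:44120:X1
id=firewall sn=SERIAL-PLACEHOLDER time="2025-09-17 23:42:55" fw=203.0.113.10 msg="Configuration changed" usr="admin" src=198.51.100.7:44120:X1
id=firewall sn=SERIAL-PLACEHOLDER time="2025-09-17 23:43:30" fw=203.0.113.10 msg="TOTP binding reset" usr="admin" src=198.51.100.7:44120:X1
"""

# Constructed policy: where admins are expected to come from and when
# sensitive changes are expected. Tune these to your own environment.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.20.0/24")]
WAN_IFACES = {"X1"}          # assumption: X1 is the WAN-facing interface
CHANGE_WINDOW = (8, 18)      # changes expected between 08:00 and 18:00
SENSITIVE_MSGS = ("Configuration changed", "TOTP binding reset", "VPN key")

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict; src is 'ip:port:iface'."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    parts = fields.get("src", "").split(":")
    fields["src_ip"] = parts[0]
    fields["src_iface"] = parts[2] if len(parts) > 2 else ""
    return fields


def reasons_for(event: dict) -> list:
    """Return why this admin event deserves review, or [] if it does not."""
    if not event.get("usr"):
        return []                      # not an authenticated admin action
    reasons = []
    if event["src_iface"] in WAN_IFACES:
        reasons.append("management access over WAN interface")
    elif not event["src_ip"]:
        reasons.append("admin event without source address")
    else:
        ip = ipaddress.ip_address(event["src_ip"])
        if not any(ip in net for net in TRUSTED_ADMIN_NETS):
            reasons.append("admin activity from untrusted address")
    if event.get("msg", "").startswith(SENSITIVE_MSGS):
        hour = datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S").hour
        if not (CHANGE_WINDOW[0] <= hour < CHANGE_WINDOW[1]):
            reasons.append("sensitive change outside change window")
    return reasons


def analyze(log_text: str) -> list:
    """Parse every line and return the events that need a second look."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        reasons = reasons_for(event)
        if reasons:
            flagged.append({"time": event["time"], "usr": event["usr"],
                            "src_ip": event["src_ip"], "msg": event.get("msg", ""),
                            "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["time"], f["usr"], f["src_ip"], f["msg"], "->", "; ".join(f["reasons"]))
```

Run against the constructed sample, the two daytime events from the internal admin network pass, while the three late-night events arriving on the WAN interface are flagged, two of them twice because they also change configuration or TOTP state outside the change window. Pointing the same logic at real exported logs only requires adjusting the field names, the trusted networks, and the interface list to match the device.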
The company has also provided new preference files for affected customers, which include randomized passwords, reset TOTP bindings, and refreshed VPN keys. SonicWall cautioned users to only apply the new files if they accurately reflect their intended firewall configurations.
Broader Threat Landscape and Exploitation Risks
The disclosure of the SonicWall Data Breach comes as SonicWall devices continue to be targeted by threat groups. In particular, actors linked to the Akira ransomware operation have been exploiting an earlier vulnerability tracked as CVE-2024-40766, which carries a critical CVSS score of 9.3. This flaw, if left unpatched, can provide attackers with initial access to networks through vulnerable SonicWall appliances.
In a recent case detailed by Huntress, attackers leveraged SonicWall VPN weaknesses to escalate their access and bypass security protections. The incident revealed how adversaries used a plaintext recovery file to sidestep multi-factor authentication (MFA), suppress security alerts, and uninstall endpoint detection and response (EDR) agents. Researchers warned that such techniques highlight the risks of treating recovery codes as less sensitive than privileged credentials.
“This level of access can be weaponized to disable defenses, manipulate detection tools, and execute further malicious actions,” Huntress researchers noted. “Organizations should treat recovery codes with the same sensitivity as privileged account passwords.”
With attackers increasingly focused on exploiting network security devices, SonicWall stressed the importance of patching vulnerabilities, monitoring configurations, and applying layered security defenses. The company also underscored its commitment to supporting affected customers and enhancing resilience against future brute-force attempts.
Strengthening Firewall Security Practices
The SonicWall Data Breach highlights the importance of strict credential management and proactive defense measures for organizations relying on firewalls as core security components. While SonicWall has moved quickly to mitigate potential risks, security experts advise enterprises to combine vendor-provided updates with their own monitoring and incident response protocols.
To limit exposure from the SonicWall Data Breach, customers' priority remains to reset affected credentials, apply the modified preference files where appropriate, and continue reviewing network activity for anomalies. With cyber adversaries actively probing for weaknesses in security infrastructure, maintaining vigilance over firewall configurations and recovery mechanisms will be critical in reducing future exposure.