MySonicWall Cloud Backup File Incident

SonicWall has completed its investigation, conducted in collaboration with the incident response firm Mandiant, into the scope of a recent cloud backup security incident. The investigation confirmed that an unauthorized party accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service.

The files contain encrypted credentials and configuration data; while the encryption remains in place, possession of these files could increase the risk of targeted attacks. We are working to notify all impacted partners and customers and have released tools to assist with device assessment and remediation. Updated and comprehensive final lists of impacted devices are now available in the MySonicWall portal (navigate to Product Management > Issue List). To help prioritize remediation efforts, the lists include a field that identifies each device as one of the following:

1) “Active – High Priority” (devices with internet-facing services enabled);

2) “Active – Lower Priority” (devices without internet-facing services); or

3) “Inactive” (devices that have not pinged home for 90 days).

We urge all partners and customers to log in and check whether their devices are listed. SonicWall has implemented additional security hardening measures and is working closely with Mandiant to further enhance its cloud infrastructure and monitoring systems.

Affected Products:

  • SonicWall Firewalls with preference files backed up in MySonicWall.com

Due to the sensitivity of the configuration files, we strongly encourage customers to take the following steps immediately:

  • Log in to your MySonicWall.com account and verify whether cloud backups exist for your registered firewalls. If you are a SonicWall Unified Management (SonicPlatform) user and are having trouble getting to MySonicWall.com, click “Cancel” if, upon login, it asks to take you to SonicPlatform.
    NOTE: Please continue to monitor MySonicWall.com regularly for updates to your affected list.
    • If the fields are blank (Figure 1): you are NOT at risk.
      Figure 1 – Does Not Contain Backup

    • If the fields contain backup details (Figure 2): please continue reading.
      Figure 2 – Contains Backups

  • Verify whether impacted serial numbers are listed in your account. Upon login, navigate to Product Management | Issue List; the affected serial numbers will be flagged with information such as Friendly Name, Last Download Date and Known Impacted Services.
    NOTE: The “Last Download Date” indicates when the preferences file was last downloaded (via MySonicWall or the firewall UI), or is blank if the date is unknown. If the file was not downloaded on any specified date by the administrator, take immediate action and follow the remediation steps outlined in the articles.

    • If Serial Numbers are shown: the listed firewalls are at risk and should follow the containment and remediation guidelines: Essential Credential Reset
      TIP: Focus on “Active – High Priority” units first, followed by “Active – Lower Priority”.
      NOTE: Impacted Services should be used for general guidance only. The services listed were identified as being enabled and should be reviewed immediately. ALL SERVICES WITH CREDENTIALS THAT WERE ENABLED AT, OR BEFORE, THE TIME OF BACKUP SHOULD BE REVIEWED FOR EACH SERIAL NUMBER LISTED.
    • If you have used the Cloud Backup feature but no Serial Numbers are shown, or only some of your registered Serial Numbers are shown:
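As an added illustration (not SonicWall's tooling), the Python below sorts a constructed Issue List export into the remediation order the steps above describe and flags any device whose Last Download Date is blank or is not a date the administrator can account for. The column names, the CSV layout and the sample serial numbers are assumptions.

```python
import csv
import io

# Status values from the advisory, mapped to a sort rank. Column names
# below are assumptions; the real Issue List export layout may differ.
PRIORITY_RANK = {"active - high priority": 0, "active - lower priority": 1, "inactive": 2}

# Constructed sample records: not real serial numbers or customer data.
SAMPLE_CSV = """Serial Number,Friendly Name,Priority,Last Download Date,Known Impacted Services
SN-EXAMPLE-0003,branch-fw,Active – Lower Priority,2025-09-01,SSL VPN;LDAP
SN-EXAMPLE-0001,hq-edge,Active - High Priority,,SSL VPN;IPsec VPN;SNMP
SN-EXAMPLE-0002,lab-fw,Inactive,2025-06-12,SNMP
SN-EXAMPLE-0004,dc-edge,Active - High Priority,2025-08-20,IPsec VPN
"""


def priority_rank(value):
    """Rank a status string; tolerates the en dash the portal uses in some labels."""
    key = value.replace("\u2013", "-").replace("\u2014", "-").strip().lower()
    if key not in PRIORITY_RANK:
        raise ValueError(f"unknown priority value: {value!r}")
    return PRIORITY_RANK[key]


def build_queue(csv_text, admin_known_dates):
    """Return Issue List rows as a remediation queue.

    Devices are ordered High Priority, then Lower Priority, then Inactive.
    A row whose Last Download Date is blank (unknown) or not in the set of
    dates the administrator can account for is flagged for immediate action,
    as the advisory's note requires, and sorted to the front of its band.
    """
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        date = rec["Last Download Date"].strip()
        rows.append({
            "serial": rec["Serial Number"],
            "name": rec["Friendly Name"],
            "rank": priority_rank(rec["Priority"]),
            "last_download": date or None,
            "immediate": date == "" or date not in admin_known_dates,
            # Listed services are a starting point only; every credentialed
            # service enabled at or before backup time still needs review.
            "services": [s for s in rec["Known Impacted Services"].split(";") if s],
        })
    return sorted(rows, key=lambda r: (r["rank"], not r["immediate"], r["serial"]))
```

Feed it the real export and the set of download dates your team can vouch for; anything flagged `immediate` goes straight to the Essential Credential Reset steps.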

Backup Preference File Facts

File export basics: 

  • A firewall settings export (backup) creates a file with the extension .EXP.
  • The EXP file contains a full snapshot of the device’s configuration, including credentials and other secrets.
  • Its intended use is to restore the source device—or a replacement device—to the exact captured state. 

Protections applied to a locally generated EXP: 

  • The file content is encoded (not encrypted).
  • Credentials and secrets within the file are individually encrypted with AES-256 in Gen 7 and newer firewalls and 3DES for Gen 6.
  • As a result, general configuration details are readable after a simple decode, while passwords/keys remain encrypted.

Additional protections in cloud backup workflow:

  • When generated via cloud backup, the EXP file is transmitted to the MSW Cloud Backup API over HTTPS.
  • The MSW Cloud Backup API then applies file encryption and compression before storing the file.

Retrieval from cloud backup:

  • When a Cloud Backup EXP is downloaded from MySonicWall, the API:
    • Decrypts the full-file encryption applied at upload - restoring it to its original encoded state, with credentials and secrets left encrypted.
    • Transmits the encoded EXP securely over HTTPS to the requester.

We have a dedicated support service team available if you experience any issues with these changes. Please note that you are responsible for completing the required updates. If you encounter problems, log in to your MySonicWall account and open a case with our Support team at: https://www.mysonicwall.com/muir/login.

Change Log:

  • 2025-9-17 4:40 AM PDT: Initial publish.
  • 2025-9-17 2:45 PM PDT: Minor formatting update.
  • 2025-9-17 8:45 PM PDT: Revised incident disclosure text to clarify scope (<5% of firewalls), encrypted credentials, no known leaks, and brute-force (not ransomware) attack.
  • 2025-9-18  5:38 AM PDT: Changed formatting and provided detailed steps with screenshots.
  • 2025-9-18  9:19 AM PDT: Updated guidance steps, navigation screenshots, and note clarifying review of impacted services.
  • 2025-9-18 4:30 PM PDT: Updated KB text and image to clarify affected products, provide step-by-step backup verification instructions, and replace figures showing when backups are or are not present.
  • 2025-9-19 1:15 PM PDT: No updates at this time.
  • 2025-9-20 9:15 AM PDT: Added a Tip with a video guide and a Note linking to the SonicWall online tool for firewall configuration analysis and remediation guidance.
  • 2025-9-22 8:20 AM PDT: No updates at this time.
  • 2025-9-22 4:45 PM PDT: No updates at this time.
  • 2025-9-24 10:20 AM PDT: Added a Note to check MySonicWall.com periodically for affected list changes.
  • 2025-9-24 2 PM PDT: Revised second paragraph to clarify that credentials remain strongly encrypted while certain configuration details are encoded rather than encrypted.
  • 2025-10-08 7 AM PDT: Updated statement to reflect final investigation results with Mandiant confirming unauthorized access to firewall configuration backup files for customers using the cloud backup service, with updated device impact lists now available in MySonicWall.
  • 2025-10-08 12:15 PM PDT: Removed the text "TIP: Learn more by watching this helpful video guide here."
  • 2025-10-09 6:35 PM PDT: Added note explaining the “Last Download Date” field and required action. Added credentials and secrets are encrypted via 3DES for Gen 6.
  • 2025-10-10 9:35 AM PDT: Added clarifications for SonicPlatform login issues, updated language to note SonicWall is using the final list of impacted backup files, and included guidance that users must complete required updates themselves with Support available only for troubleshooting.
  • 2025-10-21 6:50 AM PDT: No updates at this time.
  • 2025-10-27 12:40 PM PDT: Minor formatting updates.
  • 2025-10-28 11:10 AM PDT: Restructured bullet list to include "Supporting Analysis and Remediation Tools" and added "SonicWall Credentials Reset Tool" link.