On September 17, 2025, SonicWall released a knowledge base article detailing the exposure of firewall configuration backup files stored in certain MySonicWall accounts. As of October 8, 2025, the investigation has concluded and SonicWall has updated their advisory accordingly.
While the original SonicWall advisory stated that under 5% of customers using the MySonicWall configuration file backup feature were affected by the incident, the finalized verbiage now specifies that all customers who have used SonicWall’s cloud backup service were affected.
Considering that sensitive credentials are stored within firewall configurations, organizations using the MySonicWall cloud configuration backup service should urgently prioritize resetting credentials on live firewall devices to avoid unauthorized access. SonicWall states that only Gen 7 and newer firewalls individually encrypt credentials and secrets in exported configuration files using AES-256.
SonicWall has indicated that they are now working to contact all affected customers and partners, and have provided instructions on how to definitively check if an organization’s backed up configuration files were affected in this incident.
Impact
Firewall configuration files store sensitive information that can be leveraged by threat actors to exploit and gain access to an organization’s network. These files can provide threat actors with critical information such as user, group, and domain settings, DNS and log settings, and certificates. In the past, Arctic Wolf has observed threat actors, including nation-state and ransomware groups, exfiltrating firewall configuration files to use in future attacks.
Recommendations
SonicWall has provided an in-depth advisory page with up-to-date details on this incident. They provide a list of recommendations to help identify and remediate devices that are affected. Additionally, SonicWall has set up a dedicated support team to help organizations remediate this security incident. If you need assistance, log in to MySonicWall and open a new case.
Check MySonicWall For Known Affected Serial Numbers
SonicWall has provided comprehensive and final lists of impacted devices on the MySonicWall portal under Product Management > Issue List. These lists include a field identifying each device as one of the following:
- “Active – High Priority”: Devices with internet-facing services enabled.
- “Active – Lower Priority”: Devices without internet-facing services.
- “Inactive”: Devices that have not pinged home to MySonicWall for 90 days or longer.
Perform Containment Steps
For each device confirmed to be affected through MySonicWall, SonicWall recommends that several containment steps are completed to reduce the risk of exposed firewall configurations being abused for unauthorized access during the remediation process.
At a high level, these steps include:
- Disable or restrict access to HTTP/HTTPS & SSH Management over the WAN.
- Disable or restrict access to SSL VPN, IPSEC VPN, and SNMP until the remediation actions below have been completed.
- Disable or restrict inbound WAN access to internal services allowed via NAT/Access Rules.
Import New Configuration File
To limit the possibility of exploitation during the remediation of this incident, SonicWall customers may receive communications from SonicWall providing a new configuration file (also referred to as a preference file), created and modified from the latest configuration backup file identified in MySonicWall cloud storage, to import onto impacted firewalls.
This new configuration file makes changes to enhance security and support remediation efforts:
- All local user passwords are randomized. Users will not be able to access resources until a password reset is conducted.
- TOTP binding is reset, if enabled.
- IPSecVPN keys randomized. IPSec VPNs will not work until the updated keys are manually configured on the peer IPSec termination points.
These changes can be done manually if the latest configuration file does not represent your organization’s desired settings. After reconfiguring all relevant credentials and settings, create a new system backup and export the new configuration file.
Reset Stored Credentials in Firewall Configuration
In a knowledge base article related to this incident, SonicWall provides a list of 7 categories of credentials that should be reset, ordered by criticality:
1. Core Authentication Systems (Critical – Do First)
-
- Local Authentication
- Reset local admin password
- Local Authentication
-
-
- Reset and enforce strong passwords for all local users
-
-
- Multi-Factor Authentication
-
-
- Reset TOTP for all users
-
-
-
- Require users to re-bind authenticator apps
-
-
- External Authentication
-
-
- Update LDAP bind account password
-
-
-
- Update LDAP server entries in SonicOS
-
-
-
- Reset shared secrets for RADIUS and/or TACACS+ authentication
-
2. VPN & Remote Access Infrastructure (Critical – After Core Auth)
-
- IPSec VPN
-
-
- Replace all pre-shared keys in site-to-site configurations
-
-
-
- Update GroupVPN policies
-
-
- WAN Interfaces
-
-
- Reset passwords for L2TP, PPPoE, and PPTP interfaces
-
-
-
- Coordinate with ISP for corresponding account password changes
-
-
- SSLVPN
-
-
- Reset passwords in all SSLVPN bookmarks
-
3. Cloud & External Integrations (High Priority)
-
- AWS Integration
-
-
- Rotate IAM access keys used for Logging and VPN integration
-
-
- Dynamic DNS
-
-
- Reset provider account password on provider site
-
-
-
- Update DDNS entries in SonicOS
-
-
- Network Access Control (Clearpass)
-
-
- Reset NAC server account passwords
-
-
- SNMP Monitoring
-
-
- Reset passwords for SNMPv3 users
-
-
- WWAN Backup
-
-
- Update passwords for cellular backup connections
-
4. Email & Reporting Services (Medium Priority)
-
- Email Logs
-
-
- Reset credentials for accounts used in log automation/alerts
-
-
- FTP/HTTPS Reporting
-
-
- Reset credentials for servers used in:
-
-
-
- Log automation
-
-
-
- Packet Monitor
-
-
-
- Settings and TSR scheduled reports
-
-
-
- Dynamic address objects/groups
-
-
-
- Dynamic Botnet list server
-
-
- AppFlow Reporting
-
-
- Reset passwords for SMTP/POP accounts used in AppFlow SFR reports
-
5. Wireless Infrastructure (Medium Priority)
- Wireless Interfaces & Profiles
-
- Update shared keys for internal wireless interfaces, APs, and virtual APs
- SonicPoint/SonicWave
-
- Reset SSLVPN management password
-
- Reset administrator passwords on each access point
- Wireless RADIUS
-
- Reset internal RADIUS server shared secrets for wireless authentication
-
- Reset RADIUS shared secrets for wireless zone objects
-
- Update LDAP bind account password if used for wireless auth
6. User Services & SSO (Low Priority)
- Guest Services
-
- Reset shared secret for External Guest Authentication
- SSO Features
-
- Reset shared secrets for:
-
- SSO Agent
-
- Terminal Services Agent (TSA)
-
- SSO RADIUS Accounting clients
-
- Third-party SSO API clients
- Accounting
-
- Reset RADIUS/TACACS+ shared secrets for Accounting server entries
7. Infrastructure & Legacy Systems (Low Priority)
- NTP
-
- Reset passwords for any custom NTP servers
- Signature Proxy
-
- Reset proxy server password used for signature updates
- Extended Switches
-
- Reset management passwords on integrated Dell/SonicWall switches
- GMS (Legacy)
-
- Update IPSec Management Tunnel encryption keys
- Routing Protocols
-
- Update passwords for protocols including RIP, OSPFv2, and BGP
For detailed instructions on how to perform each of these types of credential resets, SonicWall has provided an index of relevant knowledge base articles and step-by-step instructions on how to update each type of credential.
References
