SonicWall Warns Customers of Data Exposure Incident Affecting MySonicWall Configuration Backup Files


On September 17, 2025, SonicWall released a knowledge base article detailing the exposure of firewall configuration backup files stored in certain MySonicWall accounts. SonicWall states that after identifying the incident it began an investigation, contained the incident by terminating the ‘unauthorized access point’, and is working with law enforcement and select cybersecurity agencies globally.

Because firewall configurations contain stored credentials (local user passwords, VPN pre-shared keys, LDAP bind passwords, RADIUS/TACACS+ shared secrets, and similar), affected organizations should urgently reset every credential held in the exposed configuration to prevent unauthorized access. To reduce risk while that work is under way, SonicWall also provides a set of containment steps that limit a threat actor’s ability to authenticate to the firewall with the stolen credentials.

Customers with serial numbers known to be affected by the incident are expected to see a notification banner upon logging in to MySonicWall.com, as outlined in the recommendations section below. SonicWall has also stated that if you have used the cloud backup feature but there are no listed serial numbers in your MySonicWall account, SonicWall will provide additional guidance in the coming days to determine if your backup files have been impacted.

Impact

Firewall configuration files store sensitive information that threat actors can leverage to gain access to an organization’s network. These files can provide threat actors with critical information such as user, group, and domain settings, DNS and log settings, and certificates, as well as the stored credentials (VPN pre-shared keys, authentication server secrets, service account passwords) listed in the reset guidance below. In the past, Arctic Wolf has observed threat actors, including nation-state and ransomware groups, exfiltrating firewall configuration files to use in future attacks.

Affected Products

SonicWall states that firewall configuration backup files stored in certain MySonicWall accounts were affected, but the full scope of this incident hasn’t been fully detailed by SonicWall at this time. Based on SonicWall’s current advisory, the incident affects SonicWall customers that have backed up configuration files to MySonicWall.

Recommendations

It is recommended that organizations monitor SonicWall’s advisory page for up-to-date details on this incident. SonicWall provides a list of recommendations to help identify and remediate affected devices.

Additionally, SonicWall has set up a dedicated support team to help organizations remediate this security incident. If you need assistance, log in to MySonicWall and open a new case.

Check MySonicWall For Known Affected Serial Numbers

Here is the process outlined by SonicWall for verifying if specific firewalls are affected by this incident:

  1. Log into MySonicWall and check if the cloud backup feature is enabled.
  2. Serial numbers known to be affected by this incident will be marked with an informational banner.
  3. If no serial numbers are listed but you use or have used the cloud backup feature, SonicWall states they will provide additional guidance in the coming days to determine if those backups were affected by this incident.

Perform Containment Steps

For each device confirmed to be affected through MySonicWall, SonicWall recommends that several containment steps are completed to reduce the risk of exposed firewall configurations being abused for unauthorized access during the remediation process.

At a high level, these steps include:

  • Disable or restrict access to HTTP/HTTPS & SSH Management over the WAN.
  • Disable or restrict access to SSL VPN, IPSEC VPN, and SNMP until the remediation actions below have been completed.
  • Disable or restrict inbound WAN access to internal services allowed via NAT/Access Rules.

Import New Configuration File

To limit the possibility of exploitation during remediation, SonicWall customers may receive a new configuration file (also referred to as a preference file) from SonicWall, created from the latest configuration backup identified in MySonicWall cloud storage and modified as described below, to import onto impacted firewalls.

This new configuration file makes changes to enhance security and support remediation efforts:

  • All local user passwords are randomized. Users will not be able to access resources until a password reset is conducted.
  • TOTP binding is reset, if enabled.
  • IPSec VPN pre-shared keys are randomized. IPSec VPNs will not work until the updated keys are manually configured on the peer IPSec termination points.

These changes can be done manually if the latest configuration file does not represent your organization’s desired settings. After reconfiguring all relevant credentials and settings, create a new system backup and export the new configuration file.

Reset Stored Credentials in Firewall Configuration

In a knowledge base article related to this incident, SonicWall provides a list of 7 categories of credentials that should be reset, ordered by criticality:

  1. Core Authentication Systems (Critical – Do First)
    • Local Authentication
      • Reset local admin password
      • Reset and enforce strong passwords for all local users
    • Multi-Factor Authentication
      • Reset TOTP for all users
      • Require users to re-bind authenticator apps
    • External Authentication
      • Update LDAP bind account password
      • Update LDAP server entries in SonicOS
      • Reset shared secrets for RADIUS and/or TACACS+ authentication
  2. VPN & Remote Access Infrastructure (Critical – After Core Auth)
    • IPSec VPN
      • Replace all pre-shared keys in site-to-site configurations
      • Update GroupVPN policies
    • WAN Interfaces
      • Reset passwords for L2TP, PPPoE, and PPTP interfaces
      • Coordinate with ISP for corresponding account password changes
    • SSLVPN
      • Reset passwords in all SSLVPN bookmarks
  3. Cloud & External Integrations (High Priority)
    • AWS Integration
      • Rotate IAM access keys used for Logging and VPN integration
    • Dynamic DNS
      • Reset provider account password on provider site
      • Update DDNS entries in SonicOS
    • Network Access Control (ClearPass)
      • Reset NAC server account passwords
    • SNMP Monitoring
      • Reset passwords for SNMPv3 users
    • WWAN Backup
      • Update passwords for cellular backup connections
  4. Email & Reporting Services (Medium Priority)
    • Email Logs
      • Reset credentials for accounts used in log automation/alerts
    • FTP/HTTPS Reporting
      • Reset credentials for servers used in:
        • Log automation
        • Packet Monitor
        • Settings and TSR scheduled reports
        • Dynamic address objects/groups
        • Dynamic Botnet list server
    • AppFlow Reporting
      • Reset passwords for SMTP/POP accounts used in AppFlow SFR reports
  5. Wireless Infrastructure (Medium Priority)
    • Wireless Interfaces & Profiles
      • Update shared keys for internal wireless interfaces, APs, and virtual APs
    • SonicPoint/SonicWave
      • Reset SSLVPN management password
      • Reset administrator passwords on each access point
    • Wireless RADIUS
      • Reset internal RADIUS server shared secrets for wireless authentication
      • Reset RADIUS shared secrets for wireless zone objects
      • Update LDAP bind account password if used for wireless auth
  6. User Services & SSO (Low Priority)
    • Guest Services
      • Reset shared secret for External Guest Authentication
    • SSO Features
      • Reset shared secrets for:
        • SSO Agent
        • Terminal Services Agent (TSA)
        • SSO RADIUS Accounting clients
        • Third-party SSO API clients
    • Accounting
      • Reset RADIUS/TACACS+ shared secrets for Accounting server entries
  7. Infrastructure & Legacy Systems (Low Priority)
    • NTP
      • Reset passwords for any custom NTP servers
    • Signature Proxy
      • Reset proxy server password used for signature updates
    • Extended Switches
      • Reset management passwords on integrated Dell/SonicWall switches
    • GMS (Legacy)
      • Update IPSec Management Tunnel encryption keys
    • Routing Protocols
      • Update passwords for protocols including RIP, OSPFv2, and BGP

For detailed instructions on performing each of these credential resets, SonicWall has provided an index of relevant knowledge base articles with step-by-step instructions for each type of credential.
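The containment checks and the seven-category reset order above are easier to apply consistently when they are turned into a triage script run against the firewall's exported settings. The following is an added example (not SonicWall's or Arctic Wolf's code, and not part of the original bulletin) that inventories credential-bearing settings, assigns each one to a priority bucket from the list above, and flags settings that show the containment steps have not yet been applied. It assumes the decoded export is a flat, `&`-separated list of URL-encoded `key=value` pairs; the setting names (`adminPassword`, `wanMgmtHttps`, and so on), the substring hints used for matching, and the sample settings themselves are all constructed for this example and are not SonicOS's real identifiers, so confirm the format and names against a real export before relying on it.

```python
import base64
from urllib.parse import parse_qsl, urlencode

# Reset order from the bulletin's seven categories (1 = do first). The substrings are
# guesses at words that would appear in a setting's name for each area, not real
# SonicOS identifiers. The first category whose hint matches wins.
CATEGORIES = [
    (1, "Core Authentication", ("admin", "userpass", "totp", "ldap", "radius", "tacacs")),
    (2, "VPN & Remote Access", ("psk", "presharedkey", "l2tp", "pppoe", "pptp", "sslvpn", "groupvpn")),
    (3, "Cloud & External Integrations", ("aws", "iam", "ddns", "dyndns", "clearpass", "nac", "snmp", "wwan")),
    (4, "Email & Reporting", ("smtp", "pop3", "ftp", "appflow", "report", "emaillog")),
    (5, "Wireless", ("wlan", "wireless", "sonicpoint", "sonicwave", "vap")),
    (6, "User Services & SSO", ("guest", "sso", "tsa", "accounting")),
    (7, "Infrastructure & Legacy", ("ntp", "proxy", "switch", "gms", "rip", "ospf", "bgp")),
]
UNCATEGORIZED = (8, "Uncategorized (review manually)")

# A setting is treated as a secret when its name carries one of these hints.
SECRET_HINTS = ("password", "passwd", "secret", "psk", "sharedkey", "presharedkey", "accesskey", "token")

# Settings whose value "1" means a containment step (disable WAN management, SSL VPN,
# SNMP) has not been applied. Hypothetical names assumed for this example.
CONTAINMENT_CHECKS = {
    "wanMgmtHttps": "HTTPS management on WAN still enabled",
    "wanMgmtSsh": "SSH management on WAN still enabled",
    "sslvpnEnable": "SSL VPN still enabled",
    "snmpEnable": "SNMP still enabled",
}

# Constructed sample settings standing in for a decoded backup; values are placeholders.
SAMPLE_SETTINGS = {
    "hostName": "fw-edge-01",
    "interfaceX1_ip": "203.0.113.10",
    "adminPassword": "Placeh0lder&Admin=1",
    "ldapBindPassword": "placeholder-bind",
    "radiusSharedSecret": "placeholder-radius",
    "vpnPolicy_0_psk": "placeholder-psk",
    "sslvpnBookmark_0_password": "placeholder-bookmark",
    "ddnsPassword": "placeholder-ddns",
    "snmpv3AuthPassword": "placeholder-snmp",
    "wwanPassword": "",
    "ntpServerPassword": "placeholder-ntp",
    "unknownServiceSecret": "placeholder-unknown",
    "wanMgmtHttps": "1",
    "wanMgmtSsh": "0",
    "sslvpnEnable": "1",
    "snmpEnable": "0",
}


def encode_export(settings: dict[str, str]) -> str:
    """Build a sample export blob: base64 over URL-encoded key=value pairs (assumed layout)."""
    return base64.b64encode(urlencode(settings).encode()).decode()


def decode_export(blob: str) -> dict[str, str]:
    """Reverse of encode_export; keep_blank_values so empty secrets are still reported."""
    text = base64.b64decode(blob).decode()
    return dict(parse_qsl(text, keep_blank_values=True))


def classify(key: str) -> tuple[int, str]:
    """Map a setting name to the bulletin's reset priority by substring match."""
    lowered = key.lower()
    for priority, name, hints in CATEGORIES:
        if any(hint in lowered for hint in hints):
            return priority, name
    return UNCATEGORIZED


def rotation_plan(settings: dict[str, str]) -> list[dict]:
    """List every credential-bearing setting, ordered by the bulletin's priority."""
    plan = []
    for key, value in settings.items():
        if not any(hint in key.lower() for hint in SECRET_HINTS):
            continue
        priority, category = classify(key)
        # Never echo the secret itself: report where it lives and whether it is populated.
        plan.append({"priority": priority, "category": category, "key": key, "populated": bool(value)})
    plan.sort(key=lambda entry: (entry["priority"], entry["key"]))
    return plan


def containment_findings(settings: dict[str, str]) -> list[str]:
    """Report exposed services the containment steps say to disable or restrict."""
    return [message for key, message in CONTAINMENT_CHECKS.items() if settings.get(key) == "1"]


def checklist(settings: dict[str, str]) -> str:
    """Human-readable rotation checklist followed by outstanding containment items."""
    lines = [
        f"[{e['priority']}] {e['category']}: rotate '{e['key']}'" + ("" if e["populated"] else " (empty)")
        for e in rotation_plan(settings)
    ]
    lines += [f"[containment] {message}" for message in containment_findings(settings)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(checklist(decode_export(encode_export(SAMPLE_SETTINGS))))
```

Running it against the constructed sample prints the ten credential settings in priority order (the three core-authentication secrets first, the unrecognised `unknownServiceSecret` last for manual review, and `wwanPassword` marked empty) followed by two containment findings for WAN HTTPS management and SSL VPN. The hint lists are deliberately conservative: a setting that matches no category is surfaced rather than dropped, because a credential that is missed is worse than one that is reviewed twice.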
