
Cybersecurity firm warns exposed backup files could enable "significantly easier" network exploitation.
SonicWall has issued an urgent security advisory after threat actors breached its MySonicWall cloud platform and accessed firewall configuration backup files, potentially exposing sensitive network credentials and authentication tokens that could facilitate widespread corporate network compromises.
The company discovered the unauthorized access and immediately shut down the attack vector, while coordinating with law enforcement and global cybersecurity agencies. The implications of the breach are nonetheless serious: the exposed configuration files contain critical information, including VPN credentials, encryption keys, and authentication tokens, that attackers could use to penetrate customer networks.
"Access to the exposed firewall configuration files contains information that could make exploitation of firewalls significantly easier for threat actors," SonicWall warned in its transparency notice, emphasizing the incident's potential to amplify cybersecurity risks across its customer base.
The breach affects SonicWall firewalls with preference files backed up to MySonicWall.com. Customers can verify their exposure by logging into their MySonicWall accounts, where affected serial numbers are flagged with informational banners. Those without cloud backups enabled remain unaffected.
SonicWall has published comprehensive remediation guidance requiring administrators to reset all passwords, API keys, shared secrets, and encryption keys.
The company emphasizes updating credentials not only on SonicWall devices but also with external services like ISPs, Dynamic DNS providers, and RADIUS servers that rely on the compromised configuration data.
This incident compounds SonicWall's recent security challenges. In August, the company initially dismissed reports that Akira ransomware was exploiting Gen 7 firewalls; it later confirmed that the attacks leveraged CVE-2024-40766, a critical SSLVPN vulnerability that the Australian Cyber Security Centre and Rapid7 verified was being actively exploited.
The breach underscores the cascading risks of cloud-stored network configurations. With firewall settings containing comprehensive network topology and security parameters, their exposure creates a roadmap for sophisticated attacks against enterprise infrastructure.
SonicWall customers should immediately audit their MySonicWall accounts, reset all network credentials, and monitor for suspicious activity across their infrastructure.