
SonicWall has dramatically expanded the scope of last month's security breach, confirming that all customers using its cloud backup service had their firewall configuration files accessed by unauthorized attackers—a stark reversal from initial reports claiming only 5% were impacted.
The revelation follows a comprehensive investigation conducted with incident response firm Mandiant, which determined that threat actors successfully accessed encrypted firewall configuration backup files (.EXP files) for every customer utilizing SonicWall's MySonicWall cloud backup portal. The breach, first disclosed on September 17, 2025, has escalated from affecting approximately 5% of accounts to a complete compromise of the backup service.
"The investigation confirmed that an unauthorized party accessed firewall configuration backup files for all customers who have used SonicWall's cloud backup service," the company stated in its updated October 10 advisory, marking a significant widening of the incident's impact.
The credential fields inside the stolen files are encrypted (AES-256, or 3DES on older Gen 6 devices), but the rest of the configuration body is only encoded, not encrypted. Decoding it hands an attacker the network topology, interface addressing, enabled services, and the encrypted authentication material itself, which is enough to plan a targeted attack against each firewall without first breaking the credential encryption.
One affected administrator reported that their list of impacted devices grew from 17 to 112 units, with evidence suggesting the unauthorized access began as early as July 2025, roughly two months before public disclosure.
SonicWall has implemented device prioritization categories in the MySonicWall portal: "Active - High Priority" for internet-facing services, "Active - Lower Priority" for internal devices, and "Inactive" for dormant units. Customers must navigate to "Product Management > Issue List" to verify their exposure and follow comprehensive credential reset procedures.
The company urges immediate action: reset all local user passwords, re-enroll TOTP seeds, and rotate VPN shared secrets, LDAP/RADIUS credentials, and API keys. Changing the values on the SonicWall device alone is not enough; every secret that is shared with a counterparty must also be updated on the other side, including ISP and DNS provider accounts, VPN peers, and the LDAP/RADIUS servers that trust the compromised configurations.
This incident compounds SonicWall's security challenges following recent Akira ransomware exploits of CVE-2024-40766.