State-Sponsored Hackers Behind SonicWall’s September Security Breach
SonicWall has attributed a significant security breach that occurred in September 2025 to state-sponsored hackers. The breach involved unauthorized access to firewall configuration files held in the company’s MySonicWall cloud backup system.
Details of the September Security Breach
In September, SonicWall urged its customers to reset their credentials after discovering that backup files related to MySonicWall accounts were accessed. Initially, SonicWall assessed that fewer than 5% of its clients were affected, claiming that no sensitive files were compromised at that time. However, the situation escalated on October 8 when the company confirmed that attackers accessed the preference files of all firewalls utilizing its cloud backup service.
Impact of the Breach
- The breach exposed encrypted credentials and configuration files.
- These files could potentially facilitate further attacks on affected systems.
- SonicWall is actively notifying impacted users and providing tools for assessing the situation.
The company has updated its device lists to prioritize remediation efforts for the various affected firewall models. It has strongly advised users to reset their passwords in light of the incident.
Investigation and Findings
According to SonicWall and cybersecurity firm Mandiant, the breach is unrelated to any ongoing Akira ransomware incidents or SSLVPN attacks. Mandiant’s investigation indicated that the unauthorized activity was confined to accessing cloud backup files through an API call, without any impact on SonicWall products, firmware, or customer networks.
Response to the Threat
Responding to the situation, SonicWall is implementing fixes recommended by Mandiant and is enhancing its security measures with the help of external experts. As targeted attacks from state-sponsored entities become more prevalent, particularly against edge security providers, SonicWall remains committed to fortifying its defenses and supporting its partners and small-to-medium business (SMB) clients.
The company’s announcement emphasized a proactive strategy of preparing its platform for future security challenges posed by nation-state-backed threats.