All SonicWall Cloud Backup Users Had Firewall Configurations Stolen
In early September, hackers stole the firewall configuration backup files stored using the MySonicWall service. The post All SonicWall Cloud Backup Users Had Firewall Configurations Stolen appeared first on SecurityWeek.
AI Analysis
Technical Summary
In September 2025, a significant data breach occurred involving SonicWall's MySonicWall cloud backup service, where threat actors accessed and exfiltrated firewall configuration backup files for all customers who used this service. These files include encrypted credentials and detailed firewall configuration data. While the encryption remains intact, possession of these files could enable attackers to conduct targeted attacks, such as credential cracking, configuration manipulation, or lateral movement within affected networks. Initially, SonicWall reported that less than 5% of customers were impacted, but a subsequent update revealed that all firewalls configured to back up to the cloud were compromised. SonicWall has categorized affected devices into three risk levels: 'Active – High Priority' for internet-exposed devices, 'Active – Lower Priority' for non-exposed devices, and 'Inactive' for devices not communicating for 90 days. The company is notifying affected customers and partners, urging them to verify device status via the MySonicWall portal, reset passwords, and follow detailed containment and remediation procedures. SonicWall is also working with cybersecurity firm Mandiant to strengthen cloud infrastructure security and monitoring. Although no known exploits are currently active in the wild, the breach poses a medium severity risk due to the sensitive nature of firewall configurations and credentials, which could be leveraged for sophisticated attacks. This incident underscores the importance of securing cloud backup services and the potential risks of centralized storage of critical security configurations.
Potential Impact
For European organizations, this breach poses a significant risk, especially for those relying on SonicWall firewalls with cloud backup enabled. Compromise of firewall configurations can lead to unauthorized access, network infiltration, and potential disruption of critical services. Attackers with access to these configurations could bypass firewall rules, disable security controls, or pivot to other internal systems, threatening confidentiality, integrity, and availability. Organizations with internet-exposed devices are at higher risk of immediate exploitation. The breach could also lead to compliance issues under GDPR due to potential unauthorized access to personal data protected by these firewalls. Additionally, the incident may erode trust in cloud backup solutions and prompt regulatory scrutiny. European sectors with critical infrastructure, finance, healthcare, and government entities using SonicWall products may face increased threat levels, potentially impacting national security and economic stability.
Mitigation Recommendations
European organizations should immediately log into their MySonicWall accounts to determine whether their firewalls have cloud backups stored and to check each device's risk status. They must reset all passwords associated with SonicWall accounts and any credentials stored in the backup files (local admin, VPN, LDAP/RADIUS, SNMP and similar service accounts). Organizations should disable cloud backup temporarily until remediation is complete and consider restoring firewall configurations from offline or alternative secure backups. Implement multi-factor authentication (MFA) on all SonicWall and related accounts to reduce the risk of unauthorized access. Conduct thorough network monitoring for unusual activity, especially lateral movement or unexpected changes in firewall rules and behavior. Apply SonicWall's recommended containment and remediation steps, including firmware updates and security hardening measures released after the incident. Engage cybersecurity partners such as Mandiant for incident response support and forensic analysis. Review and strengthen cloud backup security policies, including encryption key management and access controls. Finally, train staff to recognize phishing or social engineering attempts that may leverage stolen configuration data.
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Switzerland
Technical Details
- Article Source: https://www.securityweek.com/all-sonicwall-cloud-backup-users-had-firewall-configurations-stolen/ (fetched 2025-10-09T08:37:49.955Z, 975 words)
Threat ID: 68e7745d6b49b1a4209508f3
Added to database: 10/9/2025, 8:37:49 AM
Last enriched: 10/9/2025, 8:38:06 AM
Last updated: 10/9/2025, 1:17:48 PM