Hackers Access SonicWall Cloud Firewall Backups, Spark Urgent Security Checks
SonicWall on Wednesday disclosed that an unauthorized party accessed firewall configuration backup files for all customers who have used the cloud backup service. "The files contain encrypted credentials and configuration data; while encryption remains in place, possession of these files could increase the risk of targeted attacks," the company said. It also noted that it's working to notify all
AI Analysis
Technical Summary
On October 9, 2025, SonicWall disclosed a security breach in which an unauthorized actor accessed firewall configuration backup files stored in the cloud for all customers who used SonicWall's cloud backup service. These backup files contain encrypted credentials, firewall rules, routing configurations, and other sensitive device settings. The breach was enabled by a brute-force attack against SonicWall's cloud backup API, which reportedly lacked basic security controls such as rate limiting and robust authentication. While the credentials within the backups remain encrypted, attackers now possess the encrypted data and configuration details, which could facilitate offline password cracking and targeted exploitation of the affected firewalls. SonicWall initially underestimated the scope, stating that fewer than 5% of customers were affected, but later acknowledged that all cloud backup users were impacted. The company is actively notifying customers and partners, providing tools for device assessment and remediation, and prioritizing devices by exposure level (internet-facing services and recent activity). SonicWall has since hardened its infrastructure by enhancing logging and implementing stronger authentication controls, and it urges customers to verify their backup status on MySonicWall.com. The incident underscores the risks of insufficient API security and the potential for attackers to use leaked encrypted credentials and configuration data to mount targeted attacks against firewall devices. No known exploits are currently active in the wild, but the breach raises significant concerns about credential strength and the security of cloud backup services for critical network infrastructure.
Potential Impact
For European organizations, this breach poses a significant risk to network security and operational integrity. SonicWall firewalls are widely used across Europe in sectors including finance, healthcare, government, and critical infrastructure, making the exposure of backup configurations a potential vector for targeted attacks. Attackers possessing encrypted credentials and detailed firewall configurations could attempt offline password cracking, potentially gaining unauthorized access to firewall management interfaces. This could lead to manipulation of firewall rules, enabling lateral movement, data exfiltration, or disruption of services. The risk is heightened for organizations with weak password policies or those that have not promptly applied remediation steps. Additionally, the breach undermines trust in cloud backup services for critical security devices, potentially impacting compliance with GDPR and other data protection regulations if unauthorized access leads to data breaches. The incident also stresses the importance of securing APIs and monitoring for brute-force attempts, which are common attack vectors in Europe’s evolving threat landscape. Organizations relying on SonicWall firewalls must urgently assess their exposure and implement tailored mitigations to prevent exploitation.
Mitigation Recommendations
European organizations should immediately log into their MySonicWall accounts to verify the presence of cloud backups and check if their devices are listed as impacted. Prioritize remediation for devices labeled as 'Active – High Priority' with internet-facing services enabled. Conduct a comprehensive password audit and enforce strong, complex passwords for firewall management interfaces to mitigate offline cracking risks. Implement multi-factor authentication (MFA) where supported to add an additional security layer. Review and tighten firewall rules and configurations to minimize attack surface exposure. Monitor firewall logs and network traffic for unusual activity indicative of attempted exploitation. Disable or restrict cloud backup features if not essential, or consider alternative backup solutions with stronger security guarantees. SonicWall users should apply any vendor-provided tools and follow updated guidance for containment and remediation. Additionally, organizations should review API security practices, ensuring rate limiting, anomaly detection, and strong authentication are in place to prevent brute-force attacks. Regularly update and patch firewall firmware and management software to incorporate security improvements. Finally, coordinate with cybersecurity incident response teams to prepare for potential targeted attacks leveraging leaked data.
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Switzerland
Technical Details
- Article Source: https://thehackernews.com/2025/10/hackers-access-sonicwall-cloud-firewall.html (fetched 2025-10-11T01:08:52.694Z, 1127 words)
Threat ID: 68e9ae2654cfe91d8fe9e2f0
Added to database: 10/11/2025, 1:08:54 AM
Last enriched: 10/11/2025, 1:11:06 AM
Last updated: 10/11/2025, 12:22:01 PM