
SonicWall Confirms State-Sponsored Hackers Behind September Cloud Backup Breach

Severity: Medium
Category: Vulnerability
Published: Thu Nov 06 2025 (11/06/2025, 05:40:00 UTC)
Source: The Hacker News

Description

SonicWall has formally implicated state-sponsored threat actors as behind the September security breach that led to the unauthorized exposure of firewall configuration backup files. "The malicious activity – carried out by a state-sponsored threat actor - was isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call," the company said in a

AI-Powered Analysis

AI analysis last updated: 11/06/2025, 05:53:24 UTC

Technical Analysis

In September 2025, SonicWall disclosed a security breach, which it has now attributed to a state-sponsored threat actor, in which firewall configuration backup files stored in a specific cloud environment were accessed without authorization. According to SonicWall, the actor reached the files through an API call against that cloud environment. The company has not described the access as exploitation of a product vulnerability, and it states that no SonicWall products, firmware or other systems were compromised. The files belonged to customers using SonicWall's cloud backup feature, and SonicWall put the affected population at under 5% of that user base.

SonicWall engaged Mandiant, the Google-owned incident-response firm, to investigate and adopted its remediation recommendations to harden both network and cloud infrastructure. It also published tools so customers can check whether their devices are affected and reset the credentials the backups contain. The incident is separate from the ransomware campaigns currently targeting firewall and edge devices globally.

The security-relevant point is what a firewall configuration export contains. Beyond topology, it normally carries credential material: VPN pre-shared keys, LDAP or RADIUS bind secrets, SNMP community strings, local administrator password hashes and API or integration keys. Even where these are encrypted or hashed at rest, an attacker holding the file can attempt offline recovery, and can read the rules, address objects and access policies needed to plan a targeted intrusion. That is why SonicWall's guidance centres on resetting credentials rather than on acknowledgment alone. No active exploitation tied to the exposed files has been reported, but the risk persists wherever the exposed secrets remain valid or are reused elsewhere.

The breach fits a broader pattern of nation-state interest in edge security vendors, particularly those serving SMBs and distributed environments, since a foothold at the vendor or its cloud services scales across many downstream networks.

Potential Impact

For European organizations, particularly SMBs that rely on SonicWall's cloud backup service, the direct risk is exposure of firewall configurations to a capable adversary. A configuration reveals network topology, address objects, NAT and access rules, VPN peers and the security controls in place, which lets an attacker map defences and select targets without touching the network. Where the file's embedded credentials are recovered or are reused across environments, it can also provide working access: a VPN pre-shared key or an administrative password that also protects a second firewall, a branch site or a management system turns a confidentiality breach into a route for targeted intrusion, lateral movement or service disruption.

Although only a small subset of customers was affected, the consequence for any one of them can be severe. Organizations subject to GDPR should assess whether the exposed configuration reveals personal data or weakens the controls protecting it, and document that assessment. The medium severity reflects the limited scope set against a notable potential for follow-on targeted attacks, especially in sectors holding high-value data or operating critical infrastructure. More broadly, the incident shows that cloud backup stores and the APIs in front of them must be treated as high-value targets, a concern that grows as European enterprises move security management into vendor clouds, and it signals continued state-sponsored interest in edge security providers.
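The reuse risk above is concrete: whoever holds one exported configuration will try its secrets against every other device in the estate. The following script is an added example, not SonicWall's or Mandiant's tooling, that takes several configuration exports, picks out the credential-bearing keys, and reports which secrets appear in more than one place so that those are rotated first. The "section.key = value" format and the two sample exports are constructed for this example; real vendor exports (SonicWall's included) use their own encodings and would need to be decoded or converted before this step. Secrets are reported only by a short hash so the output can go into a ticket.

```python
"""Find secrets shared between firewall configuration exports.

Added illustrative code, not SonicWall's or Mandiant's tooling. The config
format is a constructed, generic "section.key = value" export; real vendor
exports use their own encodings and must be decoded or converted first.
"""
import hashlib
import re
from collections import defaultdict

# Keys whose values are reusable secrets an attacker holding the export would
# try against other devices. The pattern list is an assumption for this example.
SECRET_KEY_RE = re.compile(
    r"\.(psk|bind_password|community|password_hash|shared_secret|api_key)$"
)

# Constructed sample exports for two devices in one estate.
HQ_CONFIG = """\
device.name = fw-hq-01
vpn.tunnel.branch1.psk = Summer2024!vpn
vpn.tunnel.branch2.psk = Summer2024!vpn
auth.ldap.bind_password = SvcLdap#2023
snmp.v2c.community = public
admin.users.admin.password_hash = $6$Qz1v$h9KpL2mNw8
cloud.backup.api_key = ak_live_7f3c9a
"""

BRANCH_CONFIG = """\
device.name = fw-branch-01
vpn.tunnel.hq.psk = Summer2024!vpn
auth.radius.shared_secret = R4d1usS3cret
snmp.v2c.community = public
admin.users.admin.password_hash = $6$Qz1v$h9KpL2mNw8
"""

CONFIGS = {"fw-hq-01": HQ_CONFIG, "fw-branch-01": BRANCH_CONFIG}


def parse_config(text):
    """Parse 'key = value' lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def fingerprint(secret):
    """Short SHA-256 of the secret so reports never echo the secret itself."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def find_shared_secrets(configs):
    """Map fingerprint -> list of (device, key) for secrets used in more than one place."""
    uses = defaultdict(list)
    for device, text in configs.items():
        for key, value in parse_config(text).items():
            if SECRET_KEY_RE.search(key):
                uses[fingerprint(value)].append((device, key))
    return {fp: locs for fp, locs in uses.items() if len(locs) > 1}


def rotation_plan(configs):
    """Rank shared secrets by blast radius: number of devices first, then total uses."""
    plan = []
    for fp, locs in find_shared_secrets(configs).items():
        devices = sorted({d for d, _ in locs})
        plan.append({
            "fingerprint": fp,
            "devices": devices,
            "uses": len(locs),
            "keys": sorted(k for _, k in locs),
        })
    plan.sort(key=lambda p: (-len(p["devices"]), -p["uses"]))
    return plan


if __name__ == "__main__":
    for item in rotation_plan(CONFIGS):
        print(f"{item['fingerprint']}  devices={item['devices']}  uses={item['uses']}")
        for k in item["keys"]:
            print(f"    {k}")
```

On the sample data the VPN pre-shared key shared by three tunnels across both devices ranks first, followed by the SNMP community and the administrator hash reused on both firewalls; the LDAP bind password, RADIUS secret and cloud API key appear once each and still need rotating, but carry no cross-device blast radius.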

Mitigation Recommendations

European organizations using SonicWall cloud backup should:

- Check device status at MySonicWall.com and run SonicWall's Online Analysis and Credentials Reset Tools to identify affected devices and the services whose credentials need resetting.
- Reset every credential the exposed configuration could contain, not only the administrator password: VPN pre-shared keys (coordinating with peers), LDAP/RADIUS bind secrets, SNMP community strings, local user passwords, and any API or integration keys. Do not reuse the same secret across firewalls, sites or management systems.
- Restrict access to cloud management and backup interfaces: least-privilege roles for API credentials, multi-factor authentication for all interactive cloud management logins, and source address allow-listing where the platform supports it.
- Audit and monitor cloud backup environments for unusual API activity, such as bulk retrieval of backup objects, access from new source addresses, or a credential used outside its normal role, and alert on it promptly.
- Segment the network so that knowledge of one firewall's configuration does not translate into reach across the estate.
- Exchange threat intelligence on the tactics state-sponsored actors use against edge security providers.
- Include cloud backup and API security in regular security assessments and penetration tests.
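The technical analysis describes the vector as API calls against a cloud backup store, and the monitoring recommendation above asks for detection of unusual API activity there. The following script is an added example, not SonicWall's or Mandiant's detection logic, showing two checks a defender would run over the store's access log: a principal calling from a source address never seen for it before, and a principal reading backup objects belonging to more than a handful of distinct tenants inside a short window, which is the shape of bulk retrieval through a stolen or over-privileged API credential. The JSON-lines log format, field names, baseline and sample events are all constructed for the example; real providers' access logs (S3 server access logs, Azure Storage diagnostics, GCS audit logs) carry the same information under different names, so only parse_log() needs adapting.

```python
"""Flag suspicious retrieval of firewall backup objects in a cloud audit log.

Added illustrative code, not SonicWall's or Mandiant's tooling. The log
format is a constructed, generic object-store access log in JSON lines;
real providers' logs use different field names, so adapt parse_log().
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

BACKUP_PREFIX = "backups/"

# Known source addresses per API principal, as learned from prior weeks.
# Constructed for this example.
BASELINE = {
    "svc-backup-writer": {"10.20.0.5"},
    "support-portal-api": {"203.0.113.7"},
}

# Constructed sample log. Writes from the backup agent are normal; one
# customer-initiated restore read is normal; then a stolen API credential
# is used from a new address to pull backups for five tenants in seconds.
SAMPLE_LOG = """\
{"ts":"2025-09-12T03:01:10Z","principal":"svc-backup-writer","src_ip":"10.20.0.5","op":"PutObject","key":"backups/tenant-0041/fw-config.bak","status":200}
{"ts":"2025-09-12T03:02:44Z","principal":"svc-backup-writer","src_ip":"10.20.0.5","op":"PutObject","key":"backups/tenant-0042/fw-config.bak","status":200}
{"ts":"2025-09-12T08:00:31Z","principal":"support-portal-api","src_ip":"203.0.113.7","op":"GetObject","key":"backups/tenant-0010/fw-config.bak","status":200}
{"ts":"2025-09-12T09:14:02Z","principal":"support-portal-api","src_ip":"198.51.100.23","op":"GetObject","key":"backups/tenant-0041/fw-config.bak","status":200}
{"ts":"2025-09-12T09:14:03Z","principal":"support-portal-api","src_ip":"198.51.100.23","op":"GetObject","key":"backups/tenant-0042/fw-config.bak","status":200}
{"ts":"2025-09-12T09:14:05Z","principal":"support-portal-api","src_ip":"198.51.100.23","op":"GetObject","key":"backups/tenant-0043/fw-config.bak","status":200}
{"ts":"2025-09-12T09:14:06Z","principal":"support-portal-api","src_ip":"198.51.100.23","op":"GetObject","key":"backups/tenant-0044/fw-config.bak","status":200}
{"ts":"2025-09-12T09:14:08Z","principal":"support-portal-api","src_ip":"198.51.100.23","op":"GetObject","key":"backups/tenant-0045/fw-config.bak","status":200}
{"ts":"2025-09-12T09:14:09Z","principal":"support-portal-api","src_ip":"198.51.100.23","op":"GetObject","key":"backups/tenant-0046/fw-config.bak","status":403}
"""


def parse_log(text):
    """Parse JSON lines into event dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def tenant_of(key):
    """'backups/tenant-0041/fw-config.bak' -> 'tenant-0041', else None."""
    if not key.startswith(BACKUP_PREFIX):
        return None
    parts = key.split("/")
    return parts[1] if len(parts) >= 3 else None


def detect_new_sources(events, baseline):
    """One alert per (principal, src_ip) pair not present in the baseline."""
    seen = {p: set(ips) for p, ips in baseline.items()}
    alerts = []
    for e in events:
        known = seen.setdefault(e["principal"], set())
        if e["src_ip"] not in known:
            known.add(e["src_ip"])
            alerts.append({"rule": "new_source_ip", "principal": e["principal"],
                           "src_ip": e["src_ip"], "first_seen": e["ts"].isoformat()})
    return alerts


def detect_bulk_retrieval(events, max_tenants=3, window=timedelta(minutes=10)):
    """Alert when one principal successfully reads backups of more than
    max_tenants distinct tenants inside any sliding window of length `window`."""
    reads = defaultdict(list)
    for e in events:
        tenant = tenant_of(e["key"])
        if e["op"] == "GetObject" and e["status"] == 200 and tenant:
            reads[e["principal"]].append((e["ts"], tenant))
    alerts = []
    for principal, evs in reads.items():
        worst, worst_tenants, start = 0, set(), 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {t for _, t in evs[start:end + 1]}
            if len(distinct) > worst:
                worst, worst_tenants = len(distinct), distinct
        if worst > max_tenants:
            alerts.append({"rule": "bulk_backup_retrieval", "principal": principal,
                           "distinct_tenants": worst, "tenants": sorted(worst_tenants)})
    return alerts


def run_detections(log_text, baseline=BASELINE):
    """Run both checks over one log and return the combined alert list."""
    events = parse_log(log_text)
    return detect_new_sources(events, baseline) + detect_bulk_retrieval(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

The two rules are deliberately independent: the new-source check fires on the first call from 198.51.100.23 regardless of what it reads, and the bulk check fires on the five successful tenant reads inside ten minutes while ignoring both the earlier single restore and the denied request. Tune max_tenants to the number of tenants a legitimate support workflow touches, and keep the denied reads in a separate count, since a burst of 403s from a new address is itself worth an alert.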


Technical Details

Article Source
https://thehackernews.com/2025/11/sonicwall-confirms-state-sponsored.html (fetched 2025-11-06T05:53:10.769Z; 865 words)

Threat ID: 690c37c603d968117461108a

Added to database: 11/6/2025, 5:53:10 AM

Last enriched: 11/6/2025, 5:53:24 AM

Last updated: 11/6/2025, 8:13:59 AM


