Date of Incident:
September 2025
Overview:
In September 2025, SonicWall experienced a security incident affecting less than 5% of its firewall install base. Attackers gained unauthorized access to firewall configuration backup files through brute-force attacks on the company’s cloud API service, potentially exposing sensitive information such as credentials and tokens. No files were found leaked online, but the incident underscores weaknesses in API security. The impacted SonicWall client sector was ‘Others’; comparable companies include Fortinet and Cisco Systems. The attack techniques were mapped to MITRE ATT&CK, with brute force and unsecured credentials as the primary vectors.
Impact:
Firewall configuration backup files from MySonicWall accounts were exposed. Because these files contain sensitive information such as credentials and tokens, threat actors could use them to compromise affected SonicWall devices. Less than 5% of SonicWall’s firewall install base was impacted. No evidence of leaked files online was found. The attack involved brute-force attempts against the cloud backup API service.
Details:
The attackers performed brute-force attempts against SonicWall’s cloud API service responsible for firewall configuration backups stored via MySonicWall accounts. Mapped MITRE ATT&CK techniques are T1110 – Brute Force for initial access, T1003 – Credential Dumping for the potential exposure of credentials, and T1552 – Unsecured Credentials. Successful access yielded backup files containing firewall configurations, credentials, tokens, and possibly session cookies, affecting the integrity of device firewalls and the overall network security posture. IOCs include API access logs showing repeated authentication failures, the IP addresses associated with the brute-force attempts, and abnormal outbound API calls in logs. No leaked files have been found online, but logs reveal attempts to extract backup files. The proof-of-concept (PoC) behavior consists of repeated API calls to the backup endpoint with different credential guesses until encrypted configuration files are successfully extracted.
Remediation:
SonicWall advises immediate credential resets for all affected users and recommends enabling multifactor authentication (MFA) on MySonicWall accounts. Applying the latest vendor patches that reinforce API authentication rate limits and enhance backup file encryption is critical. Temporary mitigations include throttling API calls and disabling automated backup access until patch deployment. A strict monitoring regime for API traffic and anomaly detection on authentication attempts is also advised.
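As an added illustration of the log monitoring that the Details and Remediation sections call for (this is not code from SonicWall, FireCompass or the original post), the following Python snippet flags the IOC pattern described above, repeated authentication failures against the backup API followed by a successful backup request, over constructed log lines; the log format, field names, thresholds and IP addresses are assumptions for illustration.

```python
# Added example (not SonicWall's or FireCompass's code): flag brute-force
# patterns against a cloud backup API in constructed access-log lines.
# Log format, field names and thresholds are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source_ip account endpoint http_status"
SAMPLE_LOG = """\
2025-09-15T10:00:01Z 203.0.113.7 alice@example.net /api/backup/list 401
2025-09-15T10:00:02Z 203.0.113.7 alice@example.net /api/backup/list 401
2025-09-15T10:00:03Z 203.0.113.7 alice@example.net /api/backup/list 401
2025-09-15T10:00:04Z 203.0.113.7 alice@example.net /api/backup/list 401
2025-09-15T10:00:05Z 203.0.113.7 alice@example.net /api/backup/list 401
2025-09-15T10:00:06Z 203.0.113.7 alice@example.net /api/backup/list 200
2025-09-15T10:00:07Z 203.0.113.7 alice@example.net /api/backup/download 200
2025-09-15T10:05:00Z 198.51.100.9 bob@example.net /api/backup/list 401
2025-09-15T10:05:30Z 198.51.100.9 bob@example.net /api/backup/list 200
"""

FAIL_THRESHOLD = 5           # 401s from one source IP inside WINDOW
WINDOW = timedelta(minutes=1)


def parse(line):
    """Split one log line into (timestamp, ip, account, endpoint, status)."""
    ts, ip, account, endpoint, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, endpoint, int(status)


def detect_bruteforce(log_text):
    """Return alerts for (a) a burst of failures from one IP and
    (b) a successful backup-API request right after such a burst."""
    failures = defaultdict(list)  # ip -> timestamps of recent 401s
    alerts = []
    for raw in log_text.splitlines():
        ts, ip, account, endpoint, status = parse(raw)
        # keep only failures still inside the sliding window
        recent = [t for t in failures[ip] if ts - t <= WINDOW]
        if status == 401:
            recent.append(ts)
            if len(recent) == FAIL_THRESHOLD:
                alerts.append(("burst", ip, account))
        elif len(recent) >= FAIL_THRESHOLD and endpoint.startswith("/api/backup"):
            # credential guessing that ends in a successful backup access
            alerts.append(("success_after_burst", ip, account, endpoint))
            recent = []  # report once per burst
        failures[ip] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Bob's single failure followed by a success stays below the threshold and produces no alert, which keeps ordinary mistyped passwords out of the queue.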
Takeaway for CISO:
This incident highlights the risk of API vulnerabilities in cloud service backups that may lead to sensitive data exposure and potential network compromise. CISOs should prioritize securing API endpoints with MFA, rate limiting, and continuous monitoring to mitigate brute-force risks. Regularly reviewing backup access logs and enforcing strict credential management policies will mitigate impact in future incidents.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management.