SonicWall warns customers to reset credentials after breach

by CybrGPT

SonicWall warned customers today to reset credentials after their firewall configuration backup files were exposed in a security breach that impacted MySonicWall accounts.

After detecting the incident, SonicWall has cut off the attackers’ access to its systems and has been collaborating with cybersecurity and law enforcement agencies to investigate the attack’s impact.

“As part of our commitment to transparency, we are notifying you of an incident that exposed firewall configuration backup files stored in certain MySonicWall accounts,” the cybersecurity company said on Wednesday.

“Access to the exposed firewall configuration files contains information that could make exploitation of firewalls significantly easier for threat actors.”

The consequences of the incident could be dire, as these exposed backups might give threat actors access to sensitive information, such as credentials and tokens, for any or all services running on SonicWall devices on their networks.

SonicWall has also published detailed guidance to help administrators minimize the risk of an exposed firewall configuration being exploited to access their networks, reconfigure potentially compromised secrets and passwords, and detect possible threat activity within their network.

“The following checklist provides a structured approach to ensure all relevant passwords, keys, and secrets are updated consistently. Performing these steps helps maintain security and protect the integrity of your SonicWall environment. The critical items are listed first. All other credentials should be updated at your convenience,” the company cautioned.

“Please note that the passwords, shared secrets, and encryption keys configured in SonicOS may also need to be updated elsewhere, such as with the ISP, Dynamic DNS provider, email provider, remote IPSec VPN peer, or LDAP/RADIUS server, just to name a few.”

This guidance advises administrators to disable or restrict access to services on the device from the WAN before resetting credentials. They then need to reset all credentials, API keys, and authentication tokens used by users, VPN accounts, and services.

A complete list of the services whose credentials need to be reset because of the stolen configuration files is provided in SonicWall's Essential Credential Reset support bulletin.

BleepingComputer reached out to SonicWall with questions about the incident, but a response was not immediately available.

In August, SonicWall dismissed reports that the Akira ransomware gang was breaching Gen 7 firewalls with SSLVPN enabled using a potential zero-day exploit, stating that it was actually linked to CVE-2024-40766, a critical SSLVPN access control flaw in SonicOS that was patched in November 2024.

Last week, the company’s assessment was confirmed when the Australian Cyber Security Centre (ACSC) and cybersecurity firm Rapid7 reported that the Akira ransomware gang is now exploiting the CVE-2024-40766 vulnerability to compromise unpatched SonicWall devices.
