(TLP:CLEAR) WaterISAC Advisory – SonicWall Releases Advisory for Customers after Security Incident – 2025
Created: Wednesday, September 24, 2025 - 13:10
Categories: Cybersecurity
Summary: ACTION MAY BE REQUIRED for utilities using SonicWall Firewalls with preference files backed up in MySonicWall.com. Utilities that outsource technology support may want to consult with their service providers for assistance with remediation actions.
On Monday, SonicWall published a security advisory to help its customers protect systems impacted by the MySonicWall cloud backup file incident. SonicWall’s investigation found that a threat actor used a series of brute force techniques against the MySonicWall.com web portal to gain access to a subset of customers’ preference files stored in their cloud backups.
Analyst Note: According to SonicWall’s investigation, attackers gained access to approximately 5% of backup firewall preference files. The company warned that while credentials inside the files were encrypted, the files contained other information that threat actors could exploit to gain access to customers’ SonicWall Firewall devices.
The company added that it is not presently aware of these files being leaked online by threat actors. SonicWall also states that this was not a ransomware or similar event; rather, it was a series of brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors. SonicWall also released a video explaining the scope of the incident.
In a supplemental advisory released Monday, CISA urged customers to log into their accounts to determine whether their devices are at risk. SonicWall last week began an investigation related to the exposure of firewall configuration backup files, researchers at Arctic Wolf reported.
For more details, potentially impacted customers are encouraged to review the SonicWall support article.
Mitigation Recommendations:
SonicWall encourages logging in to your MySonicWall.com account, verifying whether cloud backups exist for your registered firewalls, and proceeding according to SonicWall’s action steps.
Original Source: https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330
Additional Reading:
- SonicWall customers warned about brute force attacks against cloud backup service
- SonicWall Releases Advisory for Customers after Security Incident
- (TLP:CLEAR) Mass Exploitation of SonicWall Firewalls, Suspected Zero-Day
Incident Reporting
WaterISAC encourages any members who have experienced malicious or suspicious activity to email an*****@*******ac.org, call 866-H2O-ISAC, or use the online confidential incident reporting form.