SonicWall VPNs Hit by Ransomware Campaign Affecting 5% of Firewalls

SonicWall has alerted users to a data compromise affecting cloud backups for “fewer than 5%” of its firewall install base. The company’s advisory warns of a targeted ransomware campaign against SonicWall devices, which security researchers from Arctic Wolf have been tracking since at least July 2025. Hackers used brute-force techniques against the MySonicWall.com web portal to gain access to customers’ preference files stored in their cloud backups.

These files contain sensitive information such as usernames and passwords for VPN access, other tokens, and configuration details for services running on SonicWall devices. Although no unencrypted data was found, the exposure of these files increases the risk of future exploitation.

SonicWall urges all customers to log in to their accounts and verify whether their devices are at risk. The company recommends resetting essential credentials and following other mitigation measures. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning of this vulnerability, which was also highlighted by Kudelski Security in a report.

It’s worth noting that SonicWall has dealt with similar issues before. Researchers warn of an uptick in ransomware activity targeting SonicWall firewalls through other vulnerabilities. The updated advisory now includes new indicators of compromise and guidance on updating firmware, resetting local user account passwords, and applying best practices to prevent further exploitation.

Source: https://cybernews.com/security/sonicwall-firewall-cloud-backups-breach