SonicWall Urges Urgent Credential Reset After Backup File Exposure

SonicWall urges customers to reset credentials after exposed backups risked unauthorized network access.

Written by Ken Underhill
Sep 19, 2025

SonicWall has issued an urgent advisory encouraging customers to reset all login credentials after researchers discovered that configuration backup files from MySonicWall were inadvertently exposed on public storage. 

These files contained encrypted passwords, pre-shared keys, and TLS certificates used by SonicOS appliances, creating the potential for threat actors to decrypt credentials and gain unauthorized access to organizational networks.

Scope and impact of the incident

On Sept. 17, SonicWall published a knowledge base article confirming that firewall configuration backup files in some MySonicWall accounts had been improperly accessible online. 

These configuration files often store sensitive elements such as user and group settings, VPN keys, DNS data, and SSL certificates. Past research shows that both ransomware groups and nation-state actors have leveraged exfiltrated configuration files to plan subsequent attacks.

While SonicWall has contained the exposure and is working with law enforcement, the company cautioned that organizations using its cloud backup feature should act quickly to prevent unauthorized access. 

Customers whose serial numbers were directly impacted now see an informational banner upon logging in to MySonicWall. For those without a listed serial number but who previously enabled cloud backups, additional guidance is forthcoming.

Containment measures

Lock down WAN-facing management

To reduce exposure before resetting passwords, SonicWall advises disabling all WAN-facing management services.

Administrators should turn off HTTP, HTTPS, and SSH access on WAN interfaces, disable SSL VPN and IPsec VPN services, block SNMP v3 to prevent unauthorized access, and restrict inbound NAT or access rules to trusted IP addresses.

For environments running SonicOS 6.5.5.1 or 7.3.0, a dynamic enforcement option can temporarily block accounts until new credentials are applied.

Credential reset and remediation

Administrators should also reset credentials as follows:

  • Reset all local user and administrator passwords and rebind TOTP-based authentication apps.
  • Rotate shared secrets for LDAP, RADIUS, and TACACS+ accounts, using SHA-256 hashing where applicable.
  • Replace all pre-shared keys for IPsec site-to-site tunnels and GroupVPN, ensuring remote gateways are updated.
  • Refresh WAN interface credentials (e.g., L2TP, PPPoE, PPTP, cellular) in coordination with ISPs.
  • Update encryption keys in the Global Management System (GMS) IPSec Management Tunnel mode.

Cloud integrations, including Dynamic DNS, Clearpass NAC, and email automation services, should also receive updated passwords. Organizations that receive new “preference files” from SonicWall must import them, then reconfigure any desired settings before creating a fresh backup.

Monitoring and ongoing defense

After remediation, administrators should re-enable services gradually, testing each with updated credentials. Continuous monitoring is essential:

  • Use Monitor → Logs → System Logs and Audit Logs to identify failed logins or abnormal configuration changes.
  • Export logs to CSV for detailed review, or forward data securely to SIEM tools via Syslog over TLS 1.2.
  • Audit SSH keys and automation scripts to ensure they reference only new credentials.

These steps help protect network perimeter defenses from exploitation of any previously exposed configuration data.
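As an added illustration of the log review described above (not code from the article or from SonicWall), the following Python script scans constructed key=value syslog lines for repeated failed administrator logins and for configuration changes made from outside a trusted administrative network; the field names, message text, and trusted address ranges are assumptions for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Trusted administrative networks (assumed values; substitute your own).
TRUSTED_ADMIN_NETS = [ip_network("10.0.0.0/8")]
FAILED_LOGIN_THRESHOLD = 3

# Constructed sample lines in a key=value syslog style; the field names and
# message text are assumptions for illustration, not captured SonicOS output.
SAMPLE_LOGS = """\
time="2025-09-18 02:14:05" msg="Administrator login denied" usr="admin" src=203.0.113.77:51234:X1
time="2025-09-18 02:14:06" msg="Administrator login denied" usr="admin" src=203.0.113.77:51236:X1
time="2025-09-18 02:14:07" msg="Administrator login denied" usr="admin" src=203.0.113.77:51238:X1
time="2025-09-18 02:15:00" msg="Administrator login allowed" usr="admin" src=10.0.0.5:50100:X0
time="2025-09-18 02:16:30" msg="Configuration changed" usr="admin" src=203.0.113.77:51300:X1
time="2025-09-18 02:17:00" msg="Configuration changed" usr="admin" src=10.0.0.5:50100:X0
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value syslog line into a dict (quoted values unquoted)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def source_ip(fields):
    """src is assumed to look like ip:port:iface; keep just the ip."""
    return fields.get("src", "").split(":")[0]

def is_trusted(ip):
    """True when ip falls inside one of the trusted admin networks."""
    try:
        return any(ip_address(ip) in net for net in TRUSTED_ADMIN_NETS)
    except ValueError:
        return False

def analyze(log_text):
    """Return findings: failed-login bursts and config changes from untrusted sources."""
    denied = Counter()
    findings = []
    for raw in log_text.splitlines():
        f = parse_line(raw)
        msg, usr, ip = f.get("msg", ""), f.get("usr", "?"), source_ip(f)
        if "login denied" in msg:
            denied[(usr, ip)] += 1
        elif "Configuration changed" in msg and not is_trusted(ip):
            findings.append(("config_change_untrusted_src", usr, ip, f.get("time")))
    for (usr, ip), n in denied.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("failed_login_burst", usr, ip, n))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
```

Running the script against the embedded sample lines reports one configuration change from an untrusted source and one burst of failed logins from the same address.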

Broader implications

This incident highlights the importance of securing cloud-managed firewall configurations and maintaining strict credential hygiene. 

Firewall backups often hold the keys to an enterprise’s network perimeter; their compromise can give adversaries insight into authentication methods, VPN access, and trusted integrations. 

Regularly rotating credentials, segmenting administrative access, and monitoring for suspicious authentication attempts can reduce risks from future exposures.

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
