TSI Advisory: Protecting Your Network After the SonicWall Cloud Breach
Christopher Souza | CEO
When your firewall vendor's own cloud infrastructure is compromised, the risk lands directly on your network perimeter. That is exactly what many organizations are facing after the September 2025 breach of SonicWall's MySonicWall cloud backup service. Complete firewall configuration backups, including credentials, network rules, and VPN settings, were accessed during an attack on SonicWall's systems.
Technical Support International (TSI) detected signs of this issue more than two weeks before SonicWall's public announcement and, in coordination with our security partner Arctic Wolf, provided evidence that helped confirm the breach. As a precaution, TSI temporarily disabled certain externally exposed firewall services, including SSL-VPN, to protect client environments. These early measures reduced immediate risk, but SonicWall's later confirmation showed that the exposure was broader than first reported: any organization that used the cloud configuration backup feature is potentially affected, which makes this one of the most serious firewall security events of 2025.
What Happened and Why It’s Important
SonicWall's investigation, conducted with assistance from Mandiant, determined that attackers gained access to the backup configuration files of every customer who used the cloud backup feature. These files contain sensitive data such as VPN configurations, access policies, and administrative credentials. The credentials inside the files are stored encrypted, but an attacker holding the files can attempt to decrypt them offline at leisure, and the rest of the configuration (interface addresses, VPN settings, user names, rule sets) is enough on its own to plan a highly targeted attack.
Soon after the disclosure, multiple cybersecurity firms observed active exploitation attempts against SonicWall SSL-VPN devices. The attackers were logging in with valid credentials rather than brute-forcing, which strongly suggests that the stolen backup data was already being weaponized. With a turnaround that fast, it is vital to act as soon as possible.
Recommended Immediate Actions
SonicWall’s breach requires direct and comprehensive action. TSI recommends that affected organizations prioritize the following steps immediately:
- Verify Exposure: Log into your MySonicWall portal and check whether your devices use the cloud backup feature. If they do, treat every secret in those configurations as compromised until proven otherwise.
- Reset All Credentials: Perform full password and key resets for firewall administrators, VPN users, API accounts, and any related services (including IPsec pre-shared keys, LDAP/RADIUS bind accounts, and SNMP community strings stored in the configuration). Re-provision MFA tokens as well, because one-time-password seeds stored in a backup are just as exposed as passwords.
- Rebuild Secure Configurations: Remove unnecessary local accounts, rename default administrators, and confirm that MFA is enforced on every login. Where possible, keep SSL-VPN access disabled until the secure reconfiguration is complete.
- Review Network Policies: Confirm that management interfaces (HTTPS, SSH) are not reachable from the public internet. Restrict administrative access to trusted IP ranges only.
- Apply Firmware Updates: Ensure your SonicWall devices are running the latest firmware recommended by the vendor, which addresses several disclosed vulnerabilities, including CVE-2024-40766, the SonicOS improper access control flaw that has been exploited in the wild.
- Monitor for Anomalies: Increase monitoring for unusual logins (valid credentials from unfamiliar addresses, many accounts from a single source, logins at odd hours), unexpected configuration changes, and unusual outbound data transfers. Log review and SIEM correlation are essential at this stage.
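The "Monitor for Anomalies" step above is the one that still matters after credentials have been rotated, because a stolen password that is used once before the reset looks like a perfectly valid login. The following script is an added example, not TSI's or SonicWall's code: it runs three simple detections over constructed sample log lines written in the key=value syslog style SonicWall firewalls emit. The message texts, field names, and the trusted address range are assumptions for illustration; check them against your own firmware's log catalogue before using anything like this in a SIEM.

```python
"""Flag stolen-credential use in SonicWall-style syslog: successful logins from
outside an allowlist, configuration changes from outside it, and many different
accounts authenticating from one source address."""
import shlex
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical allowlist: the only ranges that should reach admin or SSL-VPN
# logins once management access has been locked down (replace with your own).
TRUSTED_NETS = [ip_network("203.0.113.0/24")]

# Constructed sample lines. The key=value layout mirrors SonicWall syslog output,
# but the message strings are illustrative and the addresses are RFC 5737 test
# ranges; 192.0.2.77 plays the role of an attacker using valid credentials.
SAMPLE_LOGS = """\
time="2025-10-12 02:14:07" fw=198.51.100.1 msg="SSL VPN User login successful" usr=alice src=203.0.113.10
time="2025-10-12 02:15:11" fw=198.51.100.1 msg="SSL VPN User login successful" usr=alice src=192.0.2.77
time="2025-10-12 02:15:40" fw=198.51.100.1 msg="SSL VPN User login successful" usr=bob src=192.0.2.77
time="2025-10-12 02:16:02" fw=198.51.100.1 msg="SSL VPN User login successful" usr=carol src=192.0.2.77
time="2025-10-12 02:18:30" fw=198.51.100.1 msg="SSL VPN User login successful" usr=dave src=192.0.2.77
time="2025-10-12 02:20:15" fw=198.51.100.1 msg="Administrator login allowed" usr=admin src=192.0.2.77
time="2025-10-12 02:22:48" fw=198.51.100.1 msg="Config modified" usr=admin src=192.0.2.77
time="2025-10-12 09:01:00" fw=198.51.100.1 msg="SSL VPN User login successful" usr=erin src=203.0.113.44
"""


def parse_line(line):
    """Split one key=value syslog line into a dict; quoted values keep their spaces."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def is_trusted(src, trusted):
    """True when src parses as an IP address inside one of the trusted networks."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def analyze(log_text, trusted=TRUSTED_NETS, shared_threshold=3):
    """Return a list of findings; each is a dict with a 'rule' key."""
    findings = []
    users_by_src = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        msg = ev.get("msg", "").lower()
        usr, src = ev.get("usr"), ev.get("src")
        if not (usr and src):
            continue
        login_ok = "login successful" in msg or "login allowed" in msg
        if login_ok:
            users_by_src[src].add(usr)
            if not is_trusted(src, trusted):
                findings.append({"rule": "login_from_untrusted_source",
                                 "time": ev.get("time"), "usr": usr, "src": src})
        elif "config" in msg and not is_trusted(src, trusted):
            findings.append({"rule": "config_change_from_untrusted_source",
                             "time": ev.get("time"), "usr": usr, "src": src})
    # Credential stuffing with stolen backups shows up as many accounts, one origin.
    for src, users in users_by_src.items():
        if len(users) >= shared_threshold:
            findings.append({"rule": "many_accounts_one_source",
                             "src": src, "users": sorted(users)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
```

In the sample, five valid logins and one configuration change arrive from 192.0.2.77, and that one address authenticates as five different accounts within minutes; any one of those findings should trigger an immediate credential reset and a review of the firewall's change log. The thresholds and allowlist are deliberately simple so they can be tuned to your environment.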
TSI is already coordinating these steps for affected clients, performing credential resets and validation checks to restore security integrity. Remediation may take several hours depending on the complexity of your firewall and network configuration, but it is the only reliable way to prevent the stolen credentials from being reused for unauthorized access.
A Wider Lesson in Vendor Trust and Cloud Data Risk
This incident underscores a growing truth in cybersecurity: vendor-managed cloud services are part of your attack surface. Even trusted providers can become indirect entry points if their systems are breached. The SolarWinds compromise disclosed in 2020 offered a similar lesson: infiltrating a single trusted platform let the attack cascade across thousands of organizations. SonicWall's backup breach may not be as large in scale, but the impact mechanism is strikingly similar.
It is important to view this event not as a reason to abandon SonicWall, but as a signal to demand stronger transparency and better security practices from every vendor. SonicWall has taken commendable steps to investigate and communicate updates as new information emerges and vows to work with top-tier forensic partners to improve its defenses.
Contact Us Today: TSI Can Help
This breach shows that cybersecurity extends far beyond patching firmware or enforcing MFA. True network resilience requires a comprehensive approach: careful management of vendor-hosted services, verification of every access point, limiting the data you store in someone else's cloud, and maintaining local encrypted backups under your own control. By treating every system, including third-party managed components, as potentially vulnerable, organizations can better withstand even unexpected supply-chain events. Always expect the unexpected!
Thank you for taking the time to read our blog. As always, we’re here to help you implement these best practices. Whether you need full credential resets, firewall configuration reviews, or secure re-enablement of remote access services, our team is ready to guide you every step of the way. Contact TSI today to schedule your firewall security review and ensure your organization remains protected against evolving threats.
About Technical Support International
TSI is a 37-year-old cybersecurity (MSSP) and IT support (MSP) company specializing in helping DIB organizations address their NIST 800-171 and CMMC compliance obligations. As a CMMC-AB Registered Provider Organization (RPO), TSI offers a complete NIST 800-171 and CMMC support solution to guide our clients toward a successful certification audit and provide assurance that they are adhering to these expansive compliance requirements.