Stolen credentials, compromised backups – what companies need to know now
SonicWall has been hit by two security incidents. Since October 4, 2025, security researchers have been tracking targeted attacks on SonicWall SSL VPNs, in which cybercriminals are using stolen credentials to log into customer systems. At the same time, brute-force attacks have been launched against the MySonicWall customer portal—gaining access to cloud backups of firewalls. Both incidents highlight just how dangerous credential theft has become for networked systems.
Attacks on cloud backups
According to Huntress, over 100 SonicWall accounts across 16 customers have been compromised so far. The attackers used valid credentials to log in via SSL VPN interfaces. In some cases, no further activity followed the login; in others, the attackers performed network scans and compromised local Windows accounts. Of particular concern: cloud backups in the MySonicWall portal were also compromised, including firewall configurations and the login credentials stored in them.
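The pattern described above (a burst of failed logins from one source, then successful logins with valid credentials, sometimes for several accounts from the same source) is one that VPN authentication logs can reveal. The following is an added example written for this article, not code from SonicWall, Huntress or Advens. The log format is a constructed simplification (timestamp, event, user, source IP), not SonicWall's real syslog schema, and the sample lines and thresholds are assumptions chosen to illustrate the logic.

```python
"""Flag suspicious SSL VPN authentication activity in a log excerpt.

Added example for this article, not vendor code. The log format below is a
constructed simplification, not SonicWall's real syslog schema, and the
thresholds are assumptions a defender would tune to their own environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: six failures from one source in two minutes, then
# successful logins for three distinct accounts from that same source, and
# finally an unrelated, clean login from a different source later in the day.
SAMPLE_LOG = """\
2025-10-04T02:10:01Z auth_fail user=alice src=203.0.113.45
2025-10-04T02:10:03Z auth_fail user=alice src=203.0.113.45
2025-10-04T02:10:05Z auth_fail user=bob src=203.0.113.45
2025-10-04T02:10:07Z auth_fail user=bob src=203.0.113.45
2025-10-04T02:10:09Z auth_fail user=carol src=203.0.113.45
2025-10-04T02:10:11Z auth_fail user=carol src=203.0.113.45
2025-10-04T02:11:00Z auth_ok user=carol src=203.0.113.45
2025-10-04T02:11:30Z auth_ok user=dave src=203.0.113.45
2025-10-04T02:12:00Z auth_ok user=erin src=203.0.113.45
2025-10-04T08:15:00Z auth_ok user=alice src=198.51.100.7
"""

# Assumed thresholds (tune per environment).
FAIL_THRESHOLD = 5           # failures from one source within WINDOW -> brute force
ACCOUNT_THRESHOLD = 3        # distinct accounts logged in from one source within WINDOW
WINDOW = timedelta(minutes=10)


def parse(line):
    """Parse one constructed log line into a dict."""
    ts, event, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def analyze(log_text):
    """Return a list of (finding_type, source_ip, detail) tuples."""
    events = sorted(
        (parse(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    fails = defaultdict(list)      # src -> timestamps of failed logins
    successes = defaultdict(list)  # src -> (timestamp, user) of successful logins
    findings = []

    for e in events:
        src, now = e["src"], e["ts"]
        if e["event"] == "auth_fail":
            fails[src].append(now)
            recent = [t for t in fails[src] if now - t <= WINDOW]
            # Fire exactly once, when the threshold is first crossed.
            if len(recent) == FAIL_THRESHOLD:
                findings.append(("brute_force", src, now))
        elif e["event"] == "auth_ok":
            # A success shortly after a failure burst from the same source is the
            # classic sign of a guessed or stuffed credential.
            if any(now - t <= WINDOW for t in fails[src]):
                findings.append(("success_after_failures", src, e["user"]))
            successes[src].append((now, e["user"]))
            # One source successfully using several accounts in a short window
            # matches the "valid credentials, many accounts" pattern.
            recent_users = {u for t, u in successes[src] if now - t <= WINDOW}
            if len(recent_users) == ACCOUNT_THRESHOLD:
                findings.append(("multi_account_source", src, sorted(recent_users)))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Note that a login with stolen but valid credentials produces no failures at all, so the `success_after_failures` rule alone misses it; the `multi_account_source` rule and, in practice, a baseline of known source addresses per account are what catch the clean-login case the article describes.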
Risk to affected customers
Although the stored backups are encrypted using AES-256, once attackers have valid login credentials, they could potentially modify configurations or access sensitive data. Administrators should therefore check immediately to see if their accounts are affected—especially if cloud backups are enabled.
Recommended Immediate Actions
SonicWall strongly advises affected companies to:
- Reset login credentials immediately and prioritize internet-connected firewalls.
- Restrict or disable WAN access until the threat has been contained.
- Allow HTTP/HTTPS, SSH, VPN, and SNMP access only from within the network.
- Install SonicOS version 6.5.5.1 or 7.3.0, as these releases include security features designed to protect against compromised accounts.
Affected customers can also check the MySonicWall portal under "Product Management" → "Issue List" to see if their serial numbers are associated with the incidents.
Focus on Cloud Security
According to Advens’ Threat Status Report 2025, credential theft remains one of the most common attack vectors. Cloud portals and central management interfaces are particularly targeted. The SonicWall case demonstrates that organizations using cloud backups should not only rely on encryption but, above all, on multi-factor authentication, monitoring, and regular incident response tests.
Conclusion: Tighten your controls, rehearse your response
Recent incidents show that stolen credentials can bypass even strong encryption. Cloud backup solutions must therefore be secured consistently in line with zero-trust principles. Companies using MySonicWall should review their security architecture now and make sure that rapid incident response processes are in place and hold up under pressure, before attackers can act.