SonicWall Confirms Cloud Backup Breach Impacting Firewall Configuration Files
SonicWall has disclosed a security incident involving its MySonicWall cloud backup service, confirming that threat actors gained access to a subset of firewall configuration files. The company said that fewer than 5% of its firewall install base was affected, but acknowledged the potential severity of the breach.
The attack involved a series of brute force attempts targeting the MySonicWall.com portal, allowing unauthorized access to firewall preference files stored in cloud backups. While credentials within the files were encrypted, SonicWall warned that “the files also included information that could make it easier for attackers to potentially exploit the related firewall.”
Security researchers noted that these configuration files often contain DNS, log, and user/group settings — sensitive data that could be leveraged in future attacks. As Arctic Wolf researchers pointed out, “nation-state hackers and ransomware groups previously have exploited such information to conduct subsequent attacks.”
SonicWall emphasized that this was not a ransomware event, stating it was “a series of brute force attacks aimed at gaining access to the preference files stored in backup.” The company has terminated the unauthorized backup point and is working with cybersecurity partners and law enforcement to assess the full scope of the breach.
The Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert urging immediate action. “Customers with at-risk devices should implement the advisory’s containment and remediation guidance immediately,” the agency said.
SonicWall has published detailed guidance for users to determine if their firewall devices are affected. Impacted customers are advised to log in to their MySonicWall accounts, check for flagged serial numbers under the Product Management section, and follow the remediation steps, including credential resets and service reviews.
At present, there is no indication that the compromised files have been leaked online. However, the company stated that it will continue to monitor the situation and release further updates as necessary.