SonicWall Firewall configs stolen for all cloud backup customers

Information
  MySonicWall is an online customer portal used for managing product access, licensing, registration, firmware updates, support cases, and cloud backups of firewall configurations (.EXP files).

  SonicWall Firewall Cloud Backup is a service that backs up SonicWall firewall configuration to the cloud, allowing users to:

  • Automatically back up firewall configurations
  • Quickly restore configurations in case the device is damaged, reset, or replaced with a new firewall
  • Access data remotely via the MySonicWall account to manage backup files and update configurations.

Incident

  SonicWall has confirmed that all customers that used the company's cloud backup service are affected by the security breach last month.

  Previously, the vendor stated that the incident "exposed firewall configuration backup files stored in certain MySonicWall accounts," without sharing additional details.

  On September 17, the company warned customers to reset their MySonicWall account credentials to protect their firewall configuration backup files that could be potentially accessed by unauthorized actors who had breached its systems.

  SonicWall has completed its investigation, conducted in collaboration with the incident response firm Mandiant, into the scope of the recent cloud backup security incident. The investigation confirmed that an unauthorized party accessed firewall configuration backup files for all customers who have used SonicWall's cloud backup service.

  The exposed files contain AES-256-encrypted credentials and configuration data.

Recommendation

  To help administrators navigate the risk stemming from the breach, the company provided the essential steps of the reset procedure, which should cover all credentials, API keys, users' authentication tokens, VPN accounts, and services.

  Users can now check whether their devices are among the impacted ones by logging into MySonicWall and going to 'Product Management → Issue List'.

  If any action items are pending review there, users should follow the Essential Credential Reset steps, prioritizing active, internet-facing firewalls.

  The company provides a checklist "to ensure all relevant passwords, keys, and secrets are updated consistently." Critical actions refer to the following procedures:

  • resetting and updating passwords of all local users
  • resetting temporary access codes (TOTP) for local users
  • updating passwords on LDAP, RADIUS, or TACACS+ servers
  • updating the shared secret in all IPSec site-to-site and GroupVPN policies
  • updating the passwords used for any L2TP/PPPoE/PPTP WAN interfaces
  • resetting the Cloud Secure Edge (CSE) API key
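  The checklist above is easier to track across a fleet when each device's reset status is recorded per credential class. The following is an added example (not SonicWall tooling or code from the bulletin) that builds a prioritized work list: flagged devices first, internet-facing ones before the rest, and any reset completed before an assumed exposure cutoff date counted as still pending, since a secret rotated before the backups were exposed may itself be in the stolen files. The `Firewall` fields, the `CUTOFF` date and the sample fleet are constructed assumptions.

```python
# Added example: credential-reset work list for the six checklist items on this page.
# Not SonicWall code; device inventory, Issue List flag and cutoff date are constructed.
from dataclasses import dataclass, field
from datetime import date

# The six credential classes from the Essential Credential Reset checklist.
CHECKLIST = (
    "local user passwords",
    "local user TOTP codes",
    "LDAP/RADIUS/TACACS+ server passwords",
    "IPSec site-to-site and GroupVPN shared secrets",
    "L2TP/PPPoE/PPTP WAN interface passwords",
    "Cloud Secure Edge (CSE) API key",
)

@dataclass
class Firewall:
    name: str
    internet_facing: bool
    flagged_in_issue_list: bool                         # assumed: copied from the Issue List
    resets_done: dict = field(default_factory=dict)     # checklist item -> date reset completed

def pending_items(fw: Firewall, exposure_cutoff: date) -> list:
    """Items still open: never reset, or reset before the cutoff (so possibly re-exposed)."""
    return [item for item in CHECKLIST
            if fw.resets_done.get(item) is None or fw.resets_done[item] < exposure_cutoff]

def build_worklist(fleet, exposure_cutoff: date):
    """Return [(name, pending_items)] for flagged devices, internet-facing ones first."""
    flagged = [fw for fw in fleet if fw.flagged_in_issue_list]
    ordered = sorted(flagged, key=lambda fw: (not fw.internet_facing, fw.name))
    return [(fw.name, pending_items(fw, exposure_cutoff))
            for fw in ordered if pending_items(fw, exposure_cutoff)]

# Constructed sample fleet; CUTOFF is an assumed placeholder, not a date published by SonicWall.
CUTOFF = date(2025, 9, 17)
FLEET = [
    Firewall("branch-fw", False, True, {CHECKLIST[0]: date(2025, 9, 20)}),
    Firewall("edge-fw", True, True, {CHECKLIST[0]: date(2025, 9, 1), CHECKLIST[5]: date(2025, 10, 2)}),
    Firewall("lab-fw", True, False),          # not flagged in the Issue List: no action required
]

if __name__ == "__main__":
    for name, items in build_worklist(FLEET, CUTOFF):
        print(f"{name}: {len(items)} pending -> {', '.join(items)}")
```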

Security systems remain the important thing; keep monitoring them as usual.
For more information please contact
Email: sales@inetms.co.th
065 149 2822 (Ms.Suphatson)
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
061 387 9439 (Ms.Sirilak)
092 257 6902 (Ms.Narusorn)
063 197 7510 (Mr.Yanotai)
065 725 7405 (Ms.Nattharini)

References

Weekly Interesting CVE

Columns: No., CVE Name, Published Date, Last Update, Device/Application/OS Target, Attack Type, CVSS Severity Rating, Detail, Solution, Reference.

  1. CVE-2025-6388
     Published: 20/6/2025 | Last update: 3/10/2025
     Target: Spirit Framework for WordPress, all versions up to 1.2.14
     Attack type: Authentication Bypass
     CVSS severity rating: 9.8
     Detail: This vulnerability allows an attacker to gain immediate, passwordless administrative access. By knowing only the admin's username, the attacker can take full control of the website to steal data, install malware, or destroy the site.
     Solution: Update to version 1.2.15
     Reference: https://www.cvedetails.com/cve/CVE-2025-6388/

  2. CVE-2025-61679
     Published: 29/9/2025 | Last update: 6/10/2025
     Target: Anyquery version 0.4.3 and below
     Attack type: Authentication Bypass
     CVSS severity rating: 7.7
     Detail: This vulnerability allows an attacker, even with low privileges, to access the server (via localhost). They can leverage an unauthenticated HTTP server to run SQL commands.
     Solution: Update to version 0.4.4
     Reference: https://app.opencve.io/cve/CVE-2025-61679

  3. CVE-2025-11302
     Published: 4/10/2025 | Last update: 6/10/2025
     Target: Belkin F9K1015 version 1.00.10
     Attack type: Buffer Overflow
     CVSS severity rating: 8.8
     Detail: This is caused by the software processing the pinCode value without proper length checks, allowing overly long input to overflow into adjacent memory. An attacker can send specially crafted data via the pinCode parameter to cause the router to execute malicious code.
     Solution: Upgrade to the latest version
     Reference: https://app.opencve.io/cve/CVE-2025-11302

  4. CVE-2025-0130
     Published: 20/12/2024 | Last update: 5/10/2025
     Target: Palo Alto Networks PAN-OS with the Web Proxy feature enabled, versions prior to 11.2.5
     Attack type: Denial of Service
     CVSS severity rating: 7.5
     Detail: An unauthenticated attacker can send a specially crafted sequence of packets to the firewall, causing it to become unresponsive and reboot, which disrupts the network and leaves it unprotected during that time.
     Solution: Update to version 11.2.5
     Reference: https://app.opencve.io/cve/CVE-2025-0130

  5. CVE-2025-61733
     Published: 30/9/2025 | Last update: 3/10/2025
     Target: Apache Kylin versions 4.0.0 to 5.0.2
     Attack type: Authentication Bypass
     CVSS severity rating: 7.5
     Detail: The authentication mechanism in Apache Kylin contains a flaw in its handling process, allowing an attacker to bypass the configured username and password verification. As a result, an unauthenticated attacker can gain access to functions or data that should be restricted to authorized users only.
     Solution: Update to version 5.0.3
     Reference: https://app.opencve.io/cve/CVE-2025-61733


Malware News or Campaign IOC/IOA | EN

Columns: No, Campaign Name, Detection Date, Attack Type, Description, Mitigation/Remediation.

  1. EvilAI Malware Masquerades as AI Tools to Infiltrate Global Organizations
     Detection date: 29/09/2025
     Attack type: Social Engineering, Malware, Trojanized AI Tools
     Description: The EvilAI malware has been discovered disguising itself as popular AI tools and productivity applications such as AppSuite, PDF Editor, and Recipe Lister to trick users into installing it. It targets organizations across multiple sectors worldwide, including government, healthcare, technology, and retail. Notably, the malware is digitally signed using one-time shell companies, making it appear legitimate and helping it evade detection. Once installed, EvilAI scans the system, steals browser data, communicates with the attackers' command-and-control servers, and can deploy additional malicious payloads. It spreads through fake websites, malicious ads, and deceptive download links shared on social media. Researchers found that EvilAI is part of a larger attack network that shares infrastructure with other campaigns, such as BaoLoader.
     Mitigation/Remediation:
       • Limit software downloads to trusted and verified sources only
       • Implement multi-layered security systems
       • Verify digital signatures and software licenses before installation
       • Keep systems updated and conduct regular user security awareness training

Ref: Fake Microsoft Teams installers push Oyster malware via malvertising

14 October 2025
