Emergency Security Bulletin: Leakage of Firewall Configuration Data via MySonicWall Cloud Backups


By: RedLegg's Cyber Threat Intelligence Team

About:

The MySonicWall Cloud Backup File Incident exposed firewall configuration backups, leaking sensitive data such as keys, VPN settings, and credentials, raising the risk of targeted attacks.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

Leakage of Firewall Configuration Data via MySonicWall Cloud Backups


Identifier: MySonicWall Cloud Backup File Incident
Update: MySonicWall Cloud Backup File Incident Advisory

Description: An incident has been confirmed where firewall configuration backup files stored in certain MySonicWall accounts were exposed via unauthorized access. These configuration backups contain sensitive information that could make exploitation of the firewalls significantly easier for threat actors (for example, private keys, VPN configuration, passwords). SonicWall has terminated the unauthorized access point, is working with law enforcement and cybersecurity agencies, and is investigating the scope of the exposure. If your MySonicWall account has cloud backups enabled and your firewall serial number is listed in your account with an informational banner, your device may be impacted. The exposure increases risk of targeted attacks, credential abuse, or network compromise.

Mitigation Recommendation:

  • Immediately log into your MySonicWall account and check whether cloud backups are enabled. If they are, verify whether your firewall serial number is flagged as impacted.

  • Reset credentials for all local user accounts, especially those stored in backup/preference files, including passwords and TOTP bindings.

  • Update your firewall preferences file with the new version provided by SonicWall; the updated preferences file randomizes local user passwords and resets VPN keys and TOTP bindings.

  • Export your current firewall configuration to a local, secure backup and maintain "golden image" backups offline.

  • If operating in a high-availability setup, schedule the updates during a maintenance window, noting that importing the updated preferences will cause a reboot of the active firewall.

  • Limit access to cloud backup features or disable them if not needed.

  • Monitor firewall logs and account activity for unusual login attempts, credential change events, or configuration exports/backups.
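As an added illustration of the monitoring step above (example code written for this bulletin, not from RedLegg or SonicWall), the script below parses firewall syslog lines in the key=value style SonicOS emits and flags the event types worth reviewing after a backup exposure: failed and administrator logins, credential changes, and configuration exports. The log lines, message wording, serial number and addresses are constructed for the example; match the patterns to your own firmware's message text.

```python
import re
from collections import Counter

# Constructed sample lines in the key=value syslog style used by SonicOS.
# Serial number, addresses and message texts are made up for this example.
SAMPLE_LOG = """\
id=firewall sn=0017C5XXXXXX time="2025-09-18 03:12:41" fw=203.0.113.10 pri=4 msg="User login failed" usr="admin" src=198.51.100.7
id=firewall sn=0017C5XXXXXX time="2025-09-18 03:12:45" fw=203.0.113.10 pri=4 msg="User login failed" usr="admin" src=198.51.100.7
id=firewall sn=0017C5XXXXXX time="2025-09-18 03:13:02" fw=203.0.113.10 pri=6 msg="Administrator login allowed" usr="admin" src=198.51.100.7
id=firewall sn=0017C5XXXXXX time="2025-09-18 03:14:10" fw=203.0.113.10 pri=5 msg="Configuration exported" usr="admin" src=198.51.100.7
id=firewall sn=0017C5XXXXXX time="2025-09-18 09:00:00" fw=203.0.113.10 pri=6 msg="User password changed" usr="vpnuser1" src=10.0.0.5
id=firewall sn=0017C5XXXXXX time="2025-09-18 09:05:00" fw=203.0.113.10 pri=6 msg="Website accessed" src=10.0.0.9 dst=93.184.216.34
"""

# key=value pairs; values may be quoted (and contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value syslog line into a dict, unquoting quoted values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

# Message patterns to review after the exposure (wording is an assumption).
WATCH = {
    "failed_login": re.compile(r"login failed", re.I),
    "admin_login": re.compile(r"administrator login", re.I),
    "credential_change": re.compile(r"password changed|totp", re.I),
    "config_export": re.compile(r"configuration exported|preferences|backup", re.I),
}

def flag_events(log_text, failed_threshold=2):
    """Return (flagged events, sources with >= threshold failed logins)."""
    flagged, failures = [], Counter()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        msg = ev.get("msg", "")
        for category, pattern in WATCH.items():
            if pattern.search(msg):
                flagged.append((category, ev.get("time"), ev.get("usr"), ev.get("src"), msg))
                if category == "failed_login":
                    failures[ev.get("src")] += 1
    bursts = {src: n for src, n in failures.items() if n >= failed_threshold}
    return flagged, bursts

if __name__ == "__main__":
    events, bursts = flag_events(SAMPLE_LOG)
    for event in events:
        print(event)
    print("sources with repeated failed logins:", bursts)
```

In the sample, the failed logins followed within minutes by an admin login and a configuration export from the same external source is the sequence to escalate; a password change from an internal host is expected while the reset steps above are being carried out.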