Executive Summary
In October 2025, SonicWall confirmed that the breach of its MySonicWall cloud backup service, first disclosed in September 2025, was far more extensive than initially announced. Firewall configuration backup files were accessed for every customer who had used the cloud backup feature, not the fewer than 5% originally estimated. The files contain full firewall configurations: interface addressing, routing and NAT rules, VPN peers and policies, and the credentials used by the firewall (local administrators, directory and RADIUS bind accounts, VPN pre-shared keys, SNMP community strings). SonicWall has stated that credentials inside the files are encrypted, but the rest of the configuration is a detailed map of each protected network, and the encryption of a stored value does not remove the need to rotate it. SonicWall has not attributed the backup breach to the SonicOS and SMA vulnerabilities listed later on this page; those matter because an attacker holding a configuration knows exactly which management and SSL VPN interfaces to aim them at. The incident is a supply chain compromise in the strict sense: the attackers targeted vendor-managed infrastructure that customers had no choice but to trust, rather than the customers' own perimeters.
Attacks on a security vendor's own services expose downstream customer environments at scale: one compromised backup store yielded the configurations of an entire installed base. With regulators increasingly focused on third-party and ICT risk, organizations should treat vendor-held backups as sensitive data in their own right, subject to the same encryption, access control and monitoring requirements as the devices they describe, and should be prepared to rotate every secret a backup contains as soon as the vendor reports a compromise.
Why This Matters Now
The SonicWall breach shows how a compromise of vendor infrastructure cascades to its customers: the attackers never touched an enterprise perimeter, yet they obtained the data needed to plan attacks on every one of them. As threat actors increasingly go after trusted platforms and backup services, organizations need to know which of their secrets a vendor holds, verify how that vendor protects them, and keep a rehearsed procedure for rotating them.
Attack Path Analysis
SonicWall's public statements and the sources below do not give a detailed attack narrative, so the stages that follow are a reconstruction consistent with the public reporting, not confirmed findings. The attackers first gained unauthorized access to the cloud backup service itself, the vendor-managed component that every customer's firewall trusted to hold its configuration. From that foothold they were able to read backup files at scale, across customer boundaries, which implies that whatever isolation existed between tenants' backup sets did not stop a single compromised identity or component from enumerating all of them. The confirmed impact is the exposure of configuration backup files for every customer that used the service; the downstream risk is that those files give an attacker a map of each customer network and a set of (encrypted) credentials to work against, making targeted follow-on attacks against the firewalls, VPNs and directory services they describe considerably easier.
Kill Chain Progression
Initial Compromise
Description
Adversaries gained unauthorized access to SonicWall's cloud backup service. The sources cited on this page do not detail the access vector; compromised credentials, an API weakness or a third-party dependency are all plausible, and none should be assumed.
Related CVEs
Caveat: SonicWall has not attributed the cloud backup breach to any of these CVEs, and none of them affects the backup service itself. They are listed because they affect the SonicOS and SMA devices whose configurations were exposed, all three are reported as exploited in the wild, and a stolen configuration tells an attacker which devices run which firmware and where their management and SSL VPN interfaces are reachable.
CVE-2024-53704 (CVSS 9.8)
An improper authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.
Affected Products: SonicWall SonicOS 7.1.1-7058 and earlier, 7.1.2-7019, 8.0.0-8035
Exploit Status: exploited in the wild
CVE-2024-40766 (CVSS 9.3)
An improper access control vulnerability in SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and, in specific conditions, causing the firewall to crash.
Affected Products: SonicWall SonicOS Gen 5 and Gen 6 devices, and Gen 7 devices running SonicOS 7.0.1-5035 and older
Exploit Status: exploited in the wild
CVE-2023-44221 (CVSS 7.2)
A post-authentication command injection vulnerability in the SMA 100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as the 'nobody' user.
Affected Products: SonicWall SMA 100 Series (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v)
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Supply Chain Compromise (T1195)
Valid Accounts (T1078)
Data from Cloud Storage (T1530)
Data from Local System (T1005)
Exfiltration Over Alternative Protocol (T1048)
Impair Defenses (T1562)
Data Encrypted for Impact (T1486)
Of these, only the supply chain compromise and the collection of backup files from cloud storage are supported by the public reporting on this incident. Valid Accounts and the exfiltration technique are plausible inferences from the access pattern. Impair Defenses and Data Encrypted for Impact are not supported by any of the sources below and describe follow-on risk to customers rather than observed behaviour in this breach.
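The access pattern that distinguishes this breach from normal use of a backup service is one principal reading backup objects belonging to many tenants in a short window, where a legitimate restore touches a single tenant's objects. The following is an added example of that detection logic, not SonicWall's telemetry or tooling: the log format, field names, principal names, object-key layout and every record are constructed for illustration. It shows two complementary rules over the same events: a volume rule (many distinct tenants per principal per window) and a binding rule (a tenant-bound principal touching another tenant's objects) that catches the low-and-slow case the volume rule misses.

```python
"""Detect bulk and cross-tenant reads of backup objects in storage access logs.

Added example, not vendor code.  The log format below is constructed:
  <ISO-8601 timestamp> <principal> <operation> <object key>
and object keys follow a hypothetical <tenant-id>/<device-serial>/<file> layout.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log.  svc-backup-writer is the hypothetical
# service identity that uploads backups; portal-user-0003 is a customer user
# bound to tenant t-0003; api-token-7f3a is an unknown identity that sweeps
# every tenant's backups within a few seconds.
SAMPLE_LOG = """\
2025-09-15T02:10:04Z svc-backup-writer PUT t-0001/SN000001/2025-09-15.exp
2025-09-15T02:10:05Z svc-backup-writer PUT t-0002/SN000002/2025-09-15.exp
2025-09-15T09:31:10Z portal-user-0003 GET t-0003/SN000003/2025-09-14.exp
2025-09-15T14:00:01Z api-token-7f3a GET t-0001/SN000001/2025-09-15.exp
2025-09-15T14:00:01Z api-token-7f3a GET t-0002/SN000002/2025-09-15.exp
2025-09-15T14:00:02Z api-token-7f3a GET t-0003/SN000003/2025-09-14.exp
2025-09-15T14:00:02Z api-token-7f3a GET t-0004/SN000004/2025-09-13.exp
2025-09-15T14:00:03Z api-token-7f3a GET t-0005/SN000005/2025-09-15.exp
2025-09-15T14:00:03Z api-token-7f3a GET t-0006/SN000006/2025-09-15.exp
2025-09-15T16:45:00Z portal-user-0003 GET t-0004/SN000004/2025-09-13.exp
"""

# Constructed binding of customer-facing principals to the one tenant whose
# objects they may read.  Service identities and unknown tokens are absent.
PRINCIPAL_TENANT = {"portal-user-0003": "t-0003"}


def parse_log(text):
    """Parse the constructed log into (timestamp, principal, op, tenant, key)."""
    events = []
    for line in text.splitlines():
        ts, principal, op, key = line.split()
        tenant = key.split("/", 1)[0]
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       principal, op, tenant, key))
    return events


def detect_bulk_reads(events, window=timedelta(minutes=10), tenant_threshold=3):
    """Volume rule: return {principal: tenants} for every principal that read
    backups of more than tenant_threshold distinct tenants inside one window."""
    reads = defaultdict(list)
    for ts, principal, op, tenant, _key in events:
        if op == "GET":
            reads[principal].append((ts, tenant))
    alerts = {}
    for principal, items in reads.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it fits within `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            tenants = {t for _, t in items[start:end + 1]}
            if len(tenants) > tenant_threshold:
                alerts[principal] = alerts.get(principal, set()) | tenants
    return alerts


def detect_cross_tenant(events, bindings):
    """Binding rule: return (principal, tenant, key) for each read by a bound
    principal of an object outside its own tenant, regardless of volume."""
    hits = []
    for _ts, principal, op, tenant, key in events:
        if op == "GET" and principal in bindings and bindings[principal] != tenant:
            hits.append((principal, tenant, key))
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for p, tenants in detect_bulk_reads(evts).items():
        print(f"BULK READ  {p}: {len(tenants)} tenants in one window")
    for p, tenant, key in detect_cross_tenant(evts, PRINCIPAL_TENANT):
        print(f"CROSS-TENANT  {p} read {key} (bound to {PRINCIPAL_TENANT[p]}, touched {tenant})")
```

In production the binding rule is the more valuable of the two, because it only requires that the authorization model (which identity may read which tenant) be known to the log pipeline; a backup store where that mapping cannot be written down is one where cross-tenant reads cannot be detected either.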
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Implement Audit Trails for All System Components
Control ID: 10.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Protect Sensitive Data
Control ID: Data Pillar: Data Protection
NIS2 Directive – Cybersecurity Risk Management and Reporting
Control ID: Article 21
Sector Implications
Industry-specific impact of the breach, including operational, regulatory, and cloud security risks. In every sector the underlying exposure is the same: an attacker holding a firewall's configuration knows its addressing, its rule set, its VPN peers and which credentials to attack, so the consequences below differ mainly in the regulatory weight attached to the networks involved.
Financial Services
Exposed firewall configurations reveal the segmentation and VPN topology that financial institutions rely on for regulatory compliance, and the encrypted credentials they contain become targets for offline attack. Institutions with firewalls in the affected set should expect to demonstrate to regulators that every exposed secret was rotated and every exposed rule set reviewed.
Health Care / Life Sciences
Configuration exposure undermines the east-west segmentation that isolates patient data systems and medical devices from the rest of the network, and reveals the VPN and directory credentials that protect remote access to them. HIPAA risk analyses should treat the exposed configurations as a disclosed vulnerability of the network boundary.
Government Administration
Exposure of the firewall configurations of public-sector networks hands adversaries reconnaissance that would otherwise take sustained effort to gather, and weakens zero trust architectures whose policy boundaries are now documented in the attacker's hands.
Computer/Network Security
Service providers and security firms that back up client firewalls through the affected service face the largest rotation burden, since each exposed configuration describes a different client network, and must reassure clients that VPN credentials, shared secrets and management access for every affected device have been reset.
Sources
- SonicWall: 100% of Firewall Backups Were Breached (Dark Reading): https://www.darkreading.com/cyberattacks-data-breaches/sonicwall-100-firewall-backups-breached
- Product Notice: SSLVPN and SSH Vulnerability in SonicOS (SonicWall): https://www.sonicwall.com/support/notices/product-notice-sslvpn-and-ssh-vulnerability-in-sonicos/250107100311877
- More than 400 SonicWall firewall instances remain vulnerable to attack (Cybersecurity Dive): https://www.cybersecuritydive.com/news/445-sonicwall-firewall-vulnerable/740881/
- CISA Confirms Exploitation of SonicWall Vulnerabilities (Infosecurity Magazine): https://www.infosecurity-magazine.com/news/cisa-exploitation-sonicwall/
- Product Notice: Improper Access Control Vulnerability in SonicOS (SonicWall): https://www.sonicwall.com/support/knowledge-base/product-notice-improper-access-control-vulnerability-in-sonicos/240822062732757
- Ransomware gangs target SonicWall vulnerability (ThreatDown): https://www.threatdown.com/blog/ransomware-gangs-target-sonicwall-vulnerability/
- SonicWall breach hit every cloud backup customer, not 5% (The Register): https://www.theregister.com/2025/10/09/sonicwall_breach_hits_every_cloud/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applied to the backup infrastructure itself, CNSF controls map onto the reconstructed attack path as follows. Zero trust segmentation and east-west isolation address the step where one compromised identity or component was able to read every tenant's backup set; centralized visibility and anomaly detection address the absence of an alert on that mass read; egress enforcement addresses the exfiltration of the files. None of these controls would have prevented the initial access, and their value depends on the backup operator having a per-tenant authorization model that the controls can enforce.
Control: Zero Trust Segmentation
Mitigation: Enforces least privilege between tenants' backup sets so that a single identity cannot enumerate all of them.
Control: Multicloud Visibility & Control
Mitigation: Centralizes access logs from every storage location so that privilege elevation and unusual read volume are visible in one place.
Control: East-West Traffic Security
Mitigation: Blocks or alerts on movement between backup workloads and between tenant boundaries inside the backup platform.
Control: Threat Detection & Anomaly Response
Mitigation: Flags an identity reading backups across many tenants, or persisting in the environment, as an anomaly rather than routine traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents or flags bulk transfer of backup files out of the cloud environment.
Together these controls reduce the blast radius of a compromised component from the whole customer base to one tenant and shorten the time to detection and containment.
Impact at a Glance
Affected Business Functions
- Network Security
- Remote Access Services
- Data Protection
Estimated downtime: 7 days
Estimated loss: $500,000
Unauthorized access to firewall configuration backups containing encrypted credentials and complete network configurations, giving attackers the reconnaissance needed for targeted follow-on attacks against the affected firewalls, VPNs and directory services.
Recommended Actions
Key Takeaways & Next Steps
- If your firewalls used MySonicWall cloud backup, check the portal for flagged serial numbers and rotate every secret the exposed configuration contains (local administrator and user passwords, VPN pre-shared keys, LDAP/RADIUS bind credentials, SNMP community strings, dynamic DNS and wireless passphrases), not only the management password; treat encrypted values as exposed.
- Review the exposed rule sets and restrict management and SSL VPN access to known source addresses, and patch the SonicOS and SMA vulnerabilities listed above, since the attacker now knows which interfaces to target.
- Implement identity-driven zero trust segmentation to restrict access to sensitive backup and management services, in your own estate and as a requirement on vendors that hold your backups.
- Enforce strict east-west isolation between cloud tenants and backup sets so that one compromised identity cannot read another tenant's data.
- Operationalize centralized visibility across cloud providers with continuous anomaly detection, so that a single principal reading backups across many tenants raises an alert.
- Deploy egress policy enforcement and inline inspection to detect and block bulk unauthorized transfers out of cloud infrastructure.
- Automate incident response and policy updates through the security fabric to shorten detection and containment times.
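The first of these actions is the one affected customers will spend the most time on, and the hard part is enumerating what a configuration backup actually contains. The following is an added example of that inventory step, not SonicWall's tooling or guidance. It assumes the exported backup is a base64 blob that decodes to URL-form-encoded key=value pairs; the key names, the "ENC:" marker for encrypted values and the whole sample export are constructed for illustration and will not match a real device's field names, so KEY_PATTERNS must be adjusted to the backup you actually hold. What the example demonstrates is the method: decode, classify every key by the kind of secret it names, and produce a rotation list grouped by category, with any secret stored in the clear pulled to the front.

```python
"""Build a credential-rotation checklist from an exported firewall config.

Added example, not vendor code.  ASSUMPTION: the export is base64 text that
decodes to URL-form-encoded key=value pairs.  The key names, the "ENC:" prefix
marking encrypted values and the sample below are all constructed.
"""
import base64
import re
from urllib.parse import parse_qsl, urlencode

# Category -> regex over key names.  Encrypted values still go on the list:
# what decides rotation is what the secret protects, not how it was stored.
KEY_PATTERNS = {
    "local admin and user passwords":
        re.compile(r"(admin|user)\w*_?(pass|pwd|hash)", re.I),
    "VPN pre-shared keys":
        re.compile(r"(ipsec|vpn|l2tp|gvc)\w*_?(psk|shared|secret)", re.I),
    "directory and RADIUS bind credentials":
        re.compile(r"(ldap|radius|tacacs)\w*_?(bind|secret|pass)", re.I),
    "SNMP community strings":
        re.compile(r"snmp\w*community", re.I),
    "dynamic DNS and cloud service passwords":
        re.compile(r"(ddns|dyndns|cloud)\w*_?(pass|key|token)", re.I),
    "wireless passphrases":
        re.compile(r"(wlan|wifi|wireless)\w*_?(psk|passphrase|key)", re.I),
}

# Constructed sample: hypothetical settings as they might look once decoded.
# Values are placeholders; "ENC:" marks a value the (assumed) format encrypts.
_SAMPLE_PAIRS = [
    ("firewallName", "hq-edge-01"),
    ("adminPassword_0", "ENC:3fa1..."),
    ("userPassword_12", "ENC:9c0b..."),
    ("ipsecSharedSecret_branch1", "ENC:71d2..."),
    ("ldapBindPassword", "ENC:aa09..."),
    ("radiusSecret_0", "ENC:d34f..."),
    ("snmpCommunityString", "public"),          # stored in the clear
    ("ddnsPassword_0", "ENC:5e5e..."),
    ("wlanPsk_guest", "ENC:0b0b..."),
    ("interface_X1_ip", "203.0.113.10"),
    ("sslvpnPortalPort", "4433"),
]
SAMPLE_EXPORT = base64.b64encode(urlencode(_SAMPLE_PAIRS).encode()).decode()


def decode_export(blob):
    """base64 -> list of (key, value) pairs under the assumed export format."""
    raw = base64.b64decode(blob).decode("utf-8")
    return parse_qsl(raw, keep_blank_values=True)


def classify_secret(key):
    """Return the rotation category for a key, or None if it is not a secret."""
    for category, pattern in KEY_PATTERNS.items():
        if pattern.search(key):
            return category
    return None


def rotation_checklist(pairs):
    """Group every secret-bearing key by category, keys sorted within each."""
    checklist = {}
    for key, _value in pairs:
        category = classify_secret(key)
        if category:
            checklist.setdefault(category, []).append(key)
    return {c: sorted(keys) for c, keys in checklist.items()}


def cleartext_secrets(pairs):
    """Secrets whose stored value is not marked encrypted: rotate these first."""
    return [k for k, v in pairs if classify_secret(k) and not v.startswith("ENC:")]


if __name__ == "__main__":
    pairs = decode_export(SAMPLE_EXPORT)
    for key in cleartext_secrets(pairs):
        print(f"URGENT (stored in clear): {key}")
    for category, keys in rotation_checklist(pairs).items():
        print(f"{category}:")
        for key in keys:
            print(f"  rotate {key}")
```

Two design points carry over to real backups regardless of format. First, classification is by key name, not by value, because encrypted values are opaque and the rotation decision does not depend on them. Second, anything the classifier leaves out (here, interface addresses and port numbers) is not a secret but is still reconnaissance the attacker now holds, which is why the rule-set review in the second action above accompanies the rotation.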