Executive Summary
In September 2025, SonicWall, a network-security vendor, disclosed a breach of its MySonicWall cloud backup service. The company initially reported that fewer than 5% of customers were affected, but later confirmed that every customer who had used the cloud backup feature was affected. The exposed data consisted of firewall configuration export files, which contain network rules, VPN settings, administrative credentials and service authentication details (the credentials a firewall uses toward directory, authentication and similar back-end services). SonicWall stated that the files were encrypted. The practitioner's caveat is that possession of the file still gives an attacker a map of the network (rule base, addressing, VPN peers, which services are authenticated where), and encrypted secrets inside a file the attacker holds can be attacked offline, so the exposure materially raised the risk of targeted follow-on attacks against the affected networks. SonicWall advised affected customers to delete their existing cloud backups, reset all credentials held in the configuration, rotate shared secrets such as VPN pre-shared keys and service-account passwords, and switch to local backups. The incident shows how a vendor-operated convenience feature can become a single point of exposure for the secrets of every customer who uses it, and that secrets held in such a service need the same inventory, rotation and monitoring discipline as secrets held on-premises.
Why This Matters Now
The SonicWall breach is a concrete case of a growing pattern: organizations increasingly rely on vendor-hosted backup and management services for devices that hold network-wide secrets, and a compromise of that service exposes every tenant at once. It argues for treating such services as high-value targets in their own right: restrict and monitor access to them, keep an inventory of the secrets they hold so rotation can be fast and complete, audit them regularly, and rehearse the response before an incident forces it.
Attack Path Analysis
The kill chain below models this incident as a generic cloud compromise: initial access through a misconfigured or insufficiently protected cloud service, privilege escalation by manipulating IAM roles, lateral movement through the cloud environment, command and control, exfiltration, and an impact stage against cloud backups. What the incident summary above actually establishes is narrower: unauthorized access to the MySonicWall cloud backup service and retrieval of customers' encrypted firewall configuration files. The IAM manipulation, lateral movement and command-and-control stages are modelled, not confirmed, and the impact stage is the exposure of the backups rather than their encryption by the adversary; the files were already encrypted by SonicWall.
Kill Chain Progression
Initial Compromise
Description
Modelled as exploitation of a misconfigured or insufficiently protected public-facing cloud service. In this incident the service was SonicWall's MySonicWall cloud backup feature, and the outcome of the stage was unauthorized access to the encrypted firewall configuration exports it held; the specific weakness exploited is not described in the summary above.
Related CVEs
None of these CVEs was the vector in the SonicWall incident described above. They are listed as contemporaneous, actively exploited vulnerabilities in the same technique class (exploitation of public-facing applications), drawn from the sources at the end of this page.
CVE-2025-5777 (CitrixBleed 2)
CVSS 7.5 as listed here. An out-of-bounds memory read in Citrix NetScaler ADC and NetScaler Gateway appliances configured as a Gateway (VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. An unauthenticated request causes the appliance to return uninitialized memory, which can contain session tokens and login credentials and allows session hijacking of authenticated users.
Affected Products:
Citrix NetScaler ADC – 14.1 before 47.46, 13.1 before 59.19
Citrix NetScaler Gateway – 14.1 before 47.46, 13.1 before 59.19
Exploit Status: exploited in the wild
CVE-2025-53770 (ToolShell)
CVSS 9.8. Deserialization of untrusted data in on-premises Microsoft SharePoint Server that lets an unauthenticated attacker execute arbitrary code on the server. It was exploited as a zero-day in the 'ToolShell' attack chain before a patch was available, leading to full server compromise and data theft.
Affected Products:
Microsoft SharePoint Server – 2019, Subscription Edition
Exploit Status: exploited in the wild
CVE-2025-53771 (ToolShell, companion vulnerability)
CVSS 6.5. A spoofing vulnerability in on-premises Microsoft SharePoint Server caused by improper limitation of a pathname (path traversal). It does not give code execution on its own; in the ToolShell chain it is used alongside CVE-2025-53770 to reach the vulnerable code path without authentication. Both must be patched together.
Affected Products:
Microsoft SharePoint Server – 2019, Subscription Edition
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190): initial access to the cloud backup service.
Valid Accounts (T1078) and Cloud Accounts (T1078.004): use of legitimate or stolen credentials against the service, and the follow-on risk from the credentials contained in the exposed configurations.
Cloud Infrastructure Discovery (T1580): modelled stage.
Modify Cloud Compute Infrastructure (T1578): modelled stage.
Remote Services: Cloud Services (T1021.007): modelled lateral-movement stage.
Data from Cloud Storage (T1530): retrieval of customers' backup files, the one stage the incident summary confirms.
Data Destruction (T1485): modelled impact stage; not reported in the SonicWall incident.
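The following detection, added here as an example and not code from the original page or from SonicWall, runs over a constructed JSON-lines access log and flags an actor that retrieves backup objects belonging to many distinct tenants in a short window, the behaviour behind Data from Cloud Storage (T1530) in this incident. The log schema, the field names and the `backups/<tenant>/<file>` key layout are assumptions made for the example; real sources such as S3 server access logs or Azure Storage diagnostics carry the same information under other names.

```python
"""Detection for mass retrieval of per-tenant backup objects from a cloud
storage or backup-service access log (ATT&CK T1530, Data from Cloud Storage).

Added example; not code from the original page or from SonicWall.  The log
format is a constructed, simplified JSON-lines audit log with one record per
download attempt.  The signal is one actor successfully retrieving backups
that belong to many distinct tenants within a short window; a tenant admin
fetching their own backup touches exactly one tenant."""

import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: two legitimate tenant admins fetching their own backups,
# and one source address sweeping through many tenants' objects (one denied).
SAMPLE_LOG = """\
{"ts":"2025-09-10T01:55:10Z","principal":"admin@tenant-0001","src_ip":"198.51.100.20","key":"backups/tenant-0001/fw-hq.exp","status":200}
{"ts":"2025-09-10T01:58:42Z","principal":"admin@tenant-0003","src_ip":"198.51.100.77","key":"backups/tenant-0003/fw-branch.exp","status":200}
{"ts":"2025-09-10T02:00:01Z","principal":"api-client","src_ip":"203.0.113.7","key":"backups/tenant-0001/fw-hq.exp","status":200}
{"ts":"2025-09-10T02:00:03Z","principal":"api-client","src_ip":"203.0.113.7","key":"backups/tenant-0002/fw-main.exp","status":200}
{"ts":"2025-09-10T02:00:04Z","principal":"api-client","src_ip":"203.0.113.7","key":"backups/tenant-0003/fw-branch.exp","status":200}
{"ts":"2025-09-10T02:00:06Z","principal":"api-client","src_ip":"203.0.113.7","key":"backups/tenant-0004/fw-main.exp","status":403}
{"ts":"2025-09-10T02:00:07Z","principal":"api-client","src_ip":"203.0.113.7","key":"backups/tenant-0005/fw-main.exp","status":200}
{"ts":"2025-09-10T02:00:09Z","principal":"api-client","src_ip":"203.0.113.7","key":"backups/tenant-0006/fw-dc.exp","status":200}
{"ts":"2025-09-10T02:00:11Z","principal":"api-client","src_ip":"203.0.113.7","key":"backups/tenant-0007/fw-main.exp","status":200}
{"ts":"2025-09-10T02:30:00Z","principal":"admin@tenant-0001","src_ip":"198.51.100.20","key":"backups/tenant-0001/fw-hq.exp","status":200}
"""


def parse_log(text):
    """Parse JSON lines into event dicts with a datetime and a derived tenant id."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["tenant"] = rec["key"].split("/")[1]  # assumed layout: backups/<tenant>/<file>
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def _max_distinct_tenants(evs, window):
    """Sliding window over one actor's successful downloads (time-sorted):
    the largest number of distinct tenants touched inside any `window`."""
    best, best_span, start = 0, (None, None), 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        distinct = len({e["tenant"] for e in evs[start:end + 1]})
        if distinct > best:
            best, best_span = distinct, (evs[start]["ts"], evs[end]["ts"])
    return best, best_span


def detect_mass_backup_access(events, window=timedelta(minutes=10),
                              tenant_threshold=5, group_by="src_ip"):
    """Return one alert per actor (source IP by default, or principal) whose
    successful downloads cover >= tenant_threshold distinct tenants within
    `window`.  Denied requests are counted separately as a secondary signal."""
    success, denied = defaultdict(list), defaultdict(int)
    for e in events:
        if e["status"] == 200:
            success[e[group_by]].append(e)
        else:
            denied[e[group_by]] += 1
    alerts = []
    for actor, evs in success.items():
        count, (first, last) = _max_distinct_tenants(evs, window)
        if count >= tenant_threshold:
            alerts.append({"actor": actor, "tenants": count, "first": first,
                           "last": last, "denied": denied[actor]})
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_backup_access(parse_log(SAMPLE_LOG)):
        print(f'{alert["actor"]}: {alert["tenants"]} tenants between '
              f'{alert["first"]:%H:%M:%S} and {alert["last"]:%H:%M:%S}, '
              f'{alert["denied"]} denied')
```

Grouping by source IP catches an attacker who enumerates with many stolen credentials; grouping by principal catches a single compromised service account used from rotating addresses, so run both. The threshold and window are tuning knobs: a multi-tenant backup service normally has no legitimate client that fetches other tenants' objects, so even a low threshold produces few false positives.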
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of Public-Facing Applications
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
ISO/IEC 27017 – Access Control to Cloud Services
Control ID: 9.1.2
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Cloud compromises that target privileged accounts and directory-synchronized systems put banking infrastructure at risk and bear directly on PCI DSS and NYDFS 23 NYCRR 500 obligations; an exposed firewall configuration hands an attacker the rule base and VPN topology that protect cardholder-data environments.
Health Care / Life Sciences
Cloud ransomware and credential abuse threaten patient data across hybrid environments; egress-control failures that allow exfiltration of electronic protected health information are a HIPAA Security Rule failure as well as a reportable breach.
Information Technology/IT
Managed and IT service providers that administer many customers' firewalls are the highest-leverage targets: weak segmentation and unmonitored east-west traffic let one compromised management path reach multiple client environments at once.
Government Administration
Third-party compromise and misconfigured cloud services create national-security risk by exposing sensitive government data and the configurations of devices that front critical infrastructure.
Sources
- 2025 Cloud Threat Hunting and Defense Landscape (Recorded Future): https://www.recordedfuture.com/research/2025-cloud-threat-hunting-defense-landscape
- CISA warns hackers are actively exploiting critical CitrixBleed 2 (TechRadar): https://www.techradar.com/pro/security/cisa-warns-hackers-are-actively-exploiting-critical-citrixbleed-2
- We're witnessing an urgent and active threat - Microsoft SharePoint 'ToolShell' vulnerability is being attacked globally (Windows Central): https://www.windowscentral.com/software-apps/were-witnessing-an-urgent-and-active-threat-microsoft-sharepoint-toolshell-vulnerability-is-being-attacked-globally
- Tenable Research Finds Pervasive Cloud Misconfigurations Exposing Critical Data and Secrets (GlobeNewswire): https://www.globenewswire.com/news-release/2025/06/18/3101517/0/en/Tenable-Research-Finds-Pervasive-Cloud-Misconfigurations-Exposing-Critical-Data-and-Secrets.html/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident because the controls below would have constrained the modelled stages of the attack path: exploitation of a misconfigured or insufficiently protected cloud service, privilege escalation through IAM roles, lateral movement, command and control, exfiltration, and impact against cloud backups. These controls apply to the environment that hosts a backup service; a customer whose firewall configuration was exposed still has to rotate the secrets in it.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Enforces a default-deny, identity-aware policy in front of cloud services, so a misconfigured or over-exposed service is reachable only by the principals and networks explicitly allowed, constraining initial access.
Control: Zero Trust Segmentation
Mitigation: Limits what a principal can reach even after its IAM role has been manipulated, reducing the blast radius of privilege escalation rather than preventing the role change itself.
Control: East-West Traffic Security
Mitigation: Inspects and restricts traffic between cloud workloads, constraining lateral movement from the initially compromised service to other systems.
Control: Multicloud Visibility & Control
Mitigation: Provides a consolidated view of flows across clouds, so beaconing to command-and-control infrastructure can be detected and the responsible policy tightened.
Control: Egress Security & Policy Enforcement
Mitigation: Restricts outbound destinations by policy, constraining exfiltration of backup files and reducing the risk of data loss.
The adversary's ability to destroy or encrypt cloud backups (the impact stage modelled above; in the SonicWall incident the backups were exposed, not encrypted by the attacker) would likely be constrained, reducing the risk of data loss and operational disruption.
Impact at a Glance
Affected Business Functions
- Data Storage
- Identity and Access Management
- Backup and Recovery
Estimated downtime: 14 days
Estimated loss: $5,000,000
Data exposed: firewall configuration exports holding sensitive customer data, including personally identifiable information (PII) and authentication credentials (encrypted, per SonicWall).
Recommended Actions
Key Takeaways & Next Steps
- Follow SonicWall's own remediation first: delete existing MySonicWall cloud backups, reset every credential held in the firewall configuration, rotate shared secrets (VPN pre-shared keys and the service-account credentials the firewall uses), and move to local backups.
- Treat the exposed configuration as a reconnaissance document: review the rule base and VPN peer list it reveals and tighten anything an attacker could now target directly.
- Implement Zero Trust Segmentation to restrict lateral movement within the cloud environment.
- Enforce East-West Traffic Security to monitor and control internal traffic flows.
- Deploy Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- Utilize Multicloud Visibility & Control to detect and respond to anomalous activities across cloud platforms.
- Apply Inline IPS (Suricata) to identify and block known exploit patterns and malicious payloads; this addresses the listed CVEs (CitrixBleed 2, ToolShell), not the disclosure of backup files.
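The rotation step in SonicWall's guidance is where most of the work lies, and it is easy to get wrong: the two ends of a site-to-site VPN must receive the same new pre-shared key at the same time, while a key reused across several tunnels must be split into distinct ones, and no exposed value may be reissued. The planner below is an added example, not SonicWall's tooling and not a parser for the MySonicWall export format; the inventory it works on is a constructed, simplified list of the secret-bearing items such a configuration contains, and the field names, the tunnel pairing and the priority ranking are assumptions made for the example.

```python
"""Post-exposure secret rotation planner for a firewall configuration export.

Added example; not SonicWall's tooling and not the MySonicWall export schema.
INVENTORY is a constructed, simplified representation of the secret-bearing
items an exposed configuration contains.  The planner (1) finds secrets reused
across tunnels or devices, which widens the blast radius of one disclosure,
(2) orders rotation by the access each secret grants, (3) keeps the two ends
of one IPsec tunnel on the same new key, and (4) mints replacements with the
`secrets` module, never reissuing an exposed value."""

import secrets
import string
from collections import defaultdict

# Constructed inventory (assumed field names, not SonicWall's .exp format).
INVENTORY = [
    {"device": "fw-hq", "kind": "admin_user", "name": "admin", "secret": "Winter2024!"},
    {"device": "fw-hq", "kind": "ipsec_psk", "name": "vpn-to-branch", "tunnel": "hq-branch", "secret": "corp-psk-2019"},
    {"device": "fw-hq", "kind": "ipsec_psk", "name": "vpn-to-dc", "tunnel": "hq-dc", "secret": "corp-psk-2019"},
    {"device": "fw-branch", "kind": "ipsec_psk", "name": "vpn-to-hq", "tunnel": "hq-branch", "secret": "corp-psk-2019"},
    {"device": "fw-hq", "kind": "ldap_bind", "name": "svc-fw-ldap", "secret": "Ldap#Bind1"},
    {"device": "fw-hq", "kind": "radius_shared", "name": "radius-primary", "secret": "radius-secret"},
    {"device": "fw-hq", "kind": "snmp_community", "name": "ro", "secret": "public"},
    {"device": "fw-branch", "kind": "ddns", "name": "dyndns-acct", "secret": "ddnspass"},
]

# Assumed ranking: what the secret unlocks if the encryption is defeated.
PRIORITY = {"admin_user": 1, "ldap_bind": 1, "radius_shared": 2,
            "ipsec_psk": 2, "ddns": 3, "snmp_community": 3}


def generate_secret(kind, length=32):
    """CSPRNG-backed replacement with at least one lower, upper and digit.
    SNMP communities stay alphanumeric because many agents reject punctuation."""
    alphabet = string.ascii_letters + string.digits
    if kind != "snmp_community":
        alphabet += "!#%+-.:=@_"
    while True:
        s = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in s) and any(c.isupper() for c in s)
                and any(c.isdigit() for c in s)):
            return s


def find_reused_secrets(inventory):
    """Groups of 'device/kind/name' labels that share one secret value."""
    groups = defaultdict(list)
    for item in inventory:
        groups[item["secret"]].append(f'{item["device"]}/{item["kind"]}/{item["name"]}')
    return [labels for labels in groups.values() if len(labels) > 1]


def rotation_key(item):
    """Items that must receive the same new value: the two ends of one IPsec
    tunnel.  Everything else rotates independently, which also splits a PSK
    that was reused across different tunnels."""
    if item["kind"] == "ipsec_psk":
        return ("ipsec_psk", item["tunnel"])
    return (item["device"], item["kind"], item["name"])


def build_rotation_plan(inventory):
    """Ordered rotation plan: highest-impact and reused secrets first."""
    reuse_count = defaultdict(int)
    for item in inventory:
        reuse_count[item["secret"]] += 1
    old_values = {item["secret"] for item in inventory}
    new_by_key, plan = {}, []
    for item in inventory:
        key = rotation_key(item)
        if key not in new_by_key:
            candidate = generate_secret(item["kind"])
            while candidate in old_values:  # never reissue an exposed value
                candidate = generate_secret(item["kind"])
            new_by_key[key] = candidate
        plan.append({
            "device": item["device"], "kind": item["kind"], "name": item["name"],
            "priority": PRIORITY[item["kind"]],
            "reused": reuse_count[item["secret"]] > 1,
            "coordinate_with": key[1] if item["kind"] == "ipsec_psk" else None,
            "new_secret": new_by_key[key],
        })
    plan.sort(key=lambda p: (p["priority"], not p["reused"]))
    return plan


if __name__ == "__main__":
    for group in find_reused_secrets(INVENTORY):
        print("reused secret across:", ", ".join(group))
    for step in build_rotation_plan(INVENTORY):
        coord = f' (coordinate: tunnel {step["coordinate_with"]})' if step["coordinate_with"] else ""
        print(f'P{step["priority"]} {step["device"]}/{step["kind"]}/{step["name"]}{coord}')
```

The plan deliberately prints no secret values; new values should go straight into the devices (and the peer devices for tunnels) and a password manager, not into a log. Rotating the RADIUS and LDAP service credentials also requires changing them on the authentication server, so those steps are best scheduled with the identity team before the firewall side is touched.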