Executive Summary
In August 2025, Marquis Software Solutions, a Texas-based fintech firm serving over 700 banks and credit unions, experienced a ransomware attack. The breach was traced back to unauthorized access through its SonicWall firewall, leading to the exposure of sensitive data, including names, addresses, Social Security numbers, and financial account information of over 400,000 individuals associated with 74 financial institutions. The attackers exploited a known but unpatched vulnerability in SonicWall’s firewall software (CVE-2024-40766), allowing them to infiltrate Marquis's network and deploy ransomware. This incident underscores the critical importance of timely patch management and the potential risks associated with third-party service providers. (techradar.com)
The Marquis breach highlights the escalating trend of cyberattacks targeting supply chain vulnerabilities, emphasizing the need for organizations to scrutinize the security postures of their vendors. Additionally, it serves as a stark reminder of the consequences of delayed patching, as threat actors increasingly exploit known vulnerabilities to gain unauthorized access to sensitive data.
Why This Matters Now
The Marquis breach underscores the urgent need for organizations to prioritize timely patch management and to rigorously assess the security measures of their third-party vendors. As cyberattacks targeting supply chain vulnerabilities become more prevalent, businesses must adopt a proactive approach to safeguard sensitive data and maintain customer trust.
Attack Path Analysis
Attackers exploited a vulnerability in SonicWall's firewall to gain unauthorized access to Marquis's network and escalated privileges to reach sensitive data. They moved laterally within the network, established command and control channels, exfiltrated personal and financial information (the number of affected individuals is reported inconsistently: over 400,000 in the Executive Summary above, over 780,000 in other reporting), and deployed ransomware to encrypt critical systems, causing significant operational disruption.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited a known vulnerability in SonicWall's firewall (CVE-2024-40766) to gain unauthorized access to Marquis's network.
Related CVEs
CVE-2024-40766
CVSS 9.3. Improper access control in SonicWall SonicOS management access and SSLVPN, which can lead to unauthorized resource access and, under specific conditions, a firewall crash. This is the vulnerability tied to the Marquis intrusion above; it is an access-control flaw, not an unauthenticated remote code execution bug.
Affected Products:
SonicWall SonicOS – Gen 5, Gen 6, and Gen 7 (SonicOS 7.0.1-5035 and older)
Exploit Status:
exploited in the wild (listed in CISA's Known Exploited Vulnerabilities catalog)
CVE-2024-53704
CVSS 9.8. Improper authentication in the SonicOS SSLVPN authentication mechanism allows a remote unauthenticated attacker to bypass authentication; the public proof of concept hijacks active SSL VPN client sessions.
Affected Products:
SonicWall SonicOS – 7.1.x (7.1.1-7058 and older), 7.1.2-7019, 8.0.0-8035
Exploit Status:
exploited in the wild
CVE-2025-40601
CVSS 7.5. Stack-based buffer overflow in the SonicOS SSLVPN service allows an unauthenticated remote attacker to cause a denial of service by crashing the firewall.
Affected Products:
SonicWall SonicOS – Gen 7 and Gen 8
Exploit Status:
no public exploit (no in-the-wild exploitation reported per the techradar source below)
Only CVE-2024-40766 is tied to the Marquis breach on this page; the two later CVEs are listed for context as further SonicOS SSLVPN flaws in the same product line.
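The practical follow-up to an advisory like the ones above is checking an inventory of firewalls against the affected version list. The following is an added example, not code from SonicWall or from this page's sources: it parses Gen 7/Gen 8 SonicOS firmware strings of the form "7.1.1-7058" and matches them against the CVE-2024-53704 affected versions exactly as listed above. The hostnames and firmware versions in the sample inventory are constructed.

```python
"""Triage a SonicOS firmware inventory against the CVE-2024-53704 affected
versions listed on this page. Added example; the inventory is constructed."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Gen 7/Gen 8 firmware strings look like "7.1.1-7058": three dotted release
# fields followed by a build number after the hyphen.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_sonicos_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch, build), or None when the string is not in
    the Gen 7/Gen 8 format (Gen 6 strings such as "6.5.4.15-117n" differ)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch, build)


# Affected versions for CVE-2024-53704 as this page lists them:
#   7.1.x (7.1.1-7058 and older), 7.1.2-7019, 8.0.0-8035
AFFECTED_CEILING_71: Version = (7, 1, 1, 7058)   # any 7.1.x at or below this
AFFECTED_EXACT = {(7, 1, 2, 7019), (8, 0, 0, 8035)}  # listed builds, matched exactly


def is_affected_cve_2024_53704(version: Version) -> bool:
    """True when the parsed version falls inside the listed affected set."""
    major, minor, _, _ = version
    if (major, minor) == (7, 1) and version <= AFFECTED_CEILING_71:
        return True
    return version in AFFECTED_EXACT


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hostnames into 'affected', 'not_affected' and 'unparsed'.
    Unparsed entries need manual review rather than being assumed safe."""
    result: Dict[str, List[str]] = {"affected": [], "not_affected": [], "unparsed": []}
    for host, firmware in inventory.items():
        version = parse_sonicos_version(firmware)
        if version is None:
            result["unparsed"].append(host)
        elif is_affected_cve_2024_53704(version):
            result["affected"].append(host)
        else:
            result["not_affected"].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "fw-branch-01": "7.1.1-7058",     # ceiling of the 7.1.x range: affected
    "fw-branch-02": "7.1.1-7040",     # older 7.1.1 build: affected
    "fw-dc-01": "7.1.2-7019",         # exact listed build: affected
    "fw-dc-02": "7.1.3-7015",         # later 7.1.x release: not affected
    "fw-cloud-01": "8.0.0-8035",      # exact listed build: affected
    "fw-cloud-02": "8.0.0-8037",      # later 8.0.0 build: not affected
    "fw-legacy-01": "6.5.4.15-117n",  # Gen 6 format: unparsed, review by hand
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Two caveats for anyone adapting this: the 7.1.2 and 8.0.0 lines are matched on the single build each that the page lists, so a build between the listed one and the vendor's fixed build would be reported as not affected and the authoritative fixed versions should be taken from SonicWall's advisory; and "unparsed" is deliberately not treated as safe, because the Gen 5/Gen 6 devices that fall into that bucket are exactly the generations CVE-2024-40766 affects.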
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190) – the firewall exploitation described under Initial Compromise
Compromise Software Supply Chain (T1195.002) – from the original mapping; exploitation of a vendor firewall is better described by T1190 than by a software supply chain compromise
Valid Accounts (T1078)
Exploitation of Remote Services (T1210)
Data Encrypted for Impact (T1486)
Data from Cloud Storage (T1530)
Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change Control Processes
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Network and Environment Segmentation
Control ID: Pillar 3
NIS2 Directive – Supply Chain Security
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
FinTech breach via firewall vendor creates supply-chain liability concerns, requiring enhanced zero trust segmentation and egress security controls.
Computer/Network Security
The SonicWall lawsuit highlights vendor accountability risk for security product makers, and the need for customers to independently monitor traffic through and around those products rather than trusting the perimeter device alone.
Information Technology/IT
A breach through a third-party security device exposes lateral movement risk once the perimeter is crossed, making internal segmentation and anomaly detection necessary controls.
Legal Services
Marquis v. SonicWall raises the question of how breach liability is split between a customer and its security vendor when a known vulnerability is exploited; its outcome will inform compliance frameworks and vendor responsibility clauses in contracts.
Sources
- Marquis v. SonicWall Lawsuit Ups the Breach Blame Game – https://www.darkreading.com/cloud-security/marquis-sonicwall-lawsuit-breach-blame-game
- SonicWall tells customers to patch SonicOS flaw allowing hackers to crash firewalls – https://www.techradar.com/pro/security/sonicwall-tells-customers-to-patch-sonicos-flaw-allowing-hackers-to-crash-firewalls
- SonicWall confirms all of its cloud backup customers were affected by data breach – https://www.techradar.com/pro/security/sonicwall-confirms-every-cloud-backup-customer-was-hit-by-data-breach
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Implementing Aviatrix Zero Trust CNSF could have significantly constrained the attacker's ability to move laterally, escalate privileges, and exfiltrate data within Marquis's network, thereby reducing the overall impact of the breach.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix Zero Trust CNSF may not have prevented the initial exploitation of the firewall vulnerability, it could have limited the attacker's ability to exploit this access to move further into the network.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could have limited the attacker's ability to escalate privileges by enforcing strict access controls and minimizing trust relationships between systems.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could have restricted the attacker's lateral movement by monitoring and controlling internal traffic flows.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could have detected and disrupted command and control communications by providing comprehensive monitoring and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could have limited data exfiltration by controlling and monitoring outbound traffic.
While Aviatrix Zero Trust CNSF may not have entirely prevented the deployment of ransomware, it could have limited the spread and impact by isolating infected systems and restricting their communication with other parts of the network.
Impact at a Glance
Affected Business Functions
- Client Data Management
- Compliance Reporting
- Marketing Operations
Estimated downtime: 14 days
Estimated loss: $500,000
Data exposed: Personally Identifiable Information (PII) of customers from multiple banks and credit unions.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.
- Regularly update and patch all systems, including firewalls, to mitigate known vulnerabilities.
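The egress recommendation above is easiest to reason about as a default-deny policy evaluated over flow records, with a volume check layered on top because an allowlisted cloud destination can itself be used for exfiltration (the "Exfiltration to Cloud Storage" technique mapped earlier). The following is an added example, not Aviatrix's or Marquis's code: the allowlist, the flow records and the 50 MiB threshold are constructed, and the external addresses come from the RFC 5737 documentation ranges.

```python
"""Default-deny egress policy plus outbound-volume check over constructed
flow records. Added example; policy, flows and threshold are made up."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    src: str        # source address inside the network
    dst: str        # destination address
    dport: int      # destination port
    bytes_out: int  # bytes sent from src to dst in this record


# Constructed allowlist of (destination network, port); port None means any port.
# Internal east-west, one SaaS API endpoint (TEST-NET-3) and one resolver (TEST-NET-2).
EGRESS_ALLOW = [
    (ipaddress.ip_network("10.0.0.0/8"), None),
    (ipaddress.ip_network("203.0.113.10/32"), 443),
    (ipaddress.ip_network("198.51.100.0/24"), 53),
]

# Aggregate outbound volume per destination above which even allowed traffic is flagged.
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024


def is_allowed(flow: Flow) -> bool:
    """Default deny: a flow passes only if an allowlist entry matches both the
    destination network and, where one is specified, the destination port."""
    dst = ipaddress.ip_address(flow.dst)
    return any(
        dst in net and (port is None or port == flow.dport)
        for net, port in EGRESS_ALLOW
    )


def evaluate(flows: List[Flow]) -> Dict[str, List[str]]:
    """Return flows blocked by the policy and allowed destinations whose total
    outbound volume exceeds LARGE_TRANSFER_BYTES."""
    denied: List[str] = []
    volume: Dict[str, int] = defaultdict(int)
    for f in flows:
        if is_allowed(f):
            volume[f.dst] += f.bytes_out  # only permitted traffic actually leaves
        else:
            denied.append(f"{f.src} -> {f.dst}:{f.dport} ({f.bytes_out} B) denied")
    bulk = [
        f"{dst}: {total} B outbound exceeds {LARGE_TRANSFER_BYTES} B"
        for dst, total in volume.items()
        if total > LARGE_TRANSFER_BYTES
    ]
    return {"denied": denied, "bulk_transfer": bulk}


# Constructed flow records from one application server.
SAMPLE_FLOWS = [
    Flow("10.1.20.5", "10.1.30.8", 1433, 4_096),               # east-west DB query: allowed
    Flow("10.1.20.5", "198.51.100.7", 53, 512),                 # approved resolver: allowed
    Flow("10.1.20.5", "203.0.113.10", 443, 20 * 1024 * 1024),   # SaaS upload: allowed
    Flow("10.1.20.5", "203.0.113.10", 443, 100 * 1024 * 1024),  # same SaaS host, total now 120 MiB
    Flow("10.1.20.5", "192.0.2.55", 443, 8 * 1024 * 1024),      # unknown external host: denied
    Flow("10.1.20.5", "203.0.113.10", 22, 2_048),               # approved host, unapproved port: denied
]

if __name__ == "__main__":
    findings = evaluate(SAMPLE_FLOWS)
    for line in findings["denied"] + findings["bulk_transfer"]:
        print(line)
```

The point of keeping both checks is that the allowlist alone would have passed the 120 MiB push to the approved SaaS endpoint; the volume check is what surfaces it. In a real deployment the flow records would come from firewall or cloud flow logs and the threshold would be set from a baseline of normal traffic per destination rather than a fixed constant.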