CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

SonicWall MySonicWall Breach Exposes Firewall Configuration Files

First reported
Last updated
4 unique sources, 15 articles

Summary

Hide ▲

Marquis Software Solutions has **filed a lawsuit** against SonicWall, alleging **gross negligence and misrepresentation** in the handling of its MySonicWall cloud backup breach, which directly enabled a **ransomware attack** disrupting **780,000+ individuals** across 700+ U.S. banks and credit unions in August 2025. The lawsuit reveals that SonicWall introduced a **security gap via an API code change in February 2025**, allowing unauthorized access to firewall configuration backups—including AES-256-encrypted credentials and MFA scratch codes. Marquis, whose firewall was fully patched and MFA-enabled, confirms attackers exploited this stolen data to bypass defenses, contradicting earlier assumptions about unpatched devices. The breach exposed **personal and financial data** of Marquis’s clients, triggering **over 36 consumer class-action lawsuits** and prompting Marquis to seek damages, indemnification, and legal fees. The SonicWall incident began as a targeted compromise of its MySonicWall portal, initially reported in September 2025 as affecting fewer than 5% of customers but later revised to confirm **all cloud backup users** were impacted. Stolen configuration files—containing credentials, network topology, and encrypted secrets—fueled follow-on attacks, including the **Marquis ransomware breach** (January 2026 disclosure) and Akira ransomware campaigns abusing OTP seeds to bypass MFA. SonicWall collaborated with Mandiant to attribute the breach to **state-sponsored actors** and released remediation tools, but the Marquis lawsuit underscores the **long-tail risks** of exposed backup data, even post-containment. Over **950 unpatched SMA1000 appliances** remain exposed online, while CISA and SonicWall urge firmware updates, credential resets, and MFA enforcement. Legal experts note the case could set a precedent for **vendor liability**, as enterprises increasingly sue cybersecurity providers for contribution or negligence. The lawsuit also highlights the need for robust vendor due diligence and SLAs that address worst-case scenarios, including vendor-caused breaches. SonicWall may face further legal challenges from Marquis’s clients or regulatory actions if found liable for the downstream impact.

Timeline

  1. 17.12.2025 19:44 1 articles · 2mo ago

    SonicWall discloses SMA1000 zero-day attack chain with privilege escalation and RCE

    SonicWall warned of a zero-day attack chain targeting the SMA1000 Appliance Management Console (AMC), involving CVE-2025-40602 (medium-severity local privilege escalation) and CVE-2025-23006 (critical-severity pre-authentication deserialization). Attackers chained these flaws to execute arbitrary OS commands with root privileges under specific conditions. CVE-2025-23006 was patched in build version 12.4.3-02854 and higher (released January 22, 2025), but unpatched SMA1000 appliances remain at risk. Shadowserver tracks over 950 exposed SMA1000 devices online, heightening risks for enterprises, governments, and critical infrastructure. SonicWall PSIRT strongly advises upgrading to the latest hotfix release to address the vulnerabilities. This attack chain does not affect SSL-VPN services on SonicWall firewalls.

    Show sources
    Open in new tab
  2. 11.10.2025 16:30 1 articles · 4mo ago

    Over 100 SonicWall SSL VPN accounts compromised in widespread attack

    Over 100 SonicWall SSL VPN accounts across 16 customer accounts have been compromised. The compromised accounts were accessed rapidly, indicating the use of valid credentials rather than brute-forcing. The activity commenced on October 4, 2025, and originated from the IP address 202.155.8[.]73. In some cases, threat actors conducted network scanning and attempted to access local Windows accounts. Huntress has not found evidence linking this compromise to the previously reported breach of MySonicWall accounts.

    Show sources
    Open in new tab
  3. 09.10.2025 14:10 5 articles · 4mo ago

    SonicWall releases remediation tools and guidance for impacted customers

    SonicWall has advised organizations using the MySonicWall cloud configuration backup service to reset credentials, restrict WAN management, revoke external API keys, monitor logins, and enforce MFA. Organizations are also advised to consider the use of valid credentials rather than brute-forcing.

    Show sources
    Open in new tab
  4. 24.09.2025 16:00 1 articles · 5mo ago

    UNC6148 deploys OVERSTEP malware on SonicWall SMA devices

    The threat actor UNC6148 has been deploying the OVERSTEP malware, a previously unknown persistent backdoor/user-mode rootkit, to maintain persistent access, steal sensitive credentials, and conceal its own components. The malware modifies the appliance's boot process to evade detection and hide files and activity. UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on SonicWall SMA appliances. Potential vulnerabilities exploited by UNC6148 include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819.

    Show sources
    Open in new tab
  5. 23.09.2025 16:15 2 articles · 5mo ago

    SonicWall releases firmware update to remove rootkit malware from SMA 100 devices

    The OVERSTEP malware modifies the appliance's boot process to maintain persistent access, steal sensitive credentials, and conceal its own components. The malware allows attackers to remove log entries to evade detection and hide files and activity. UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on SonicWall SMA appliances. Potential vulnerabilities exploited by UNC6148 include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819. SonicWall has advised customers to look for signs of compromise, such as gaps or deletions in SMA logs, unexpected appliance reboots, persistent admin sessions, unauthorized configuration changes, and reoccurring access following patching or resets. CISA recommends upgrading firmware, replacing and rebuilding SMA 500v, resetting OTP bindings, enforcing MFA, resetting passwords, and replacing certificates with private keys stored on the appliance.

    Show sources
    Open in new tab
  6. 18.09.2025 17:12 3 articles · 5mo ago

    Akira ransomware group targets unpatched SonicWall devices

    Akira ransomware group bypasses MFA on SonicWall VPN accounts using previously stolen OTP seeds. The group employs Impacket SMB session setup requests, RDP logins, and Active Directory enumeration tools. They target Veeam Backup & Replication servers to extract and decrypt stored credentials. Additionally, the attackers employ BYOVD attacks to disable endpoint protection processes, allowing the ransomware to run without being blocked. This activity impacts devices running SonicOS 7.3.0, the recommended release for mitigating credential attacks.

    Show sources
    Open in new tab
  7. 17.09.2025 19:23 12 articles · 5mo ago

    SonicWall MySonicWall breach exposes firewall configuration files

    The breach affected all customers using the cloud backup service, with exposed files containing AES-256-encrypted credentials and configuration data. Users could verify impacted devices via the MySonicWall portal under 'Product Management → Issue List.' SonicWall initially reported fewer than 5% of customers were affected but later confirmed 100% of cloud backup users were compromised. *Update:* In **January 2026**, **Marquis Software Solutions**—a financial services provider to over 700 U.S. banks and credit unions—publicly attributed its **August 2025 ransomware breach** to threat actors exploiting the stolen configuration files. The attackers used extracted data (including credentials and network details) to circumvent Marquis’s firewall, debunking earlier theories that an unpatched SonicWall device was the initial vector. *New:* Marquis has now **filed a lawsuit** against SonicWall (February 2026), alleging **gross negligence and misrepresentation**. The complaint reveals SonicWall introduced the vulnerability via an **API code change in February 2025**, delayed disclosure by **three weeks**, and **withheld critical information** about the MFA bypass mechanism. The breach exposed **personal and financial data** of Marquis’s clients, impacting **over 780,000 individuals**, and led to **over 36 consumer class-action lawsuits** against the company. Marquis seeks damages, indemnification, and legal fees, marking the first **legal action** tied to the MySonicWall incident. Legal experts note the case could set a precedent for **vendor liability**, as enterprises increasingly sue cybersecurity providers for contribution or negligence. SonicWall may face further legal challenges from Marquis’s clients or regulatory actions if found liable for the downstream impact.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

EDR Killer Tool Abuses Revoked EnCase Kernel Driver

A custom EDR killer tool has been observed using a revoked but still valid EnCase kernel driver to disable 59 security tools. The attack involved breaching a network via compromised SonicWall SSL VPN credentials and exploiting the lack of multi-factor authentication (MFA). The tool terminates security processes using the driver's kernel-mode IOCTL interface, bypassing Windows protections like Protected Process Light (PPL). The intrusion is suspected to be related to ransomware activity, though the final payload was not deployed.

Open in new tab

Exploitation of Network Security Flaws by APT Actors

Multiple network security products, including those from Fortinet, SonicWall, Cisco, and WatchGuard, have been targeted by threat actors exploiting critical vulnerabilities. Cisco's AsyncOS flaw (CVE-2025-20393) is being exploited by a China-nexus APT group, UAT-9686, to deliver malware such as ReverseSSH and AquaPurge. SonicWall's SMA 100 series appliances are also being targeted through a combination of vulnerabilities to achieve unauthenticated remote code execution. These attacks highlight the increasing focus on network security products as entry points for deeper network infiltration.

Open in new tab

Marquis Software Solutions Ransomware Attack Exposes Data from 74 US Financial Institutions

Marquis Software Solutions, a financial software provider, suffered a ransomware attack on August 14, 2025, through a compromised SonicWall firewall. The breach impacted over 74 US banks and credit unions, exposing personal information of approximately 400,000 customers. The stolen data includes names, addresses, phone numbers, Social Security numbers, financial account information, and dates of birth. Marquis has since taken steps to enhance its security measures, but there is no evidence of data misuse or publication. The attack is suspected to be linked to the Akira ransomware gang, which has been targeting SonicWall VPN devices.

Open in new tab

Cyber Incident Affects Multiple London Councils

Multiple local authorities in London, including the Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council (WCC), are responding to a serious cybersecurity incident identified on Monday morning. The incident has impacted several systems, including phone lines, and both councils have notified the UK Information Commissioner’s Office (ICO) and are working with the National Cyber Security Centre (NCSC) on incident response. RBKC and WCC share IT systems and services, which may explain the simultaneous impact. Hammersmith and Fulham Council is also reportedly affected. RBKC confirmed that some data has been copied and taken away, potentially impacting historical data. The councils have invoked business continuity and emergency plans to ensure critical services are maintained, focusing on supporting the most vulnerable residents. RBKC's IT team worked throughout the night to implement mitigations. Additionally, Hackney Council raised internal cybersecurity threat levels to 'critical' and warned staff about phishing attacks, despite not being directly affected by this incident. RBKC expects at least two weeks of continued disruption as they bring services back online. Westminster City Council confirmed the disruption would last for several weeks, though most services are still running. Hammersmith and Fulham Council has taken steps to isolate and safeguard its networks, with some systems still unavailable.

Open in new tab

Sensitive Data Exposed via Publicly Accessible Code-Formatting Tools

Over 80,000 JSON snippets containing sensitive credentials, authentication keys, and configuration data from organizations in critical sectors were exposed through the Recent Links feature of JSONFormatter and CodeBeautify. The data, totaling over 5GB, included Active Directory credentials, database and cloud credentials, private keys, CI/CD secrets, payment gateway keys, API tokens, SSH session recordings, and personally identifiable information (PII). Researchers found that threat actors actively scanned and accessed this exposed data, with some organizations failing to remediate the issue. The exposed data impacted sectors such as government, banking, healthcare, and cybersecurity, with some credentials linked to major financial exchanges and managed security service providers (MSSPs). The Recent Links feature, which lacks access controls, allows anyone to scrape the data using predictable URLs. Researchers also set up a honeypot to confirm that threat actors were actively scanning for sensitive information, with access attempts recorded even after the links had expired. Both JSONFormatter and CodeBeautify have temporarily disabled the save functionality in response to the research, claiming they are working on enhanced NSFW content prevention measures.

Open in new tab