CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

SonicWall MySonicWall Breach Exposes Firewall Configuration Files

First reported
Last updated
4 unique sources, 13 articles

Summary

Hide ▲

SonicWall’s MySonicWall cloud backup breach—initially disclosed in September 2025—has now been directly linked to downstream ransomware attacks, including a high-impact incident at Marquis Software Solutions. In January 2026, Marquis confirmed that its August 2025 ransomware breach, which disrupted services for over 700 U.S. banks and credit unions, stemmed from attackers exploiting firewall configuration files stolen from SonicWall’s compromised cloud backup service. The threat actors bypassed Marquis’ firewall using credentials and network topology details extracted from the backup files, contradicting earlier theories that unpatched SonicWall devices were the initial attack vector. Marquis is pursuing recoupment of response costs from SonicWall, citing the breach as a root cause. The original SonicWall incident began as a targeted compromise of its MySonicWall portal, initially reported to affect fewer than 5% of cloud backup users but later revised to confirm *all* customers using the service had configuration files accessed. These files contained AES-256-encrypted credentials and device settings, enabling follow-on attacks. While SonicWall collaborated with Mandiant to attribute the breach to state-sponsored actors and released remediation tools, the Marquis case marks the first public confirmation of the stolen data being weaponized in a large-scale ransomware campaign. Earlier waves of exploitation included Akira ransomware abusing stolen OTP seeds to bypass MFA on SonicWall VPNs and UNC6148 deploying OVERSTEP malware on SMA 100 series devices. Over 950 unpatched SMA1000 appliances remain exposed online, heightening risks for enterprises and critical infrastructure. SonicWall continues to urge firmware updates, credential resets, and MFA enforcement, though the Marquis incident underscores the long-tail risks of exposed configuration data even after initial containment.

Timeline

  1. 17.12.2025 19:44 1 articles · 1mo ago

    SonicWall discloses SMA1000 zero-day attack chain with privilege escalation and RCE

    SonicWall warned of a zero-day attack chain targeting the SMA1000 Appliance Management Console (AMC), involving CVE-2025-40602 (medium-severity local privilege escalation) and CVE-2025-23006 (critical-severity pre-authentication deserialization). Attackers chained these flaws to execute arbitrary OS commands with root privileges under specific conditions. CVE-2025-23006 was patched in build version 12.4.3-02854 and higher (released January 22, 2025), but unpatched SMA1000 appliances remain at risk. Shadowserver tracks over 950 exposed SMA1000 devices online, heightening risks for enterprises, governments, and critical infrastructure. SonicWall PSIRT strongly advises upgrading to the latest hotfix release to address the vulnerabilities. This attack chain does not affect SSL-VPN services on SonicWall firewalls.

    Show sources
    Open in new tab
  2. 11.10.2025 16:30 1 articles · 3mo ago

    Over 100 SonicWall SSL VPN accounts compromised in widespread attack

    Over 100 SonicWall SSL VPN accounts across 16 customer accounts have been compromised. The compromised accounts were accessed rapidly, indicating the use of valid credentials rather than brute-forcing. The activity commenced on October 4, 2025, and originated from the IP address 202.155.8[.]73. In some cases, threat actors conducted network scanning and attempted to access local Windows accounts. Huntress has not found evidence linking this compromise to the previously reported breach of MySonicWall accounts.

    Show sources
    Open in new tab
  3. 09.10.2025 14:10 5 articles · 3mo ago

    SonicWall releases remediation tools and guidance for impacted customers

    SonicWall has advised organizations using the MySonicWall cloud configuration backup service to reset credentials, restrict WAN management, revoke external API keys, monitor logins, and enforce MFA. Organizations are also advised to consider the use of valid credentials rather than brute-forcing.

    Show sources
    Open in new tab
  4. 24.09.2025 16:00 1 articles · 4mo ago

    UNC6148 deploys OVERSTEP malware on SonicWall SMA devices

    The threat actor UNC6148 has been deploying the OVERSTEP malware, a previously unknown persistent backdoor/user-mode rootkit, to maintain persistent access, steal sensitive credentials, and conceal its own components. The malware modifies the appliance's boot process to evade detection and hide files and activity. UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on SonicWall SMA appliances. Potential vulnerabilities exploited by UNC6148 include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819.

    Show sources
    Open in new tab
  5. 23.09.2025 16:15 2 articles · 4mo ago

    SonicWall releases firmware update to remove rootkit malware from SMA 100 devices

    The OVERSTEP malware modifies the appliance's boot process to maintain persistent access, steal sensitive credentials, and conceal its own components. The malware allows attackers to remove log entries to evade detection and hide files and activity. UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on SonicWall SMA appliances. Potential vulnerabilities exploited by UNC6148 include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819. SonicWall has advised customers to look for signs of compromise, such as gaps or deletions in SMA logs, unexpected appliance reboots, persistent admin sessions, unauthorized configuration changes, and reoccurring access following patching or resets. CISA recommends upgrading firmware, replacing and rebuilding SMA 500v, resetting OTP bindings, enforcing MFA, resetting passwords, and replacing certificates with private keys stored on the appliance.

    Show sources
    Open in new tab
  6. 18.09.2025 17:12 3 articles · 4mo ago

    Akira ransomware group targets unpatched SonicWall devices

    Akira ransomware group bypasses MFA on SonicWall VPN accounts using previously stolen OTP seeds. The group employs Impacket SMB session setup requests, RDP logins, and Active Directory enumeration tools. They target Veeam Backup & Replication servers to extract and decrypt stored credentials. Additionally, the attackers employ BYOVD attacks to disable endpoint protection processes, allowing the ransomware to run without being blocked. This activity impacts devices running SonicOS 7.3.0, the recommended release for mitigating credential attacks.

    Show sources
    Open in new tab
  7. 17.09.2025 19:23 10 articles · 4mo ago

    SonicWall MySonicWall breach exposes firewall configuration files

    The breach affected all customers using the cloud backup service, with exposed files containing AES-256-encrypted credentials and configuration data. Users could verify impacted devices via the MySonicWall portal under 'Product Management → Issue List.' SonicWall initially reported fewer than 5% of customers were affected but later confirmed 100% of cloud backup users were compromised. *Update:* In January 2026, **Marquis Software Solutions**—a financial services provider to over 700 U.S. banks and credit unions—publicly attributed its **August 2025 ransomware breach** to threat actors exploiting the stolen configuration files. The attackers used extracted data (including credentials and network details) to circumvent Marquis’ firewall, debunking earlier theories that an unpatched SonicWall device was the initial vector. Marquis is now evaluating legal action against SonicWall to recoup incident response costs, marking the first confirmed case of the breach enabling a large-scale ransomware campaign.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Exploitation of Network Security Flaws by APT Actors

Multiple network security products, including those from Fortinet, SonicWall, Cisco, and WatchGuard, have been targeted by threat actors exploiting critical vulnerabilities. Cisco's AsyncOS flaw (CVE-2025-20393) is being exploited by a China-nexus APT group, UAT-9686, to deliver malware such as ReverseSSH and AquaPurge. SonicWall's SMA 100 series appliances are also being targeted through a combination of vulnerabilities to achieve unauthenticated remote code execution. These attacks highlight the increasing focus on network security products as entry points for deeper network infiltration.

Open in new tab

Marquis Software Solutions Ransomware Attack Exposes Data from 74 US Financial Institutions

Marquis Software Solutions, a financial software provider, suffered a ransomware attack on August 14, 2025, through a compromised SonicWall firewall. The breach impacted over 74 US banks and credit unions, exposing personal information of approximately 400,000 customers. The stolen data includes names, addresses, phone numbers, Social Security numbers, financial account information, and dates of birth. Marquis has since taken steps to enhance its security measures, but there is no evidence of data misuse or publication. The attack is suspected to be linked to the Akira ransomware gang, which has been targeting SonicWall VPN devices.

Open in new tab

Cyber Incident Affects Multiple London Councils

Multiple local authorities in London, including the Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council (WCC), are responding to a serious cybersecurity incident identified on Monday morning. The incident has impacted several systems, including phone lines, and both councils have notified the UK Information Commissioner’s Office (ICO) and are working with the National Cyber Security Centre (NCSC) on incident response. RBKC and WCC share IT systems and services, which may explain the simultaneous impact. Hammersmith and Fulham Council is also reportedly affected. RBKC confirmed that some data has been copied and taken away, potentially impacting historical data. The councils have invoked business continuity and emergency plans to ensure critical services are maintained, focusing on supporting the most vulnerable residents. RBKC's IT team worked throughout the night to implement mitigations. Additionally, Hackney Council raised internal cybersecurity threat levels to 'critical' and warned staff about phishing attacks, despite not being directly affected by this incident. RBKC expects at least two weeks of continued disruption as they bring services back online. Westminster City Council confirmed the disruption would last for several weeks, though most services are still running. Hammersmith and Fulham Council has taken steps to isolate and safeguard its networks, with some systems still unavailable.

Open in new tab

Sensitive Data Exposed via Publicly Accessible Code-Formatting Tools

Over 80,000 JSON snippets containing sensitive credentials, authentication keys, and configuration data from organizations in critical sectors were exposed through the Recent Links feature of JSONFormatter and CodeBeautify. The data, totaling over 5GB, included Active Directory credentials, database and cloud credentials, private keys, CI/CD secrets, payment gateway keys, API tokens, SSH session recordings, and personally identifiable information (PII). Researchers found that threat actors actively scanned and accessed this exposed data, with some organizations failing to remediate the issue. The exposed data impacted sectors such as government, banking, healthcare, and cybersecurity, with some credentials linked to major financial exchanges and managed security service providers (MSSPs). The Recent Links feature, which lacks access controls, allows anyone to scrape the data using predictable URLs. Researchers also set up a honeypot to confirm that threat actors were actively scanning for sensitive information, with access attempts recorded even after the links had expired. Both JSONFormatter and CodeBeautify have temporarily disabled the save functionality in response to the research, claiming they are working on enhanced NSFW content prevention measures.

Open in new tab

Fortinet FortiWeb Vulnerabilities Exploited in the Wild

Fortinet has disclosed a new medium-severity vulnerability (CVE-2025-58034) in FortiWeb, which is being actively exploited. This vulnerability, with a CVSS score of 6.7, allows authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands. The flaw was patched in version 8.0.2. Additionally, Fortinet silently patched another critical FortiWeb vulnerability (CVE-2025-64446, CVSS score: 9.1) in the same version. Exploitation campaigns have been observed chaining these vulnerabilities to facilitate authentication bypass and command injection. Fortinet's handling of these disclosures has been criticized for its delayed and fragmented approach. This development highlights the ongoing risks associated with unpatched vulnerabilities in network security appliances and the importance of timely and transparent disclosure practices.

Open in new tab