Marquis Ransomware Breach: When Third-Party Vendors Become the Weakest Link in Financial Services

A comprehensive analysis of the August 2025 attack that exposed nearly 800,000 bank and credit union customers

Executive Summary

In August 2025, Marquis Software Solutions, a Texas-based financial technology vendor serving over 700 banks and credit unions, fell victim to a sophisticated ransomware attack that compromised the personal and financial information of approximately 788,000 customers. The breach occurred on August 14, 2025, when attackers exploited a vulnerability in the company's SonicWall firewall to gain unauthorized access to sensitive customer data. This incident serves as a stark reminder of the systemic risks posed by third-party vendor concentration in the financial services sector.

The Breach Timeline

August 14, 2025: Attackers breach Marquis Software Solutions' network through a SonicWall firewall vulnerability
Same Day: Company detects suspicious activity and takes affected systems offline
October 27, 2025: Financial institutions begin receiving breach notifications
Late November/Early December 2025: Public disclosure through Attorney General filings in multiple states
Ongoing: Investigation continues, with no evidence of data appearing on the dark web as of early December 2025

What Data Was Compromised?

The stolen information represents a comprehensive profile of victims' financial identities:

  • Full names and physical addresses
  • Social Security numbers (SSNs)
  • Taxpayer Identification Numbers (TINs)
  • Dates of birth
  • Phone numbers
  • Financial account information (excluding security codes or access credentials)
  • Credit and debit card numbers

This combination of personally identifiable information (PII) and financial data creates significant identity theft risks for affected individuals.

Scale of Impact: 74+ Financial Institutions Affected

According to data breach notifications filed with state Attorney General offices across Maine, Iowa, Texas, Massachusetts, New Hampshire, South Carolina, and Washington, at least 74 banks and credit unions were impacted. However, given that Marquis serves over 700 financial institutions nationwide, the actual scope may be broader.

The affected institutions represent a cross-section of community banks and credit unions that rely on Marquis for:

  • Data analytics and business intelligence
  • Customer relationship management (CRM) tools
  • Compliance reporting and regulatory documentation
  • Digital marketing services

The Technical Attack Vector: SonicWall - But Which Vulnerability?

Critical Clarification: Marquis has only confirmed that attackers breached their network "through its SonicWall firewall" on August 14, 2025. The company has not disclosed which specific vulnerability was exploited. What follows is security researcher speculation based on attack patterns and timing—not confirmed facts.

The Speculation: Two Leading Theories

Security researchers have proposed two primary theories about which vulnerability was used:

Theory #1: CVE-2024-40766 (Most Media Coverage)

Most security publications have speculated this is CVE-2024-40766, a critical improper access control vulnerability in SonicWall SonicOS disclosed in August 2024 - approximately one year before the Marquis breach.

This vulnerability, which received a CVSS score of 9.3 (Critical), affects SonicWall's SSL VPN and management access components across multiple device generations:

  • Gen 5 devices: SOHO models running version 5.9.2.14-12o and older
  • Gen 6 devices: TZ, NSA, and SM models running versions 6.5.4.14-109n and older
  • Gen 7 devices: TZ and NSA models running SonicOS build version 7.0.1-5035 and older

Why researchers suspect CVE-2024-40766:

  • Heavily exploited by Akira ransomware throughout 2024-2025
  • Allows attackers to steal VPN credentials, passwords, and OTP seeds
  • Enables persistent access even after patching if credentials aren't rotated
  • Timeline matches known Akira campaigns
  • Marquis's post-breach remediation (MFA, geo-blocking, credential rotation) suggests VPN compromise

The critical timing issue: If this was indeed the vulnerability used, it means Marquis was breached using a year-old patched vulnerability—a catastrophic patch management failure.
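Turning the version ceilings above into a repeatable check is the part of this story a defender can act on. The script below is an added example written for this article, not tooling from Marquis or SonicWall: it parses SonicOS version strings, flags any device at or below the article's per-generation ceiling for CVE-2024-40766, and, following the point that patching alone does not evict an attacker who already holds VPN credentials or OTP seeds, flags devices whose credentials were not rotated after the firmware upgrade. The inventory, hostnames and dates are constructed, and the trailing letter in SonicOS version strings is assumed to be a platform designator rather than a sequence number, so it is not compared.

```python
"""Inventory triage against the CVE-2024-40766 version ceilings quoted above.

Added example for this article; not Marquis's or SonicWall's tooling.
Hostnames, versions and dates in the sample inventory are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Highest affected SonicOS version per generation, as listed in the article
# ("... and older"). The leading major number identifies the generation.
AFFECTED_CEILING = {
    5: "5.9.2.14-12o",   # Gen 5: SOHO
    6: "6.5.4.14-109n",  # Gen 6: TZ, NSA, SM
    7: "7.0.1-5035",     # Gen 7: TZ, NSA
}

# release digits, a dash, a build number, optional trailing letter
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)([a-z]?)$")


def parse_version(text: str) -> tuple[tuple[int, ...], int]:
    """Turn '6.5.4.14-109n' into ((6, 5, 4, 14), 109).

    ASSUMPTION: the trailing letter is a platform designator rather than a
    sequence number, so it is accepted but not used in ordering.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    return release, int(m.group(2))


def is_affected(version: str) -> bool:
    """True when the version is at or below the article's ceiling for its generation."""
    release, build = parse_version(version)
    ceiling = AFFECTED_CEILING.get(release[0])
    if ceiling is None:
        # Generation not covered by the article's list: surface it for manual
        # review rather than silently clearing it.
        raise ValueError(f"no ceiling known for SonicOS generation {release[0]}")
    c_release, c_build = parse_version(ceiling)
    return (release, build) <= (c_release, c_build)


@dataclass
class Device:
    hostname: str
    version: str
    patched_on: date | None        # firmware moved above the ceiling on this date
    creds_rotated_on: date | None  # VPN passwords / OTP seeds last rotated


def triage(dev: Device) -> list[str]:
    """Findings for one device: firmware exposure and stale credentials."""
    findings: list[str] = []
    try:
        if is_affected(dev.version):
            findings.append("firmware at or below affected ceiling: upgrade")
    except ValueError as exc:
        findings.append(f"cannot assess: {exc}")
    # Patching alone does not evict an attacker who already harvested VPN
    # credentials or OTP seeds; rotation has to follow the upgrade.
    if dev.patched_on is not None and (
        dev.creds_rotated_on is None or dev.creds_rotated_on < dev.patched_on
    ):
        findings.append("credentials not rotated after patching: rotate VPN passwords and OTP seeds")
    return findings


def triage_inventory(devices: list[Device]) -> dict[str, list[str]]:
    """Map hostname -> findings, omitting devices with nothing to report."""
    report: dict[str, list[str]] = {}
    for dev in devices:
        findings = triage(dev)
        if findings:
            report[dev.hostname] = findings
    return report


# Constructed sample inventory (all values made up for the demo).
SAMPLE_INVENTORY = [
    Device("fw-branch-01", "7.0.1-5035", None, None),                            # Gen 7 on the ceiling
    Device("fw-branch-02", "7.0.1-5111", date(2025, 9, 1), date(2025, 8, 1)),   # patched, creds stale
    Device("fw-dc-01", "7.1.1-7040", date(2025, 9, 1), date(2025, 9, 2)),       # patched and rotated
    Device("fw-legacy-01", "6.5.4.14-109n", None, None),                         # Gen 6 on the ceiling
    Device("fw-legacy-02", "6.5.4.15-117n", date(2025, 9, 3), date(2025, 9, 3)), # clean
    Device("fw-soho-01", "5.9.2.14-12o", None, None),                            # Gen 5 on the ceiling
    Device("fw-odd-01", "8.0.0-1", None, None),                                  # generation not listed
]

if __name__ == "__main__":
    for host, findings in triage_inventory(SAMPLE_INVENTORY).items():
        for finding in findings:
            print(f"{host}: {finding}")
```

The two checks are deliberately independent: a device that has been upgraded still appears in the report if its VPN credentials predate the upgrade, which is exactly the gap the post-breach remediation list (MFA, geo-blocking, credential rotation) is meant to close.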

Theory #2: CVE-2024-53704 (Technical Analysis)

However, Lydia Zhang, President of Ridge Security, argues the breach is more closely related to CVE-2024-53704, a different SonicWall SSL VPN vulnerability:

"This recent attack was more closely related to CVE-2024-53704 rather than CVE-2024-40766. The '53704' SonicWall SSL VPN vulnerability leaks the swap cookie and session ID, which lets a remote attacker bypass authentication and take over an existing session."

CVE-2024-53704 details:

  • Disclosed officially: January 7, 2025 (but may have been exploited as a zero-day earlier)
  • CVSS Score: 9.8 (Critical)
  • Allows session hijacking without credentials
  • Affects TZ, NSa, NSsp, and NSv series firewalls
  • Added to CISA KEV: February 18, 2025

The timing problem with this theory: CVE-2024-53704 wasn't publicly disclosed until January 2025, but the Marquis breach occurred in August 2025. This could mean:

  1. Attackers discovered it as a zero-day and used it months before disclosure
  2. It was already being exploited in the wild before the January disclosure
  3. The researcher is incorrect and it was actually CVE-2024-40766

What We Actually Know

Confirmed facts:

  • Attackers breached through a SonicWall firewall
  • The attack occurred August 14, 2025
  • Marquis implemented post-breach controls suggesting VPN/authentication compromise
  • Attack patterns resemble Akira ransomware techniques

Speculation/unconfirmed:

  • Which specific CVE was exploited
  • Whether Akira ransomware was responsible
  • Whether a ransom was paid

The broader truth: Regardless of which vulnerability was used, Marquis was running vulnerable SonicWall equipment that should have been either patched, properly configured, or replaced. The specific CVE almost doesn't matter—the fundamental security failure is the same.

SonicWall's Four-Year Security Nightmare: A History of Exploitation (2021-2025)

To understand the Marquis breach, we need context: SonicWall has been a ransomware attacker's favorite target for four years straight. This isn't a one-off incident—it's part of a systematic, ongoing exploitation of SonicWall products that has affected hundreds of organizations globally.

The Grim Statistics

  • 14 SonicWall CVEs on CISA's Known Exploited Vulnerabilities (KEV) catalog since late 2021
  • 8 of those 14 confirmed used in ransomware campaigns
  • 4 actively exploited in 2025 alone (as of December 2025)
  • 20+ vulnerabilities publicly disclosed by SonicWall in 2025
  • Notably absent: SonicWall has NOT signed the Secure-by-Design pledge, unlike many competitors
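The figures above can be reproduced from the CISA KEV catalog itself, which is published as JSON. The script below is an added example for this article, not CISA's or SonicWall's code: it parses a feed in the KEV JSON shape, selects one vendor's entries case-insensitively, and counts total entries, entries flagged with known ransomware use, and entries added in a given year. The embedded feed is a constructed sample; only the CVE-2024-53704 add date is taken from the article, and the other CVE identifiers are obvious placeholders.

```python
"""Vendor-level statistics from a CISA Known Exploited Vulnerabilities feed.

Added example for this article, not CISA's or SonicWall's code. The feed
below is a constructed sample in the KEV JSON shape; only the add date of
CVE-2024-53704 is taken from the article, every other value is made up.
"""
from __future__ import annotations

import json
from datetime import date

# Canonical location of the live feed (not fetched here so the example runs offline).
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

SAMPLE_FEED = json.dumps({
    "title": "constructed KEV sample",
    "vulnerabilities": [
        {   # CVE ID and dateAdded as quoted in the article; other fields constructed
            "cveID": "CVE-2024-53704", "vendorProject": "SonicWall", "product": "SonicOS",
            "dateAdded": "2025-02-18", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2099-0001", "vendorProject": "SonicWall", "product": "SonicOS",
         "dateAdded": "2021-11-03", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0002", "vendorProject": "SonicWall", "product": "SonicOS",
         "dateAdded": "2025-07-01", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0003", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dateAdded": "2025-03-10", "knownRansomwareCampaignUse": "Unknown"},
        # vendor spelled with different case: matching has to normalise
        {"cveID": "CVE-2099-0004", "vendorProject": "sonicwall", "product": "SonicOS",
         "dateAdded": "2024-09-09", "knownRansomwareCampaignUse": "Known"},
    ],
})


def load_entries(feed_text: str) -> list[dict]:
    """Parse a KEV JSON document and return its 'vulnerabilities' array."""
    doc = json.loads(feed_text)
    return list(doc.get("vulnerabilities", []))


def vendor_entries(entries: list[dict], vendor: str, since: date | None = None) -> list[dict]:
    """Entries for one vendor (case-insensitive), optionally added on or after `since`."""
    wanted = vendor.casefold()
    selected = []
    for entry in entries:
        if entry.get("vendorProject", "").casefold() != wanted:
            continue
        added = date.fromisoformat(entry["dateAdded"])
        if since is not None and added < since:
            continue
        selected.append(entry)
    return sorted(selected, key=lambda e: e["dateAdded"])


def summarize(entries: list[dict], vendor: str, since: date, year: int) -> dict:
    """Counts of the kind the article quotes: KEV total, ransomware use, added in `year`."""
    mine = vendor_entries(entries, vendor, since)
    return {
        "total_on_kev": len(mine),
        "ransomware_known": sum(
            1 for e in mine if e.get("knownRansomwareCampaignUse") == "Known"
        ),
        "added_in_year": sum(
            1 for e in mine if date.fromisoformat(e["dateAdded"]).year == year
        ),
        "cve_ids": [e["cveID"] for e in mine],
    }


if __name__ == "__main__":
    stats = summarize(load_entries(SAMPLE_FEED), "SonicWall", date(2021, 10, 1), 2025)
    for key, value in stats.items():
        print(f"{key}: {value}")
```

To run the same summary against the real catalog, download `KEV_URL` (for example with `urllib.request.urlopen(KEV_URL).read().decode()`) and pass the text to `load_entries`; the field names used here (`cveID`, `vendorProject`, `dateAdded`, `knownRansomwareCampaignUse`) are those of the published feed.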
