How Known-Exploited SonicWall Vulnerabilities Enable Large-Scale Breaches 

Dec 10, 2025 | What do recent CVEs reveal about the most common mistakes in vulnerability management?

The recent breach involving Marquis Software Solutions, affecting 74 U.S. banks and credit unions and exposing data from more than 400,000 customers, highlights how quickly attackers weaponize vulnerabilities in widely deployed security appliances. While Marquis has confirmed the intrusion occurred through its SonicWall firewall, the specific vulnerability used has not been publicly identified. 

What is clear, however, is that ransomware groups have been actively targeting SonicWall devices using multiple vulnerabilities already recognized in CISA’s Known Exploited Vulnerabilities (KEV) catalog. 

SonicWall VPN and Firewall Exploits: An Ongoing Threat 

Two SonicWall vulnerabilities have been heavily abused in the wild over the past year: 

  • CVE-2024-40766 – Previously exploited to steal usernames, passwords, and one-time passcode seeds from SonicWall SSL VPN appliances. Attackers used these credentials to access environments even when MFA was enabled. 
  • CVE-2024-53704 – An authentication bypass affecting SonicOS that was rapidly weaponized once public exploit code became available. This KEV-listed flaw enables attackers to access sensitive VPN functions without proper authentication. 

Ransomware operators have built repeatable intrusion playbooks around these issues: gain VPN access, escalate privileges, collect data, and deploy ransomware. This activity predates and continues beyond the Marquis incident. 

Because both vulnerabilities are actively exploited in the wild and linked to similar attack behaviors, they remain key risks for organizations relying on SonicWall devices, regardless of which specific flaw was used in the Marquis intrusion. 

How the Marquis Incident Fits the Larger Pattern 

On August 14, 2025, attackers breached Marquis Software Solutions via their SonicWall firewall and stole files containing customer data from dozens of financial institutions. The exposed information includes: 

  • Social Security numbers and Taxpayer Identification Numbers 
  • Financial account data 
  • Customer contact information 
  • Dates of birth 

There is no indication that the financial institutions themselves were at fault. The breach occurred upstream, through a vendor’s compromised perimeter device, an increasingly common supply-chain attack scenario. 

The Importance of Rapid KEV Alignment 

When CISA adds a SonicWall vulnerability to the KEV catalog, it means attackers are already exploiting it in the wild. Because SonicWall appliances sit at the network edge, they are prime targets for credential theft, MFA bypass, and privilege escalation. 

This makes immediate validation critical, and not just validation that a patch was installed:

  • Patches can be missed or applied incorrectly. 
  • Credentials can remain valid even after a device is updated. 
  • MFA seeds can remain compromised. 
  • Attack paths can stay open despite configuration changes. 

Threat actors rely on these gaps long after advisories are released. 
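The post-patch gaps listed above (missed or incomplete patches, credentials and OTP seeds that stay valid after the update) are the kind of thing a defender can reconcile mechanically against the KEV catalog. The following is an added example, not code from the original post or from RidgeBot: it reads a feed shaped like CISA's KEV JSON (the real feed uses the field names cveID, vendorProject, product, dateAdded and knownRansomwareCampaignUse; the entries, dates and the third-vendor row here are constructed), compares each inventoried SonicOS device against it, and reports not only firmware below the fixed build but also credentials or OTP seeds that were never rotated after the vulnerability was listed. The fixed build numbers, hostnames and inventory are placeholders; a real run would take the fixed builds from the vendor advisory and the inventory from the asset system.

```python
"""
Added example, not part of the original post or of RidgeBot.
Reconcile a device inventory against a KEV-style feed and flag the gaps the
post lists: missed patch, credentials not rotated, OTP seeds not reset.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample in the shape of the CISA KEV feed. dateAdded values are
# placeholders; take the real ones from the live catalog.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2024-40766", "vendorProject": "SonicWall", "product": "SonicOS",
         "dateAdded": "2024-09-01", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-53704", "vendorProject": "SonicWall", "product": "SonicOS",
         "dateAdded": "2025-02-01", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00000", "vendorProject": "OtherVendor", "product": "Widget",
         "dateAdded": "2025-01-01", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Placeholder fixed builds per CVE (NOT real SonicWall fix versions);
# populate from the vendor advisory in a real deployment.
FIXED_BUILDS = {
    "CVE-2024-40766": "7.1.0",
    "CVE-2024-53704": "7.2.0",
}


@dataclass
class Device:
    hostname: str
    vendor: str
    product: str
    firmware: str                        # dotted version string
    credentials_rotated: Optional[date]  # last forced rotation of local/LDAP creds
    otp_seeds_reset: Optional[date]      # last reset of TOTP seeds on the appliance


def parse_version(v: str) -> tuple:
    """Turn '7.0.5' into (7, 0, 5) so tuples compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def kev_entries(feed: dict, vendor: str, product: str) -> list:
    """Select only the KEV rows that apply to this vendor/product pair."""
    return [e for e in feed["vulnerabilities"]
            if e["vendorProject"] == vendor and e["product"] == product]


def validate_device(device: Device, feed: dict, fixed_builds: dict) -> list:
    """Return human-readable findings; an empty list means nothing to act on."""
    findings = []
    for entry in kev_entries(feed, device.vendor, device.product):
        cve = entry["cveID"]
        added = date.fromisoformat(entry["dateAdded"])
        fixed = fixed_builds.get(cve)
        if fixed is None:
            findings.append(f"{cve}: no fixed build recorded; cannot confirm patch")
        elif parse_version(device.firmware) < parse_version(fixed):
            findings.append(f"{cve}: firmware {device.firmware} is below fixed build {fixed}")
        # Patching alone is not validation: anything harvested before the fix
        # (passwords, OTP seeds) stays usable until it is rotated.
        if device.credentials_rotated is None or device.credentials_rotated < added:
            findings.append(f"{cve}: credentials not rotated since KEV listing on {added}")
        if device.otp_seeds_reset is None or device.otp_seeds_reset < added:
            findings.append(f"{cve}: OTP seeds not reset since KEV listing on {added}")
    return findings


def validate_fleet(devices: list, feed: dict, fixed_builds: dict) -> dict:
    """Map hostname -> findings for every device in the inventory."""
    return {d.hostname: validate_device(d, feed, fixed_builds) for d in devices}


# Constructed inventory: one clean device, one patched-but-stale, one unpatched.
INVENTORY = [
    Device("fw-edge-1.example", "SonicWall", "SonicOS", "7.2.1", date(2025, 3, 1), date(2025, 3, 1)),
    Device("fw-edge-2.example", "SonicWall", "SonicOS", "7.2.1", date(2024, 6, 1), None),
    Device("fw-edge-3.example", "SonicWall", "SonicOS", "7.0.5", None, None),
]

if __name__ == "__main__":
    for host, findings in validate_fleet(INVENTORY, KEV_SAMPLE, FIXED_BUILDS).items():
        print(host, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The point of the second and third checks is that fw-edge-2 is fully patched and still fails: it was exposed while the flaw was in the wild and its credentials and OTP seeds predate the listing, which is exactly the condition the list above describes. In practice the rotation dates would come from the identity provider and the appliance audit log rather than being typed into the inventory.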

How RidgeBot Keeps Organizations Ahead of Actively Exploited Threats 

RidgeBot continuously tracks KEV-listed vulnerabilities, including SonicWall CVE-2024-53704, which was delivered as a rapid update in RidgeBot 5.14 as soon as it entered the KEV catalog. This enables exploitation-based validation to confirm whether an environment is actually exposed. 

When a vulnerability is added to KEV, it signals that attackers are actively exploiting it in real-world attacks. This makes it essential for organizations to immediately verify that patches are applied correctly, credentials are rotated, and controls are functioning as intended, especially for internet-facing devices. 

RidgeBot provides the real-time, exploit-level visibility needed to validate exposure to newly added KEV vulnerabilities and ensure these threats are eliminated quickly and effectively.