Executive summary – what changed and why it matters
Thesis: Vendor-hosted backups combined with insecure API changes created systemic risk that transcended individual customers, as alleged in Marquis’s lawsuit against SonicWall.
On February 23, 2026, fintech provider Marquis filed suit in the U.S. District Court for the Eastern District of Texas, contending that a February 2025 code change in SonicWall’s MySonicWall API exposed customer firewall backups—complete with VPN credentials and emergency “scratch” codes—to unauthenticated retrieval. Marquis alleges that threat actors leveraged this systemic design weakness to bypass perimeter controls in August 2025, deploying ransomware and exfiltrating personally identifiable information (PII) for at least 400,000 individuals.
Key takeaways
- Alleged attack chain: stolen SonicWall cloud backups (configuration files, VPN keys, scratch codes) provided a blueprint to defeat perimeter defenses.
- Timeline and scope: SonicWall publicly disclosed its breach on September 17, 2025—initially noting fewer than 5% of backup users affected, then acknowledging complete exfiltration of all customer backups.
- Core technical allegation: Marquis asserts that a February 2025 API update removed authentication controls on backup retrieval, enabling attacks by iterating predictable firewall serial numbers.
- Vendor dispute: SonicWall disputes a direct causal link to Marquis’s ransomware incident, stating it has “no new evidence” tying the two events; the complaint and vendor statements frame key facts as contested.
- Systemic stakes: cloud-hosted backup designs and API change practices can create cross-customer vulnerabilities with cascading regulatory, contractual and remediation burdens.
Breaking down the allegation
The complaint describes backup files stored on Amazon Web Services that included full firewall rule sets, stored credentials, VPN configurations and emergency passcodes. Marquis alleges that, once downloaded by guessing device serial numbers, those files let attackers impersonate legitimate appliances or present valid credentials to Marquis’s firewalls. The suit attributes this to a February 2025 API modification that allegedly removed authentication checks for backup downloads.

SonicWall has acknowledged the October 2025 expansion of its breach disclosure—publicly conceding full exfiltration of backups—but the company’s January 2026 statements insist that a definitive, forensic link to downstream ransomware incidents remains unproven. Third-party probes and discovery in the lawsuit are expected to illuminate which elements of the API change and design process contributed to the claimed vulnerability.
Vendor design patterns and systemic consequences
The SonicWall dispute highlights recurring vendor design options: some network providers implement customer-managed encryption keys (BYOK) for backups and enforce mutual TLS or multi-factor authentication on API endpoints, while others centralize key management and rely on vendor-side credentials. When authentication is weak or absent, backup repositories become high-value targets that, if breached, can expose configuration secrets at scale.

Marquis’s allegations suggest that design decisions—such as permitting unauthenticated download based on predictable device identifiers—can cascade into multi-customer incidents. Observed mitigation patterns among affected operators include key rotation, credential revocation and segmentation of backup storage; absence of such measures may prolong remediation efforts and increase regulatory scrutiny.
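The two design choices contrasted above, as an added illustration that is not SonicWall's or Marquis's code and does not describe the real MySonicWall API: a hypothetical backup-download handler in its weak form (lookup by device serial alone) beside a hardened form that requires an MFA-verified session and tenant ownership of the device, plus a simple audit query that flags callers touching many distinct serials. All serials, tenants and log tuples are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample data: backup blobs keyed by device serial, and which
# tenant owns which device. Serials are deliberately sequential to mirror
# the "predictable identifier" concern raised in the complaint.
BACKUPS = {"SN0001": b"config-A", "SN0002": b"config-B", "SN0003": b"config-C"}
OWNERSHIP = {"tenant-a": {"SN0001"}, "tenant-b": {"SN0002", "SN0003"}}


@dataclass
class Session:
    tenant: str
    mfa_verified: bool


class AccessDenied(Exception):
    pass


def fetch_backup_weak(serial: str) -> Optional[bytes]:
    """Weak pattern: the only input is the device identifier, so any caller
    who can guess a valid serial receives the backup."""
    return BACKUPS.get(serial)


def fetch_backup_hardened(session: Optional[Session], serial: str) -> bytes:
    """Hardened pattern: require an authenticated, MFA-verified session and
    prove the device belongs to that tenant before releasing anything."""
    if session is None or not session.mfa_verified:
        raise AccessDenied("authenticated MFA session required")
    if serial not in OWNERSHIP.get(session.tenant, set()):
        # Same error whether the serial is unknown or owned by another tenant,
        # so the endpoint does not confirm which serials exist.
        raise AccessDenied("device not associated with this account")
    return BACKUPS[serial]


def is_denied(session: Optional[Session], serial: str) -> bool:
    """True when the hardened endpoint refuses the request (used for checks)."""
    try:
        fetch_backup_hardened(session, serial)
    except AccessDenied:
        return True
    return False


def enumeration_suspects(access_log: Iterable[Tuple[str, str]], threshold: int) -> List[str]:
    """Audit check: callers that requested more than `threshold` distinct
    serials. access_log is an iterable of (caller, serial) tuples."""
    seen = defaultdict(set)
    for caller, serial in access_log:
        seen[caller].add(serial)
    return sorted(c for c, s in seen.items() if len(s) > threshold)
```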
Regulatory and litigation implications
Financial institutions face layered obligations under GLBA and state breach notification laws when customer PII is compromised. Marquis has reported notifying at least 400,000 individuals and anticipates further disclosures as discovery proceeds. Litigation costs may encompass forensic investigation, class-action exposure and insurance disputes over vendor-caused breach coverage.

What to watch next
The court will address SonicWall’s motions on causation and scope, while discovery may surface internal communications and technical artifacts regarding the February 2025 API change. Independent security researchers are likely to analyze the MySonicWall API for serial-number predictability, and regulators may probe cloud backup practices in network device management more broadly.
