When Marquis Hotels & Resorts discovered that its network had been compromised through a vulnerability in its SonicWall firewall appliance, the hospitality company did what most breach victims do: it scrambled to contain the damage, engaged incident response teams, and began the painful process of recovery. But then Marquis did something far less common — it sued SonicWall, the very vendor whose product was supposed to keep the attackers out.
The lawsuit, filed in federal court, alleges that SonicWall knew about critical vulnerabilities in its firewall products and failed to adequately warn customers or patch the flaws in a timely manner. According to the complaint, this negligence allowed ransomware operators to exploit the weakness, penetrate Marquis’s network, encrypt critical business systems, and demand a ransom payment. As TechCrunch reported, the case has sent ripples through the cybersecurity industry, raising uncomfortable questions about vendor accountability when security products themselves become the attack vector.
The Breach That Sparked a Legal Battle
The details of the breach paint a grim picture of how modern ransomware gangs operate. According to the lawsuit and reporting by TechCrunch, attackers targeted a known vulnerability in SonicWall’s SMA (Secure Mobile Access) series appliances — devices designed specifically to provide secure remote access to corporate networks. The vulnerability, which had been publicly disclosed months earlier, allegedly remained unpatched on Marquis’s devices because SonicWall had not issued a fix or had failed to communicate the severity of the risk to its customers with sufficient urgency.
Ransomware operators, who have increasingly targeted network edge devices like firewalls and VPN appliances, exploited the flaw to gain initial access. From there, they moved laterally through Marquis’s systems, eventually deploying ransomware that locked down reservation systems, guest data, and operational technology across multiple hotel properties. The financial toll, according to court filings, ran into the millions — encompassing not just the ransom demand itself but business interruption losses, incident response costs, legal fees, regulatory exposure, and reputational harm.
SonicWall’s Troubled Security Track Record
SonicWall, a legacy firewall vendor that has changed ownership multiple times over the years — including stints under Dell and later the private equity firm Francisco Partners — has faced a series of security incidents involving its own products. In January 2021, SonicWall disclosed that it had itself been the victim of a coordinated attack exploiting zero-day vulnerabilities in its products. That incident marked an inflection point, as security researchers began scrutinizing SonicWall appliances more closely.
Since then, multiple critical vulnerabilities have been discovered in SonicWall’s SMA and SRA (Secure Remote Access) product lines. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued multiple advisories urging organizations to patch or retire vulnerable SonicWall devices. In several cases, CISA added SonicWall flaws to its Known Exploited Vulnerabilities (KEV) catalog, a list that federal agencies are required to remediate on strict timelines. Despite these warnings, the Marquis lawsuit alleges that SonicWall’s communication to its direct customers was inadequate, slow, or buried in technical advisories that non-specialist IT teams at companies like hotel chains were unlikely to act on quickly.
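The KEV catalog is only useful if it is checked against what an organization actually runs. The script below is an added example, not code from the article, from CISA or from SonicWall: it cross-references a device inventory with a KEV-style feed and reports every device that still carries an unremediated catalog entry, ordered by whether CISA flags the entry as used in ransomware campaigns and by how far past the catalog's due date it is. The field names follow the JSON layout CISA publishes for the catalog; the feed contents, the CVE identifiers (placeholders, not real entries), the hostnames and the product strings are all constructed for the example, and the due date is used as a benchmark for a private fleet even though it formally binds only federal agencies.

```python
"""Cross-check an asset inventory against a CISA KEV-style feed.

Added example. It assumes the KEV JSON layout CISA publishes (a
"vulnerabilities" list with cveID, vendorProject, product, dateAdded,
dueDate, requiredAction, knownRansomwareCampaignUse) and a local inventory
that records, per device, vendor, product and the catalog entries already
remediated. Every value below is constructed; the CVE IDs are placeholders.
"""
import json
from datetime import date

# Constructed KEV-style feed (placeholder CVE IDs, not real catalog entries).
KEV_FEED_JSON = json.dumps({
    "title": "constructed sample, not the real CISA feed",
    "vulnerabilities": [
        {
            "cveID": "CVE-0000-0001",  # placeholder
            "vendorProject": "SonicWall",
            "product": "SMA 100 Series",
            "dateAdded": "2024-01-10",
            "dueDate": "2024-01-31",
            "requiredAction": "Apply updates per vendor instructions.",
            "knownRansomwareCampaignUse": "Known",
        },
        {
            "cveID": "CVE-0000-0002",  # placeholder
            "vendorProject": "ExampleVendor",
            "product": "Edge Gateway",
            "dateAdded": "2024-03-01",
            "dueDate": "2024-03-22",
            "requiredAction": "Apply updates per vendor instructions.",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed inventory (hypothetical hostnames). "remediated" lists the KEV
# entries whose required action has been verified on that device.
INVENTORY = [
    {"host": "fw-hq-01", "vendor": "SonicWall", "product": "SMA 100 Series", "remediated": ["CVE-0000-0001"]},
    {"host": "fw-site-07", "vendor": "SonicWall", "product": "SMA 100 Series", "remediated": []},
    {"host": "gw-lab-02", "vendor": "ExampleVendor", "product": "Edge Gateway", "remediated": []},
    {"host": "sw-core-01", "vendor": "OtherVendor", "product": "Core Switch", "remediated": []},
]


def _affects(entry, device):
    """Match a KEV entry to a device by vendor and product, case-insensitively.

    KEV product strings are free text, so the product check is a substring
    match in either direction; tighten it to your own inventory's naming.
    """
    if entry["vendorProject"].casefold() != device["vendor"].casefold():
        return False
    kev_product = entry["product"].casefold()
    inv_product = device["product"].casefold()
    return kev_product in inv_product or inv_product in kev_product


def find_exposures(kev_json, inventory, today):
    """Return unremediated KEV matches for the inventory, most urgent first.

    `today` may be a date or an ISO date string. Entries CISA marks as used in
    ransomware campaigns sort ahead of the rest, then by days past due.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    feed = json.loads(kev_json)
    findings = []
    for entry in feed["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for device in inventory:
            if not _affects(entry, device) or entry["cveID"] in device["remediated"]:
                continue
            days_overdue = (today - due).days  # negative while still before the due date
            findings.append({
                "host": device["host"],
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "days_overdue": days_overdue,
                "status": "OVERDUE" if days_overdue > 0 else "DUE",
                "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown") == "Known",
                "action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (not f["ransomware"], -f["days_overdue"], f["host"]))
    return findings


def format_report(findings):
    """One line per finding, suitable for a ticket or a daily digest."""
    lines = []
    for f in findings:
        tag = "RANSOMWARE" if f["ransomware"] else "kev"
        lines.append(f'{f["status"]:7} {f["host"]:12} {f["cve"]:15} due {f["due"]} '
                     f'({f["days_overdue"]:+d}d) [{tag}] {f["action"]}')
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_exposures(KEV_FEED_JSON, INVENTORY, date.today())))
```

Run against the constructed data on 2024-04-01, the report lists fw-site-07 first (a ransomware-flagged entry 61 days past its due date) and gw-lab-02 second, while fw-hq-01 is silent because the entry is recorded as remediated. In practice the feed would be fetched from CISA's published URL and the inventory from a CMDB or the appliances' own version reporting; the matching helper is the part most worth adapting, since vendor product names in the catalog rarely line up exactly with asset records.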
The Legal Theory: Can You Sue Your Firewall Vendor?
The Marquis case raises a legal question that the cybersecurity industry has debated for years but rarely tested in court: Can a company hold its security vendor liable when that vendor’s product fails to prevent — or actively enables — a breach? Historically, software vendors have shielded themselves behind end-user license agreements (EULAs) that disclaim liability for security failures and limit damages to the cost of the product itself. Courts have generally upheld these limitations.
But Marquis’s attorneys are advancing a theory that goes beyond simple product liability. The complaint alleges negligence, breach of implied warranty, and — perhaps most significantly — fraudulent concealment. The fraudulent concealment claim asserts that SonicWall was aware of the specific vulnerability being exploited, knew that threat actors were actively targeting it in the wild, and nonetheless failed to take reasonable steps to alert affected customers. If proven, this claim could pierce the protections typically afforded by standard software licensing terms, legal experts say.
Industry Watchers See a Potential Precedent
Cybersecurity attorneys and industry analysts are watching the case closely. “This lawsuit could establish a new baseline for what security vendors owe their customers when they know a product is being actively exploited,” said one cybersecurity attorney who spoke on condition of anonymity because they advise clients in similar disputes. The case arrives at a moment when regulators on both sides of the Atlantic are pushing for greater accountability from software makers. The Biden administration’s 2023 National Cybersecurity Strategy explicitly called for shifting liability toward the entities best positioned to reduce risk — namely, technology vendors. The European Union’s Cyber Resilience Act, which is being phased in, imposes direct obligations on manufacturers of products with digital elements to address known vulnerabilities promptly.
SonicWall, for its part, has not publicly commented on the specifics of the litigation. In past statements regarding vulnerabilities in its products, the company has said it takes security seriously and works to issue patches as quickly as possible. SonicWall has also pointed customers toward its security advisories and recommended best practices, including enabling automatic updates and multi-factor authentication on its appliances.
The Broader Problem of Edge Device Exploitation
The Marquis case also highlights a growing and deeply concerning trend in cybersecurity: the systematic exploitation of network edge devices. Firewalls, VPN concentrators, and remote access gateways sit at the boundary between the public internet and private corporate networks, making them extraordinarily high-value targets. When these devices are compromised, attackers often gain privileged access that bypasses many of the internal security controls organizations have in place.
Recent years have seen a drumbeat of edge device compromises. Vulnerabilities in products from Fortinet, Ivanti (formerly Pulse Secure), Citrix, Barracuda, and Palo Alto Networks have all been exploited by both financially motivated cybercriminals and state-sponsored espionage groups. Mandiant, the Google-owned threat intelligence firm, has documented campaigns by Chinese state-backed hackers who specifically target edge appliances because they often run proprietary or stripped-down operating systems that lack the endpoint detection and response (EDR) tools found on standard servers and workstations.
What This Means for Enterprise Buyers and CISOs
For chief information security officers and IT procurement teams, the Marquis lawsuit is a stark reminder that purchasing a firewall does not transfer risk to the vendor. Even if the legal theory in this case ultimately succeeds, the practical reality is that organizations must treat their edge devices as high-risk assets that require continuous monitoring, rapid patching, and — increasingly — zero-trust architectures that do not rely solely on perimeter defenses.
The case also underscores the importance of contractual protections. Cybersecurity consultants have long advised enterprise buyers to negotiate service-level agreements that include specific commitments around vulnerability disclosure timelines, patch availability, and notification procedures. Standard click-through EULAs rarely contain such provisions, and organizations that rely on default terms may find themselves with limited legal recourse if a product fails catastrophically.
The Stakes for SonicWall and the Security Vendor Market
For SonicWall specifically, the timing of the lawsuit is particularly unwelcome. The company has been working to reposition itself in a competitive market dominated by larger players like Palo Alto Networks, Fortinet, and Cisco. SonicWall has invested in expanding its managed security services and cloud-based offerings, targeting the small and mid-sized business segment where it has traditionally been strongest. A high-profile lawsuit alleging that its flagship product facilitated a ransomware attack could undermine customer confidence at a critical moment.
More broadly, the case could have a chilling — or clarifying — effect on the entire security vendor market. If courts begin holding vendors liable for breaches caused by known, unpatched vulnerabilities in their products, it would create powerful financial incentives for faster patching, more transparent disclosure, and better customer communication. Critics might argue that such liability could also drive up costs and stifle innovation, but proponents counter that the current model, in which vendors externalize the cost of their own security failures onto customers, is unsustainable.
A Test Case for the Age of Vendor Accountability
The Marquis Hotels & Resorts v. SonicWall litigation is still in its early stages, and it could be months or years before any substantive rulings are issued. The case may settle quietly, as many commercial disputes do, or it could proceed to discovery and trial, producing a body of case law that reshapes the relationship between security vendors and their customers. Either way, the lawsuit has already achieved something significant: it has forced an industry-wide conversation about who bears responsibility when the products designed to protect organizations instead become the instruments of their compromise.
As ransomware attacks continue to escalate in frequency and severity, and as the attack surface expands with the proliferation of connected devices and remote work infrastructure, the question of vendor accountability is not going away. The Marquis case may be the first major test, but it is unlikely to be the last.