
SonicWall VPN Hackers Bypass MFA Due to Incomplete Patches

Summary

– Threat actors exploited CVE-2024-12802 on SonicWall Gen6 SSL-VPN appliances to bypass MFA and deploy ransomware tools.
– Installing the firmware update alone does not fix the vulnerability; a manual LDAP reconfiguration is required to prevent MFA bypass.
– In one intrusion, the hacker accessed the internal network within 30 minutes and attempted to deploy a Cobalt Strike beacon and a vulnerable driver.
– The attacker likely acted as an initial access broker, logging in deliberately and using different accounts over multiple days.
– ReliaQuest identified that MFA bypasses appear as normal logins in logs, with “sess=CLI” being a key indicator of scripted attacks.

Threat actors have been observed successfully bypassing multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances by exploiting incomplete patches, using brute-forced credentials to gain access and deploy ransomware tools. In these intrusions, the attacker completed the entire process, from login to network reconnaissance and credential testing on internal systems, within 30 to 60 minutes before logging out.

SonicWall’s security advisory for CVE-2024-12802 clarifies that simply installing the firmware update on Gen6 devices is insufficient. Administrators must also manually reconfigure the LDAP server; otherwise, the vulnerability remains exploitable, allowing attackers to circumvent MFA. Researchers at ReliaQuest investigated multiple breaches between February and March, assessing with medium confidence that these were the first in-the-wild exploits of CVE-2024-12802, targeting SonicWall systems across various sectors.

Notably, the affected devices appeared patched because they ran the updated firmware, but the missing remediation steps left them exposed. For Gen7 and Gen8 devices, a firmware update alone fully mitigates the risk.

Exploitation activity observed by ReliaQuest included one incident where the hacker accessed the internal network and reached a domain-joined file server within 30 minutes. They then used a shared local administrator password to establish a remote desktop connection. The attacker attempted to deploy a Cobalt Strike beacon for command-and-control communication and a vulnerable driver to disable endpoint protection via the Bring Your Own Vulnerable Driver (BYOVD) technique. However, the installed EDR solution blocked both the beacon and the driver.

The attacker’s pattern of deliberate logouts and re-logins days later, sometimes with different accounts, suggests they are an initial access broker selling access to threat groups. This mirrors tactics seen last year when the Akira ransomware gang targeted SonicWall SSL VPNs, though their bypass method was unconfirmed.

Addressing CVE-2024-12802 requires a specific process on Gen6 devices. The vulnerability stems from missing MFA enforcement for the UPN login format, enabling attackers with valid credentials to authenticate directly without MFA. Administrators must update firmware, then follow these steps: delete the existing LDAP configuration using userPrincipalName in the “Qualified login name” field, remove cached LDAP users, remove the configured SSL VPN “User Domain” (reverting to LocalDomain), reboot the firewall, recreate the LDAP configuration without userPrincipalName, and create a fresh backup to avoid restoring the vulnerable setup.

ReliaQuest has high confidence that the same threat actor exploited CVE-2024-12802 across multiple sectors and geographies. Logs from these intrusions still showed normal MFA flows, misleading defenders into believing MFA worked. Key indicators include the “sess=CLI” signal, suggesting automated VPN authentication, along with event IDs 238 and 1080, and VPN logins from suspicious VPS or VPN infrastructure.
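The indicators above, turned into a small log check. This is an added example, not code from the article or from ReliaQuest; it assumes SonicWall-style key=value syslog lines (the field names m, sess, usr and src and the sample lines are constructed for the example and should be checked against your own appliance's output). It flags VPN login events 238 and 1080 made with sess=CLI and then lists any source address that rotated through more than one account, the broker-style pattern described earlier.

```python
import re
from collections import defaultdict

# Constructed sample lines in a SonicWall-style key=value syslog layout
# (assumed format for this example; verify field names on your appliance).
SAMPLE_LOGS = """\
time="2026-03-02 08:14:02" fw=203.0.113.10 m=238 sess="CLI" usr="j.doe" src=198.51.100.7 msg="SSL VPN zone remote user login allowed"
time="2026-03-02 08:14:05" fw=203.0.113.10 m=1080 sess="CLI" usr="j.doe" src=198.51.100.7 msg="User login from SSL VPN"
time="2026-03-02 09:01:44" fw=203.0.113.10 m=238 sess="Web" usr="a.smith" src=192.0.2.33 msg="SSL VPN zone remote user login allowed"
time="2026-03-05 22:47:10" fw=203.0.113.10 m=1080 sess="CLI" usr="svc_backup" src=198.51.100.7 msg="User login from SSL VPN"
"""

VPN_LOGIN_IDS = {"238", "1080"}   # event IDs named in the article
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value syslog line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def is_scripted_vpn_login(event):
    """True when a VPN login event (238/1080) carries the CLI session type,
    the indicator the article ties to automated, MFA-bypassing logins."""
    return event.get("m") in VPN_LOGIN_IDS and event.get("sess", "").upper() == "CLI"

def find_suspicious_logins(text, known_bad_sources=frozenset()):
    """Return (flagged events, source addresses that used more than one account).
    known_bad_sources lets you add VPS/VPN ranges you already distrust."""
    flagged = []
    accounts_by_src = defaultdict(set)
    for raw in text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        if is_scripted_vpn_login(ev) or ev.get("src") in known_bad_sources:
            flagged.append(ev)
            accounts_by_src[ev.get("src")].add(ev.get("usr"))
    rotating = {src for src, users in accounts_by_src.items() if len(users) > 1}
    return flagged, rotating

if __name__ == "__main__":
    hits, rotating = find_suspicious_logins(SAMPLE_LOGS)
    for ev in hits:
        print(ev["time"], ev["usr"], ev["src"], "m=" + ev["m"])
    print("sources rotating accounts:", sorted(rotating))
```

A match here only means the login went through the CLI session path; confirm against the user's normal client and source before treating it as a bypass.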

Since Gen6 SSL-VPN appliances reached end-of-life on April 16, 2026, and no longer receive security updates, upgrading to actively supported versions is strongly recommended.

(Source: BleepingComputer)
