Hackers Exploit SonicWall VPN Flaw to Bypass MFA

"with medium confidence to be the first in-the-wild exploitation of CVE-2024-12802, targeting SonicWall devices across multiple environments," ReliaQuest researchers wrote.

ReliaQuest’s assessment of the intrusions

Researchers at ReliaQuest investigated multiple intrusions between February and March and concluded that threat actors brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL‑VPN appliances. The company says attackers moved quickly: in the incidents reviewed, a threat actor took between 30 and 60 minutes to log in, perform network reconnaissance, test credential reuse on internal systems, and log out. In one case the intruder reached a domain‑joined file server in as little as half an hour and then established an RDP connection using a shared local administrator password.

How CVE-2024-12802 enabled MFA bypass

The vulnerability tracked as CVE-2024-12802 is caused by a missing MFA enforcement for the UPN login format. That gap allowed an attacker possessing valid credentials to authenticate directly and bypass the MFA requirement. ReliaQuest reported that in the environments they examined the VPN devices appeared patched — running the updated firmware — yet remained exploitable because the vendor’s required remediation steps were not completed.

Why Gen6 devices remained vulnerable and how to fix them

SonicWall warned that installing the firmware update alone on Gen6 devices does not fully mitigate CVE-2024-12802; administrators must perform a manual LDAP reconfiguration to restore MFA enforcement for UPN-based logins. The vendor’s advisory prescribes these steps:

  • Delete the existing LDAP configuration using userPrincipalName in the “Qualified login name” field
  • Remove locally cached/listed LDAP users
  • Remove the configured SSL VPN “User Domain” (reverts to LocalDomain)
  • Reboot the firewall
  • Recreate the LDAP configuration without userPrincipalName in “Qualified login name”
  • Create a fresh backup to avoid restoring the vulnerable LDAP configuration later

By contrast, SonicWall says that on Gen7 and Gen8 devices simply updating to a newer firmware version is enough to fully remove the risk from exploiting CVE-2024-12802.

Signals defenders should hunt for

ReliaQuest highlighted several forensic and telemetry clues that can help defenders spot exploitation attempts. The sess="CLI" signal is a key indicator, suggesting scripted or automated VPN authentication. Other strong signals include event IDs 238 and 1080 and VPN logins originating from suspicious VPS/VPN infrastructure. The researchers added that rogue login attempts often appeared in logs as a normal MFA flow, which could mislead defenders into believing MFA had worked even when it had failed.
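As an added example (not code from the ReliaQuest report or this article), the small hunt below applies the three indicators above to constructed SonicWall-style key=value log lines. The field layout (m= as the event ID, src= as the client address, sess= as the session type) and the suspicious-source set are assumptions made for the example; the event IDs and the sess="CLI" value are the ones the researchers cite.

```python
import re
from typing import Dict, List

# Constructed sample records in a SonicWall-style key=value syslog layout. The layout is an
# assumption for this example: m= is treated as the event ID, src= as the client address.
SAMPLE_LOGS = [
    'time="2025-03-02 01:14:07" m=238 sess="CLI" usr="jdoe@corp.example" src=198.51.100.23 msg="SSL VPN login"',
    'time="2025-03-02 01:14:09" m=1080 sess="CLI" usr="jdoe@corp.example" src=198.51.100.23 msg="User authenticated"',
    'time="2025-03-02 08:30:44" m=238 sess="Web" usr="asmith" src=192.0.2.77 msg="SSL VPN login"',
    'time="2025-03-02 09:02:10" m=238 sess="Web" usr="bnguyen" src=198.51.100.23 msg="SSL VPN login"',
]

# Placeholder threat-intel set: populate from your own VPS/VPN provider address lists.
SUSPICIOUS_SOURCES = {"198.51.100.23"}
# Event IDs called out by ReliaQuest as strong signals.
WATCHED_EVENT_IDS = {"238", "1080"}
# Weights: sess="CLI" or a suspicious source is enough on its own; a watched event ID
# alone is ordinary login noise and only raises the score of another hit.
WEIGHTS = {"cli_session": 2, "suspicious_source": 2, "watched_event": 1}
ALERT_THRESHOLD = 2

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def indicators(fields: Dict[str, str]) -> List[str]:
    """Return the names of the indicators present in one parsed record."""
    found = []
    if fields.get("sess") == "CLI":
        found.append("cli_session")
    if fields.get("src") in SUSPICIOUS_SOURCES:
        found.append("suspicious_source")
    if fields.get("m") in WATCHED_EVENT_IDS:
        found.append("watched_event")
    return found


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Score each record and return those that reach the alert threshold."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        found = indicators(f)
        score = sum(WEIGHTS[i] for i in found)
        if score >= ALERT_THRESHOLD:
            alerts.append({"time": f.get("time"), "user": f.get("usr"), "src": f.get("src"),
                           "event_id": f.get("m"), "score": score, "indicators": found})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOGS):
        print(alert)
```

Run against the constructed lines, the two sess="CLI" records and the login from the listed source are returned; the plain web login from an unlisted address is not.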

What this means for administrators, procurement teams, and defenders

  • Administrators: Follow the vendor’s remediation steps after applying the Gen6 firmware update; removing and recreating LDAP settings without userPrincipalName in the “Qualified login name” and creating a fresh backup are required to close the bypass.
  • Procurement teams: Note that Gen6 SSL‑VPN appliances reached end‑of‑life on April 16 of this year and no longer receive security updates; the advisory recommends moving to more recent, actively supported versions.
  • Defenders and incident responders: Look for the sess="CLI" indicator, event IDs 238 and 1080, and VPN logins from suspicious infrastructure. The timeline and behavior ReliaQuest observed, a deliberate logout followed by logins days later using different accounts, also suggest operators who sell initial access to other threat groups.

Malware and mitigation observed during intrusions

During the investigated intrusions the attacker attempted to deploy a Cobalt Strike beacon and a vulnerable driver, likely intended to disable endpoint protection using a Bring Your Own Vulnerable Driver (BYOVD) technique. An installed endpoint detection and response (EDR) solution blocked the beacon and the loading of the driver. Based on the observed pattern — scripted authentication, quick reconnaissance, and later repeat logins sometimes with different accounts — ReliaQuest believes the actor is likely a broker selling initial access to other ransomware groups. The report also notes that last year the Akira ransomware gang targeted SonicWall SSL VPN devices and logged in despite MFA being enabled, though the method in that case was not confirmed.

The concrete lesson from these incidents is straightforward: when a vendor advisory requires manual remediation steps in addition to a firmware update, skipping that manual work can leave systems exposed. For Gen6 customers that window of exposure is particularly acute because the appliances reached end‑of‑life on April 16 and no longer receive security updates; for Gen7 and Gen8 customers, firmware updates alone are sufficient, according to SonicWall.

Read the original reporting at BleepingComputer: Hackers bypass SonicWall VPN MFA due to incomplete patching.