Hackers bypass SonicWall VPN MFA due to incomplete patching
At a glance:
- Threat actors exploited CVE-2024-12802 on SonicWall Gen6 SSL-VPN appliances, bypassing MFA and deploying ransomware tools.
- A firmware update alone is insufficient; administrators must manually reconfigure LDAP settings to fully remediate.
- ReliaQuest observed intrusions between February and March 2025, with attackers logging in within 30-60 minutes and conducting reconnaissance.
What happened
ReliaQuest researchers responded to multiple intrusions between February and March 2025 in which attackers brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances. The attackers typically spent between 30 and 60 minutes inside: they logged in, performed network reconnaissance, tested credential reuse on internal systems, and logged out. In one incident, the attacker reached a domain-joined file server within half an hour and established a remote connection over RDP using a shared local administrator password.
The researchers assessed with medium confidence that this was the first in-the-wild exploitation of CVE-2024-12802, targeting SonicWall devices across multiple environments. Although the devices appeared patched (running updated firmware), they remained vulnerable because the required remediation steps had not been completed. The threat actor also attempted to deploy a Cobalt Strike beacon and a vulnerable driver using the Bring Your Own Vulnerable Driver (BYOVD) technique, but an endpoint detection and response (EDR) solution blocked both.
Why it matters
SonicWall warned in a security advisory for CVE-2024-12802 that installing the firmware update alone on Gen6 devices does not fully mitigate the vulnerability; a manual reconfiguration of the LDAP server is required. Failing to do so leaves MFA protection bypassable. On Gen7 and Gen8 devices, simply updating firmware removes the risk entirely. However, Gen6 SSL-VPN appliances reached end-of-life on April 16, 2025, and no longer receive security updates, leaving administrators with a critical decision to migrate or fully remediate.
The vulnerability allows attackers with valid credentials to authenticate directly by using the UPN login format, bypassing MFA. ReliaQuest noted that log entries still appeared as a normal MFA flow, misleading defenders. Key indicators include the sess="CLI" signal (suggesting scripted/automated authentication), event IDs 238 and 1080, and VPN logins from suspicious VPS/VPN infrastructure. Last year, the Akira ransomware gang targeted SonicWall SSL VPN devices and logged in despite MFA being enabled, though the method was not confirmed.
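As an added example (not code from ReliaQuest or SonicWall), the indicators above turned into a small hunt over constructed SonicWall-style syslog lines: a login is reported only when sess="CLI" coincides with event ID 238 or 1080, and a UPN-format user name or a source in a VPS range is added as a further reason. The key names m=, sess=, usr= and src= follow common SonicWall syslog fields, and the VPS address range is a placeholder standing in for a real provider list.

```python
import ipaddress
import re

# Constructed sample lines in SonicWall-style key=value syslog format.
# Key names (m=, sess=, usr=, src=) follow common SonicWall syslog fields;
# serial, times, users and addresses are invented for illustration.
SAMPLE_LOGS = [
    'id=firewall sn=CONSTRUCTED time="2025-02-14 03:12:07" m=1080 sess="CLI" '
    'usr="j.doe@corp.example" src=198.51.100.23:51234:X1 msg="User login allowed"',
    'id=firewall sn=CONSTRUCTED time="2025-02-14 03:12:09" m=238 sess="CLI" '
    'usr="j.doe@corp.example" src=198.51.100.23:51234:X1 msg="SSL VPN login allowed"',
    'id=firewall sn=CONSTRUCTED time="2025-02-14 08:00:01" m=1080 sess="Web" '
    'usr="corp\\a.smith" src=203.0.113.9:44120:X1 msg="User login allowed"',
]

SUSPECT_EVENT_IDS = {"238", "1080"}  # event IDs named in the article
# Constructed placeholder for a VPS/VPN-provider address list (TEST-NET-2 range).
VPS_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Split a key=value syslog line into a dict, stripping surrounding quotes."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in KV_RE.findall(line)}

def is_upn(user):
    """True when the login name is in user@domain (UPN) format."""
    return bool(re.fullmatch(r"[^@\\\s]+@[^@\s]+\.[^@\s]+", user))

def flag_event(fields):
    """Return the reasons a login event matches the CVE-2024-12802 pattern."""
    # Anything else looks like a normal interactive MFA flow in the logs.
    if fields.get("sess") != "CLI" or fields.get("m") not in SUSPECT_EVENT_IDS:
        return []
    reasons = [f"sess=CLI with event id {fields['m']}"]
    if is_upn(fields.get("usr", "")):
        reasons.append("UPN-format login name")
    src_ip = fields.get("src", "").split(":")[0]  # strip port and interface
    try:
        if any(ipaddress.ip_address(src_ip) in net for net in VPS_RANGES):
            reasons.append(f"source {src_ip} in VPS/VPN range")
    except ValueError:
        pass  # missing or malformed src field
    return reasons

def hunt(lines):
    """Parse every line and keep (time, user, reasons) for those that trip an indicator."""
    parsed = (parse_line(line) for line in lines)
    return [(f.get("time"), f.get("usr"), r) for f in parsed if (r := flag_event(f))]
```

Feed the same function real appliance syslog and replace VPS_RANGES with your own reputation data; the sess="Web" line shows why the event ID alone is not enough to distinguish this from an ordinary MFA login.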
Addressing CVE-2024-12802
To fully remediate CVE-2024-12802 on Gen6 SonicWall devices, administrators must update the firmware and then follow these manual steps detailed in the vendor’s advisory:
- Delete the existing LDAP configuration using userPrincipalName in the “Qualified login name” field.
- Remove locally cached/listed LDAP users.
- Remove the configured SSL VPN “User Domain” (reverts to LocalDomain).
- Reboot the firewall.
- Recreate the LDAP configuration without userPrincipalName in “Qualified login name”.
- Create a fresh backup to avoid restoring the vulnerable LDAP configuration later.
ReliaQuest has high confidence that the attacker behind the analyzed intrusions gained initial access by exploiting this vulnerability across multiple sectors and geographies. Given that Gen6 appliances are now end-of-life, migrating to Gen7 or Gen8 devices is strongly recommended. Organizations still using Gen6 should prioritize the manual LDAP reconfiguration and consider accelerated migration plans to avoid long-term exposure.
FAQ
What is CVE-2024-12802 and which SonicWall devices are affected?
What steps must administrators take to fully remediate CVE-2024-12802 on Gen6 devices?
How did ReliaQuest detect the exploitation, and what indicators should defenders look for?
Prepared by the editorial stack from public data and external sources.