
SonicWall VPN MFA Bypass: Patching Alone Isn't Enough

Manaal Khan, 21 May 2026 at 3:08 am, 5 min read

Key Takeaways

Source: BleepingComputer
  • Firmware updates alone don't fix CVE-2024-12802 on SonicWall Gen6 devices. Manual LDAP reconfiguration is required.
  • Attackers are exploiting this gap to bypass MFA, conduct reconnaissance, and deploy ransomware tools within 30-60 minutes.
  • Gen7 and Gen8 devices only need the firmware update. Gen6 requires additional steps including deleting LDAP configurations.

The Incomplete Patch Problem

Security researchers at ReliaQuest have documented what they believe is the first in-the-wild exploitation of CVE-2024-12802. The vulnerability allows attackers to bypass multi-factor authentication on SonicWall SSL-VPN appliances. The catch: many organizations think they're protected because they installed the firmware update. They're not.

SonicWall's own security advisory warns that on Gen6 devices, the firmware update alone does not fully mitigate the vulnerability. Administrators must also manually reconfigure their LDAP server settings. Without this step, MFA protection can be bypassed entirely.

ReliaQuest responded to multiple intrusions between February and March 2026. In each case, the devices appeared patched because they ran updated firmware. But the required remediation steps had not been completed, leaving the door wide open.


How the Attacks Unfold

The attack pattern is methodical. Threat actors brute-force VPN credentials, then exploit CVE-2024-12802 to bypass MFA. Once inside, they work fast. ReliaQuest observed attackers taking between 30 and 60 minutes to log in, conduct network reconnaissance, test credential reuse on internal systems, and log out.

In one incident, an attacker reached a domain-joined file server in just 30 minutes. They then established a remote connection over RDP using a shared local administrator password. The goal: deploy Cobalt Strike, a post-exploitation framework commonly used for command-and-control communication in ransomware operations.

[Figure: ReliaQuest's diagram showing the observed attack flow from VPN compromise to lateral movement]

The attackers also attempted to load a vulnerable driver. This technique, known as Bring Your Own Vulnerable Driver (BYOVD), aims to disable endpoint protection. In the documented incident, the organization's EDR solution blocked both the Cobalt Strike beacon and the driver loading attempt.

Initial Access Broker Suspected

The attack behavior suggests these aren't the ransomware operators themselves. ReliaQuest observed attackers deliberately logging out and then returning days later, sometimes using different accounts. This pattern points to an initial access broker. These actors specialize in compromising networks and selling that access to ransomware groups.

SonicWall VPN devices have been ransomware targets before. Last year, the Akira ransomware gang targeted SonicWall SSL VPN devices and logged in despite MFA being enabled. The exact method was never confirmed, but CVE-2024-12802 may explain how.

The Root Cause

CVE-2024-12802 exists because MFA is not enforced for the User Principal Name (UPN) login format. An attacker with valid credentials can authenticate directly using the UPN format and skip the MFA challenge entirely. The firmware update fixes the code. The LDAP reconfiguration clears cached authentication paths that can still bypass the fix.
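To show the bug class in isolation, here is an added illustration (not SonicWall's code) of an MFA policy keyed on one spelling of a login name, beside a version that normalizes every accepted spelling first. The directory, the UPN suffix map and the account names are constructed for the example.

```python
# Added illustration of the bug class behind CVE-2024-12802 (MFA policy keyed on
# one login-name spelling, so another valid spelling of the same account skips
# it). This is not SonicWall's code; the directory and suffix map are constructed.
UPN_SUFFIXES = {"corp.example.com": "corp"}        # UPN suffix -> NetBIOS domain
MFA_REQUIRED = {"corp\\jdoe": True, "corp\\svc-backup": False}  # constructed policy

def canonical_identity(login: str) -> str:
    """Collapse DOMAIN\\user, user@suffix and bare user into one lookup key."""
    login = login.strip().lower()
    if "\\" in login:
        domain, user = login.split("\\", 1)
        return f"{domain}\\{user}"
    if "@" in login:
        user, suffix = login.rsplit("@", 1)
        return f"{UPN_SUFFIXES.get(suffix, suffix)}\\{user}"
    return f"corp\\{login}"                    # assumed default domain

def mfa_required_vulnerable(login: str) -> bool:
    # Defect: the lookup uses the raw string. "jdoe@corp.example.com" never
    # matches "corp\\jdoe", and a missing entry is treated as "no MFA".
    return MFA_REQUIRED.get(login.lower(), False)

def mfa_required_fixed(login: str) -> bool:
    # Normalize every accepted spelling first, and fail closed on unknown accounts.
    return MFA_REQUIRED.get(canonical_identity(login), True)
```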

Gen7 and Gen8 SonicWall devices don't have this problem. On those models, updating the firmware fully removes the vulnerability. The extra steps only apply to Gen6 hardware.

Required Remediation Steps for Gen6

If you're running SonicWall Gen6 SSL-VPN appliances, patching the firmware is step one, not the finish line. SonicWall's advisory details the required manual steps:

  1. Update to the latest firmware version
  2. Delete the existing LDAP configuration that uses userPrincipalName in the "Qualified login name" field
  3. Remove locally cached/listed LDAP users
  4. Remove the configured SSL VPN settings tied to the old LDAP configuration
  5. Recreate the LDAP and SSL VPN configurations from scratch

Skipping any of these steps leaves the vulnerability exploitable. The devices will show updated firmware versions. Security scans may report them as patched. But attackers can still bypass MFA.
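An added audit script (not SonicWall tooling) that applies the five steps above to a device inventory and contrasts what a firmware-version-only scan would report with the actual remediation state. The inventory records and their field names are constructed for this example; a real run would populate them from your own configuration exports.

```python
# Added example (not SonicWall tooling): flag Gen6 appliances that a version-only
# scan calls "patched" but that still carry the pre-fix LDAP configuration.
# The inventory and its field names are constructed for this example.
INVENTORY = [  # constructed records, not real devices
    {"name": "fw-branch-1", "generation": "gen6", "firmware_patched": True,
     "ldap_uses_upn_qualified_login": True, "cached_ldap_users": 42,
     "sslvpn_settings_recreated": False},
    {"name": "fw-branch-2", "generation": "gen6", "firmware_patched": True,
     "ldap_uses_upn_qualified_login": False, "cached_ldap_users": 0,
     "sslvpn_settings_recreated": True},
    {"name": "fw-hq", "generation": "gen7", "firmware_patched": True,
     "ldap_uses_upn_qualified_login": True, "cached_ldap_users": 10,
     "sslvpn_settings_recreated": False},
]

def outstanding_steps(dev: dict) -> list:
    """Return the advisory steps still open for one device."""
    steps = [] if dev["firmware_patched"] else ["1: update firmware"]
    if dev["generation"] != "gen6":
        return steps                     # Gen7/Gen8: the firmware update is the whole fix
    if dev["ldap_uses_upn_qualified_login"]:
        steps.append("2: delete LDAP config using userPrincipalName as qualified login name")
    if dev["cached_ldap_users"]:
        steps.append("3: remove locally cached LDAP users")
    if not dev["sslvpn_settings_recreated"]:
        steps.append("4-5: remove old SSL VPN settings, recreate LDAP and SSL VPN config")
    return steps

def audit(inventory) -> dict:
    """Compare what a firmware-version check reports with the real state."""
    report = {}
    for dev in inventory:
        steps = outstanding_steps(dev)
        report[dev["name"]] = {
            "scanner_says": "patched" if dev["firmware_patched"] else "unpatched",
            "actual": "remediated" if not steps else "still exploitable",
            "outstanding": steps,
        }
    return report
```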

What to Do Now

Check every SonicWall Gen6 device in your environment. Verify that both the firmware update and the LDAP reconfiguration have been completed. If you updated the firmware but skipped the manual steps, your devices are still vulnerable.

Review VPN logs for unusual patterns. The 30-60 minute reconnaissance window followed by a deliberate logout is a red flag. Multiple logins with different accounts from the same source over several days are another indicator of initial access broker activity.
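The two log patterns just described, as an added detection example that is not ReliaQuest's or SonicWall's tooling: it pairs logins with logouts, flags sessions closed 30-60 minutes after login, and lists sources that returned on different days with different accounts. The log format and the log lines are constructed for this example; adapt LOG_RE to your appliance's syslog format.

```python
# Added detection example for the VPN-log pattern described above (not
# ReliaQuest's or SonicWall's tooling). The log format and the log lines are
# constructed for this example; adapt LOG_RE to your appliance's syslog format.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = [  # constructed records
    "2026-02-10T02:05:11Z VPN login user=jdoe src=203.0.113.7",
    "2026-02-10T02:47:40Z VPN logout user=jdoe src=203.0.113.7",
    "2026-02-10T08:00:00Z VPN login user=mlee src=198.51.100.4",
    "2026-02-10T17:30:00Z VPN logout user=mlee src=198.51.100.4",
    "2026-02-13T03:12:02Z VPN login user=asmith src=203.0.113.7",
    "2026-02-13T03:59:30Z VPN logout user=asmith src=203.0.113.7",
]
LOG_RE = re.compile(r"^(\S+) VPN (login|logout) user=(\S+) src=(\S+)$")

def parse_sessions(lines):
    """Pair each logout with the open login of the same user from the same source."""
    open_logins, sessions = {}, []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                                  # skip unrelated lines
        ts, event, user, src = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if event == "login":
            open_logins[(user, src)] = when
        elif (user, src) in open_logins:
            sessions.append({"user": user, "src": src,
                             "start": open_logins.pop((user, src)), "end": when})
    return sessions

def short_recon_sessions(sessions, low_min=30, high_min=60):
    """Sessions closed by an explicit logout 30-60 minutes after login."""
    return [s for s in sessions
            if timedelta(minutes=low_min) <= s["end"] - s["start"] <= timedelta(minutes=high_min)]

def returning_multi_account_sources(sessions):
    """Sources seen on more than one day using more than one account."""
    users, days = defaultdict(set), defaultdict(set)
    for s in sessions:
        users[s["src"]].add(s["user"])
        days[s["src"]].add(s["start"].date())
    return sorted(src for src in users if len(users[src]) > 1 and len(days[src]) > 1)
```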

If you're evaluating hardware refresh cycles, note that Gen7 and Gen8 devices don't require the extra remediation steps. The firmware-only fix may be worth factoring into upgrade decisions.

Frequently Asked Questions

Why doesn't the SonicWall firmware update fix CVE-2024-12802 completely?

On Gen6 devices, cached LDAP configurations can still allow UPN-format authentication to bypass MFA even after the code fix. Manual deletion and recreation of LDAP settings is required to close this path.

Are SonicWall Gen7 and Gen8 devices affected the same way?

No. Gen7 and Gen8 devices only require the firmware update. The additional LDAP reconfiguration steps apply only to Gen6 hardware.

How can I tell if my SonicWall device was exploited?

Look for VPN logins followed by rapid internal reconnaissance, RDP connections using shared credentials, and deliberate logouts followed by returns days later. ReliaQuest observed 30-60 minute activity windows.

What is the Bring Your Own Vulnerable Driver (BYOVD) technique?

Attackers load a legitimate but vulnerable driver onto the system, then exploit that driver to disable security tools like EDR. It's a common tactic in ransomware attacks to neutralize endpoint protection.

Is this vulnerability being used in ransomware attacks?

The observed activity suggests initial access brokers are using this exploit to gain network access, which they then sell to ransomware groups. Akira ransomware previously targeted SonicWall VPNs with similar MFA bypass techniques.
