SonicWall Gen6 VPN patched—yet MFA still got bypassed

ReliaQuest says hackers exploited CVE-2024-12802 against SonicWall Gen6 SSL-VPN appliances by brute-forcing credentials and slipping past MFA, even in environments where the devices showed updated firmware. The critical detail: for Gen6, installing the firmwar
By the time the hacker’s session started to look normal on paper, the damage had already begun.
ReliaQuest investigated multiple intrusions between February and March and assessed them “with medium confidence to be the first in-the-wild exploitation of CVE-2024-12802” targeting SonicWall devices across multiple environments. In those cases, the attacker brute-forced VPN credentials, bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances, then moved with the kind of quiet efficiency that makes incident response feel like chasing shadows.
In at least one observed pattern, the intruder needed only 30 to 60 minutes to complete a cycle of activity: log in, conduct network reconnaissance, test credential reuse on internal systems, and log out.
That timing matters because it matches what defenders dread most—access that doesn’t look exotic. ReliaQuest says the rogue login attempts the team observed still appeared as a normal MFA flow in logs, leading defenders to believe MFA worked even when it failed.
The vulnerability and the patch didn’t match reality for Gen6
SonicWall warned in a security advisory for CVE-2024-12802 that installing the firmware update alone on Gen6 devices does not fully mitigate the vulnerability. A manual LDAP server reconfiguration is required. If that remediation isn’t completed, the possibility remains of bypassing MFA protection.
ReliaQuest’s findings land squarely on that point. In the environments it investigated, devices appeared to be patched because they were running updated firmware. Yet they remained vulnerable because the required remediation steps had not been finished.
On Gen7 and Gen8 devices, the story is different: simply updating to a newer firmware version is enough to fully remove the risk from exploiting CVE-2024-12802.
CVE-2024-12802 works by leaving a doorway open in how UPN login is enforced. The vulnerability stems from a missing MFA enforcement for the UPN login format—so an attacker with valid credentials can authenticate directly and bypass the MFA requirement.
SonicWall’s Gen6 remediation instructions are specific, and skipping any of them is where the problem can persist. The steps detailed in the vendor’s advisory include:
1. Delete the existing LDAP configuration that uses userPrincipalName in the “Qualified login name” field.
2. Remove locally cached/listed LDAP users.
3. Remove the configured SSL VPN “User Domain” (this reverts it to LocalDomain).
4. Reboot the firewall.
5. Recreate the LDAP configuration without userPrincipalName in “Qualified login name”.
6. Create a fresh backup so that a later restore does not reintroduce the vulnerable LDAP configuration.
ReliaQuest says it has high confidence the threat actor behind the analyzed intrusions gained initial access by exploiting CVE-2024-12802 “across multiple sectors and geographies.”
Inside the intrusions: fast access, then tools aimed at ransomware-style operations
Once inside, the intruder didn’t linger in the VPN layer. ReliaQuest says that in one incident, the hacker gained access to the internal network and reached a domain-joined file server in as little as half an hour. They then established a remote connection over RDP using a shared local administrator password.
ReliaQuest also found attempts to deploy a Cobalt Strike beacon, a post-exploitation framework used for command-and-control (C2) communication. The researchers say the attacker also tried to use a vulnerable driver—likely to disable endpoint protection through the Bring Your Own Vulnerable Driver (BYOVD) technique.
But the outcome wasn’t clean. The installed endpoint detection and response (EDR) solution blocked the beacon and the loading of the driver.
Signals that defenders can hunt
One of the most troubling parts of the activity is how it can look legitimate while it’s happening. ReliaQuest notes that the pattern of deliberate logout actions, followed by logging in again days later—sometimes using different accounts—suggests a broker model, with initial access being sold on to threat groups.
To detect this kind of scripted authentication, ReliaQuest points to the sess="CLI" signal as a key indicator. It also names other strong signals: event IDs 238 and 1080, along with VPN logins from suspicious VPS/VPN infrastructure.
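The two hunt signals above, turned into a small log check. This is an added example written for this article, not code from ReliaQuest or SonicWall; it assumes SonicWall-style key=value syslog lines in which m= carries the event ID, sess= the session type, usr= the account and src= the client address, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Login-allowed event IDs named in the ReliaQuest guidance quoted above.
LOGIN_EVENT_IDS = {"238", "1080"}

# Constructed sample lines in SonicWall-style key=value syslog layout.
# Assumption: m= is the event ID, sess= the session type, usr= the account,
# src= the client address. Timestamps, names and addresses are made up.
SAMPLE_LOGS = [
    'time="2025-03-01 02:10:05" m=238 sess="CLI" usr="jdoe" src=203.0.113.7',
    'time="2025-03-01 09:00:00" m=1080 sess="Web" usr="asmith" src=192.0.2.10',
    'time="2025-03-04 03:15:22" m=238 sess="CLI" usr="mlee" src=203.0.113.7',
    'time="2025-03-05 08:30:00" m=1080 sess="Web" usr="asmith" src=192.0.2.10',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def find_cli_logins(lines):
    """Signal 1: successful VPN logins whose session type is CLI, not Web."""
    hits = []
    for ev in map(parse_line, lines):
        if ev.get("m") in LOGIN_EVENT_IDS and ev.get("sess") == "CLI":
            hits.append((ev["time"], ev["usr"], ev["src"]))
    return hits


def find_multi_account_sources(lines, min_gap_days=1):
    """Signal 2: one client address logging in with different accounts on
    different days, the broker-style reuse pattern the article describes."""
    by_src = defaultdict(list)
    for ev in map(parse_line, lines):
        if ev.get("m") in LOGIN_EVENT_IDS:
            ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
            by_src[ev["src"]].append((ts, ev["usr"]))
    flagged = {}
    for src, logins in by_src.items():
        logins.sort()
        users = {u for _, u in logins}
        span_days = (logins[-1][0] - logins[0][0]).days
        if len(users) > 1 and span_days >= min_gap_days:
            flagged[src] = sorted(users)
    return flagged


if __name__ == "__main__":
    for hit in find_cli_logins(SAMPLE_LOGS):
        print("CLI-session VPN login:", hit)
    for src, users in find_multi_account_sources(SAMPLE_LOGS).items():
        print("source reused across accounts:", src, users)
```

Point the functions at exported SonicWall syslog instead of SAMPLE_LOGS and feed the flagged sources into the VPS/VPN infrastructure check the article mentions.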
The clock is already running for older appliances
The risk lands harder because Gen6 SSL-VPN appliances have already reached end-of-life this year on April 16 and no longer receive security updates.
ReliaQuest and SonicWall’s own guidance both point in the same direction: defenders should update Gen6 devices with the latest firmware and complete the required remediation steps—and, more broadly, move to more recent, actively supported versions to avoid being trapped by aging systems.
Last year, the Akira ransomware gang targeted SonicWall SSL VPN devices and logged in despite MFA being enabled on accounts, but the method was not confirmed. This time, the details of how MFA was bypassed are clearer—because the intrusion wasn’t just about missing updates. It was about a patch that wasn’t enough on its own.