Attackers Bypass MFA on SonicWall Gen6 VPNs Exploiting CVE‑2024‑12802, Leading to Ransomware Intrusions
What Happened — Researchers observed the first in‑the‑wild exploitation of CVE‑2024‑12802 on SonicWall Gen6 SSL‑VPN appliances. The flaw allows authentication bypass of MFA when the LDAP configuration is not fully remediated, enabling brute‑force attacks that lead to ransomware‑related intrusions.
Why It Matters for TPRM —
- MFA bypass defeats a core security control many third‑party vendors rely on.
- Incomplete patching workflows leave “fixed” devices vulnerable, increasing supply‑chain risk.
- Rapid post‑compromise movement (file‑server access in <30 min) shows high impact potential for client environments.
Who Is Affected — Organizations using SonicWall Gen6 VPN appliances across finance, healthcare, technology, and other sectors; MSPs that manage these devices for customers.
Recommended Actions — Verify that SonicWall devices have not only the latest firmware but also the six manual remediation steps applied; audit LDAP configurations for lingering UPN entries; enforce monitoring of automated VPN authentication sessions; consider temporary MFA enforcement via alternative mechanisms.
Technical Notes — The vulnerability stems from separate MFA enforcement for UPN and SAM login formats. Patch removes the firmware bug but leaves the LDAP config that permits UPN‑based bypass. Attackers brute‑force credentials (as few as 13 attempts) and then move laterally, deploying ransomware staging tools. Source: SecurityAffairs