HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Attackers Bypass MFA on SonicWall Gen6 VPNs Exploiting CVE‑2024‑12802, Leading to Ransomware Intrusions

Researchers have confirmed in‑the‑wild exploitation of CVE‑2024‑12802, an authentication bypass in SonicWall Gen6 VPNs that nullifies MFA when LDAP configurations are not fully remediated. The flaw has enabled brute‑force attacks and ransomware‑related intrusions across multiple organizations, highlighting a critical gap in patch‑and‑configure processes for third‑party network security devices.

LiveThreat™ Intelligence · 📅 May 22, 2026· 📰 securityaffairs.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
securityaffairs.com

Attackers Bypass MFA on SonicWall Gen6 VPNs Exploiting CVE‑2024‑12802, Leading to Ransomware Intrusions

What Happened — Researchers observed the first in‑the‑wild exploitation of CVE‑2024‑12802 on SonicWall Gen6 SSL‑VPN appliances. The flaw allows authentication bypass of MFA when the LDAP configuration is not fully remediated, enabling brute‑force attacks that lead to ransomware‑related intrusions.

Why It Matters for TPRM

  • MFA bypass defeats a core security control many third‑party vendors rely on.
  • Incomplete patching workflows leave “fixed” devices vulnerable, increasing supply‑chain risk.
  • Rapid post‑compromise movement (file‑server access in <30 min) shows high impact potential for client environments.

Who Is Affected — Organizations using SonicWall Gen6 VPN appliances across finance, healthcare, technology, and other sectors; MSPs that manage these devices for customers.

Recommended Actions — Verify that SonicWall devices have not only the latest firmware but also the six manual remediation steps applied; audit LDAP configurations for lingering UPN entries; enforce monitoring of automated VPN authentication sessions; consider temporary MFA enforcement via alternative mechanisms.

Technical Notes — The vulnerability stems from separate MFA enforcement for UPN and SAM login formats. Patch removes the firmware bug but leaves the LDAP config that permits UPN‑based bypass. Attackers brute‑force credentials (as few as 13 attempts) and then move laterally, deploying ransomware staging tools. Source: SecurityAffairs

📰 Original Source
https://securityaffairs.com/192477/hacking/attackers-are-bypassing-mfa-on-sonicwall-vpns-because-something-was-wrong-with-previous-fix.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →