Hackers Bypass SonicWall Gen6 VPN MFA via Incomplete Patch for CVE‑2024‑12802
What Happened — Threat actors brute‑forced credentials and exploited CVE‑2024‑12802 on SonicWall Gen6 SSL‑VPN appliances, bypassing multi‑factor authentication (MFA) despite the firmware being updated. The attackers performed rapid reconnaissance, accessed internal file servers, and attempted to deploy Cobalt Strike beacons before endpoint protection blocked them.
Why It Matters for TPRM —
- In‑complete remediation leaves “patched” devices vulnerable, exposing third‑party networks to credential‑theft and ransomware footholds.
- MFA bypass undermines a core security control many organizations rely on when evaluating vendors.
- The incident demonstrates that vendor advisories may require manual configuration steps beyond simple firmware upgrades.
Who Is Affected — Enterprises using SonicWall Gen6 SSL‑VPN appliances (financial services, healthcare, SaaS providers, government agencies, etc.).
Recommended Actions —
- Verify that SonicWall Gen6 devices have both the latest firmware and the required LDAP re‑configuration per SonicWall advisory.
- Conduct a focused audit of VPN MFA implementations across all third‑party connections.
- Deploy network‑level monitoring for anomalous VPN logins and enforce strict credential rotation.
Technical Notes — The vulnerability stems from a missing MFA enforcement for the UPN login format, allowing valid credentials to authenticate without MFA. Exploitation required only a brute‑forced credential set; no additional zero‑day exploit. Attackers used Cobalt Strike and a BYOVD driver, which were blocked by existing EDR. Source: BleepingComputer