HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High ThreatIntel

Hackers Bypass SonicWall Gen6 VPN MFA via Incomplete Patch for CVE‑2024‑12802

Threat actors leveraged CVE‑2024‑12802 to bypass MFA on SonicWall Gen6 SSL‑VPN appliances that had been updated but not fully reconfigured. The breach highlights the risk of incomplete vendor patching for third‑party risk management.

LiveThreat™ Intelligence · 📅 May 21, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
3 recommended
📰
Source
bleepingcomputer.com

Hackers Bypass SonicWall Gen6 VPN MFA via Incomplete Patch for CVE‑2024‑12802

What Happened — Threat actors brute‑forced credentials and exploited CVE‑2024‑12802 on SonicWall Gen6 SSL‑VPN appliances, bypassing multi‑factor authentication (MFA) despite the firmware being updated. The attackers performed rapid reconnaissance, accessed internal file servers, and attempted to deploy Cobalt Strike beacons before endpoint protection blocked them.

Why It Matters for TPRM

  • In‑complete remediation leaves “patched” devices vulnerable, exposing third‑party networks to credential‑theft and ransomware footholds.
  • MFA bypass undermines a core security control many organizations rely on when evaluating vendors.
  • The incident demonstrates that vendor advisories may require manual configuration steps beyond simple firmware upgrades.

Who Is Affected — Enterprises using SonicWall Gen6 SSL‑VPN appliances (financial services, healthcare, SaaS providers, government agencies, etc.).

Recommended Actions

  • Verify that SonicWall Gen6 devices have both the latest firmware and the required LDAP re‑configuration per SonicWall advisory.
  • Conduct a focused audit of VPN MFA implementations across all third‑party connections.
  • Deploy network‑level monitoring for anomalous VPN logins and enforce strict credential rotation.

Technical Notes — The vulnerability stems from a missing MFA enforcement for the UPN login format, allowing valid credentials to authenticate without MFA. Exploitation required only a brute‑forced credential set; no additional zero‑day exploit. Attackers used Cobalt Strike and a BYOVD driver, which were blocked by existing EDR. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/hackers-bypass-sonicwall-vpn-mfa-due-to-incomplete-patching/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →