
SonicWall SSL VPN Vulnerability CVE-2024-12802 Actively Exploited Despite Patching

Severity: High (Score: 72.6)

Sources: reliaquest.com, Cybersecuritydive

Published: 2026-05-19 · Updated: 2026-05-20

Keywords: sonicwall, threat, protected, patch, bypass, spotlight, exploitation

Severity indicators: ot

Summary

A wave of attacks exploiting CVE-2024-12802, an authentication bypass vulnerability in SonicWall SSL VPN appliances, began in February 2026. Despite a firmware patch issued in 2025, attackers were able to bypass multifactor authentication (MFA) using brute-force techniques without triggering alerts. ReliaQuest identified multiple incidents where attackers accessed internal networks within minutes, deploying pre-ransomware tools. The vulnerability affects Gen6 devices, which require six additional manual reconfiguration steps for full remediation. SonicWall's advisory did not emphasize these steps, leading to a false sense of security among users. The flaw was rated 6.5 by SonicWall but assessed as critical (9.1) by CISA. The attacks are consistent with tactics used by the Akira ransomware group, which previously targeted SonicWall customers. Gen6 appliances reached end-of-life status on April 16, 2026, meaning they are no longer supported.

Key Points:

  • CVE-2024-12802 allows MFA bypass in SonicWall SSL VPN appliances.
  • Attackers exploited the vulnerability using brute-force methods without triggering alerts.
  • Gen6 devices require six additional steps for complete remediation post-patch.

Detailed Analysis

**Impact** Small and medium-sized businesses using SonicWall SSL VPN appliances, particularly Gen6 devices, are affected globally. Exploitation has been observed across multiple environments since February 2026, enabling attackers to gain initial network access and deploy pre-ransomware tools within 30 minutes. The vulnerability reduces VPN security to single-factor authentication, increasing risk to internal systems and sensitive data. Gen6 devices reached end-of-life in April 2026, removing vendor support.

**Technical Details** CVE-2024-12802 is an authentication bypass vulnerability in SonicWall SSL VPN appliances that allows attackers to bypass multifactor authentication by exploiting separate handling of User Principal Name and Security Account Manager account names via LDAP integration. Attackers used automated brute-force tools to guess credentials silently, with no failed login alerts, and exploited a specific VPN session type (sess="CLI") associated with automated authentication. The attacks align with ransomware group Akira’s TTPs, targeting Gen6 devices where firmware patches alone do not fully remediate the issue.

**Recommended Response** Apply the SonicWall firmware patch and complete all six additional manual reconfiguration steps on Gen6 devices to fully remediate the vulnerability. Enable monitoring for the sess="CLI" session type in VPN logs to detect automated brute-force attempts early. Audit VPN account privileges and verify MFA effectiveness beyond firmware version checks. Organizations still using Gen6 devices should consider upgrading due to end-of-life status and lack of support.
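One way to implement the sess="CLI" monitoring recommended above, as an added example that is not code from ReliaQuest, SonicWall or this page. The log lines are constructed; the key=value layout, the field names other than sess, and the mixed-name-form heuristic (the same account seen in both SAM and UPN form) are assumptions to check against your own appliance's syslog export.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real captures). The key=value layout and the
# field names sess, usr, src, msg and time are assumptions about the log export.
SAMPLE_LOG = '''\
time="2026-02-10 03:14:07" msg="SSL VPN zone remote user login allowed" sess="CLI" usr="jdoe" src=198.51.100.23:51234:X1
time="2026-02-10 03:14:09" msg="SSL VPN zone remote user login allowed" sess="CLI" usr="jdoe@corp.example" src=198.51.100.23:51240:X1
time="2026-02-10 08:30:41" msg="SSL VPN zone remote user login allowed" sess="Web" usr="asmith" src=192.0.2.77:60211:X1
time="2026-02-10 09:02:15" msg="Administrator login allowed" sess="CLI" usr="admin" src=10.0.0.5:50022:X0
time="2026-02-10 09:05:00" msg="SSL VPN zone remote user login allowed" sess="CLI" usr="svc-backup" src=198.51.100.23:51302:X1
'''

# key=value pairs whose value is either "quoted text" or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def base_account(usr):
    """Reduce user@domain (UPN) or DOMAIN\\user to the bare account name."""
    return usr.split("@")[0].split("\\")[-1].lower()

def cli_vpn_logins(log_text, msg_filter="SSL VPN"):
    """Group SSL VPN events carrying sess="CLI" by source IPv4 address."""
    by_src = defaultdict(lambda: {"events": 0, "users": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("sess") != "CLI" or msg_filter not in f.get("msg", ""):
            continue
        entry = by_src[f.get("src", "unknown").split(":")[0]]
        entry["events"] += 1
        entry["users"].add(f.get("usr", ""))
        entry["first"] = entry["first"] or f.get("time")
        entry["last"] = f.get("time")
    return dict(by_src)

def mixed_name_forms(users):
    """Accounts seen under more than one name format (e.g. SAM and UPN)."""
    forms = defaultdict(set)
    for usr in users:
        forms[base_account(usr)].add(usr)
    return {base: names for base, names in forms.items() if len(names) > 1}

if __name__ == "__main__":
    for ip, e in cli_vpn_logins(SAMPLE_LOG).items():
        print(ip, e["events"], sorted(e["users"]), e["first"], e["last"])
        print("  mixed name forms:", mixed_name_forms(e["users"]))
```

Because the page reports that the brute-force attempts produced no failed-login alerts, the filter keys on the session type of SSL VPN events rather than on failure counts; the administrative CLI login and the Web-session login in the sample are deliberately excluded.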

Source articles (2)

  • Threat Spotlight Vpn Exploitation When Patched Doesnt Mean Protected — reliaquest.com · 2026-05-19
    A firmware patch doesn’t always equal full remediation—CVE-2024-12802, an authentication bypass in SonicWall SSL VPN appliances, requires six additional manual reconfiguration steps on Gen6 devices af…
  • Patch bypass allows hackers to exploit prior flaw in SonicWall SSL — Cybersecuritydive · 2026-05-19
    Researchers said a wave of attacks began in February targeting firewalls that appeared to be protected. A threat group has successfully been exploiting a two-year-old vulnerability in SonicWall SSL-VP…

Timeline

  • 2023-10-10 — CVE-2023-4966 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2025-01-09 — CVE-2024-12802 published: SonicWall disclosed an authentication bypass vulnerability affecting SSL VPN appliances.
  • 2026-02-01 — Exploitation begins: Attackers started exploiting CVE-2024-12802, bypassing MFA in SonicWall devices.
  • 2026-04-16 — Gen6 appliances reach end-of-life: SonicWall announced that Gen6 devices would no longer receive support or updates.
  • 2026-05-19 — ReliaQuest report released: ReliaQuest published findings on the ongoing exploitation of CVE-2024-12802, detailing attack patterns.

CVEs

  • CVE-2023-4966
  • CVE-2024-12802

Related entities

  • Brute Force (Attack Type)
  • Ransomware (Attack Type)
  • Sonicwall (Company)
  • CWE-287 - Improper Authentication (Cwe)
  • error.in (Domain)
  • Cobalt Strike (Malware)
  • 2a461175f181e0440e0ff45d5fb60939 (Md5)
  • 6a6aaeed4a6bbe82a08d197f5d40c259 (Md5)
  • T1021.001 - Remote Desktop Protocol (Mitre Attack)
  • T1021 - Remote Services (Mitre Attack)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1078 - Valid Accounts (Mitre Attack)
  • T1110 - Brute Force (Mitre Attack)
  • T1133 - External Remote Services (Mitre Attack)
  • T1562 - Impair Defenses (Mitre Attack)
  • Active Directory (Platform)
  • LDAP (Platform)
  • Lightweight Directory Access Protocol (Platform)
  • Microsoft Active Directory (Platform)
  • SonicWall Ssl-vpn Appliances (Platform)
  • SonicWall SSL VPN Appliances (Platform)
  • Akira (Ransomware Group)
  • Akira Group (Ransomware Group)
  • Citrix Bleed (Campaign)