top of page

Attackers Bypass MFA on SonicWall VPNs Due to Flawed Prior Patch

  • May 22
  • 2 min read

Key Findings


  • SonicWall Gen6 SSL-VPN devices remain vulnerable to MFA bypass despite firmware patches because administrators are missing six required manual remediation steps

  • CVE-2024-12802 exploitation observed in-the-wild between February and March 2026, leading to ransomware-related intrusions across multiple organizations

  • Attackers successfully brute-forced VPN credentials and bypassed MFA, reaching internal file servers in some cases within 30 minutes

  • Gen6 devices reached end-of-life on April 16, 2026 and no longer receive security updates, creating urgent remediation pressure

  • Detection is difficult because exploitation uses an automated VPN session type that most organizations do not actively monitor


Background


The vulnerability stems from how SonicWall handles two different Active Directory login formats: UPN (User Principal Name, formatted like an email) and SAM (Security Account Manager, the older format). The critical flaw is that MFA enforcement is applied to each login format independently rather than to the actual user identity. This means an attacker who knows valid credentials can authenticate using the UPN path even when MFA is configured because enforcement for that specific path is missing.


The Incomplete Patch Problem


Firmware updates exist for Gen6 devices, but they do not automatically remove the vulnerable LDAP configuration that allows the bypass. The existing configuration remains in place after patching. Full remediation requires administrators to manually delete the configuration entirely and rebuild it without the userPrincipalName format that exploits rely on. SonicWall's advisory specifies six additional manual steps that standard patch management workflows are not designed to verify. This creates a dangerous situation where systems appear fully patched and secure but remain vulnerable.


Attack Pattern and Speed


ReliaQuest researchers observed consistent attack patterns across multiple incidents. Attackers brute-forced VPN accounts with remarkable efficiency, sometimes needing as few as 13 attempts to obtain valid credentials. After gaining initial access, they bypassed MFA and moved rapidly through networks. In one documented case, an attacker went from initial VPN access to establishing an RDP connection on a domain-joined file server and attempting Cobalt Strike deployment in under thirty minutes. In some incidents, attackers behaved like initial access brokers, deliberately logging out and returning days later through different accounts to assess victim value rather than executing immediate ransomware attacks.


Detection Challenges


The exploitation uses a specific automated VPN session type in logs that most organizations are unlikely to be monitoring today. This logging pattern is consistent across intrusions, but the lack of visibility into these session types means many compromises may go undetected. When endpoint protection was present, it successfully blocked follow-on activities like vulnerable driver loading, but the initial compromise had already succeeded.


Broader Implications for Gen7 and Gen8


The issue is specific to Gen6 hardware, which complicates the situation further because these devices reached end-of-life on April 16, 2026 and no longer receive security updates. Gen7 and Gen8 devices are not vulnerable to the same attack after updating to versions 7.2.0-7015 and 8.0.1-8017 respectively, as the remediation steps have been incorporated directly into the firmware.


Sources


  • https://securityaffairs.com/192477/hacking/attackers-are-bypassing-mfa-on-sonicwall-vpns-because-something-was-wrong-with-previous-fix.html

  • https://x.com/securityaffairs/status/2057468929837023316

  • https://www.reddit.com/r/InfoSecNews/comments/1tjph99/attackers_are_bypassing_mfa_on_sonicwall_vpns

  • https://community.opentextcybersecurity.com/vulnerability-vault-228/attackers-are-bypassing-mfa-on-sonicwall-vpns-because-something-was-wrong-with-previous-fix-364378

  • https://www.linkedin.com/posts/pierluigipaganini_attackers-are-bypassing-mfa-on-sonicwall-activity-7463234634139508738-qFVE

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page