Attackers Bypass MFA on SonicWall VPNs Due to Flawed Prior Patch
- May 22
- 2 min read
Key Findings
SonicWall Gen6 SSL-VPN devices remain vulnerable to MFA bypass despite firmware patches because administrators are missing six required manual remediation steps
CVE-2024-12802 exploitation observed in-the-wild between February and March 2026, leading to ransomware-related intrusions across multiple organizations
Attackers successfully brute-forced VPN credentials and bypassed MFA, reaching internal file servers in some cases within 30 minutes
Gen6 devices reached end-of-life on April 16, 2026 and no longer receive security updates, creating urgent remediation pressure
Detection is difficult because exploitation uses an automated VPN session type that most organizations do not actively monitor
Background
The vulnerability stems from how SonicWall handles two different Active Directory login formats: UPN (User Principal Name, formatted like an email) and SAM (Security Account Manager, the older format). The critical flaw is that MFA enforcement is applied to each login format independently rather than to the actual user identity. This means an attacker who knows valid credentials can authenticate using the UPN path even when MFA is configured because enforcement for that specific path is missing.
The Incomplete Patch Problem
Firmware updates exist for Gen6 devices, but they do not automatically remove the vulnerable LDAP configuration that allows the bypass. The existing configuration remains in place after patching. Full remediation requires administrators to manually delete the configuration entirely and rebuild it without the userPrincipalName format that exploits rely on. SonicWall's advisory specifies six additional manual steps that standard patch management workflows are not designed to verify. This creates a dangerous situation where systems appear fully patched and secure but remain vulnerable.
Attack Pattern and Speed
ReliaQuest researchers observed consistent attack patterns across multiple incidents. Attackers brute-forced VPN accounts with remarkable efficiency, sometimes needing as few as 13 attempts to obtain valid credentials. After gaining initial access, they bypassed MFA and moved rapidly through networks. In one documented case, an attacker went from initial VPN access to establishing an RDP connection on a domain-joined file server and attempting Cobalt Strike deployment in under thirty minutes. In some incidents, attackers behaved like initial access brokers, deliberately logging out and returning days later through different accounts to assess victim value rather than executing immediate ransomware attacks.
Detection Challenges
The exploitation uses a specific automated VPN session type in logs that most organizations are unlikely to be monitoring today. This logging pattern is consistent across intrusions, but the lack of visibility into these session types means many compromises may go undetected. When endpoint protection was present, it successfully blocked follow-on activities like vulnerable driver loading, but the initial compromise had already succeeded.
Broader Implications for Gen7 and Gen8
The issue is specific to Gen6 hardware, which complicates the situation further because these devices reached end-of-life on April 16, 2026 and no longer receive security updates. Gen7 and Gen8 devices are not vulnerable to the same attack after updating to versions 7.2.0-7015 and 8.0.1-8017 respectively, as the remediation steps have been incorporated directly into the firmware.
Sources
https://securityaffairs.com/192477/hacking/attackers-are-bypassing-mfa-on-sonicwall-vpns-because-something-was-wrong-with-previous-fix.html
https://x.com/securityaffairs/status/2057468929837023316
https://www.reddit.com/r/InfoSecNews/comments/1tjph99/attackers_are_bypassing_mfa_on_sonicwall_vpns
https://community.opentextcybersecurity.com/vulnerability-vault-228/attackers-are-bypassing-mfa-on-sonicwall-vpns-because-something-was-wrong-with-previous-fix-364378
https://www.linkedin.com/posts/pierluigipaganini_attackers-are-bypassing-mfa-on-sonicwall-activity-7463234634139508738-qFVE

Comments