In-the-wild exploitation of SonicWall Gen6 SSL-VPN MFA bypass via CVE-2024-12802
Summary
Threat actors exploited CVE-2024-12802 to bypass multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances, enabling initial access for ransomware operations. Attackers brute-forced VPN credentials and authenticated directly via the UPN login format, bypassing MFA enforcement that appeared active in logs. Intrusions occurred between February and March 2026, with attackers taking 30–60 minutes to gain access, conduct reconnaissance, and test credential reuse. The vulnerability required both firmware updates and manual LDAP server reconfiguration to fully mitigate; incomplete mitigation left devices vulnerable. Gen6 devices are end-of-life as of April 16, 2026, and no longer receive security updates.
Timeline
- 21.05.2026 00:19 · 1 article
  CVE-2024-12802 exploited in the wild to bypass SonicWall Gen6 SSL-VPN MFA
  Between February and March 2026, threat actors leveraged CVE-2024-12802 to bypass MFA on SonicWall Gen6 SSL-VPN appliances by exploiting UPN-based login formats in LDAP configurations. The attacks occurred despite updated firmware being present, as the required manual remediation steps were incomplete. Victims included multiple sectors and geographies, with attackers gaining access in 30–60 minutes and proceeding to internal reconnaissance. Indicators suggest the actor operates as an initial access broker.
  - Hackers bypass SonicWall VPN MFA due to incomplete patching — www.bleepingcomputer.com — 21.05.2026 00:19
Information Snippets
- CVE-2024-12802 affects SonicWall Gen6 SSL-VPN appliances, allowing authentication bypass of MFA when the UPN login format is used in LDAP configuration.
  First reported: 21.05.2026 00:19 (1 source, 1 article)
  - Hackers bypass SonicWall VPN MFA due to incomplete patching — www.bleepingcomputer.com — 21.05.2026 00:19
- Firmware updates alone do not fully remediate CVE-2024-12802; manual LDAP server reconfiguration is required, including removal of userPrincipalName from the "Qualified login name" field.
  First reported: 21.05.2026 00:19 (1 source, 1 article)
  - Hackers bypass SonicWall VPN MFA due to incomplete patching — www.bleepingcomputer.com — 21.05.2026 00:19
- Threat actors exploited CVE-2024-12802 in multiple environments between February and March 2026, achieving initial access in as little as 30 minutes.
  First reported: 21.05.2026 00:19 (1 source, 1 article)
  - Hackers bypass SonicWall VPN MFA due to incomplete patching — www.bleepingcomputer.com — 21.05.2026 00:19
- Attackers used shared local administrator credentials and attempted to deploy Cobalt Strike beacons and vulnerable drivers (BYOVD) for endpoint protection evasion, which were blocked by installed EDR solutions.
  First reported: 21.05.2026 00:19 (1 source, 1 article)
  - Hackers bypass SonicWall VPN MFA due to incomplete patching — www.bleepingcomputer.com — 21.05.2026 00:19
- Evidence suggests the threat actor may be an initial access broker, repeatedly logging in and out using different accounts over multiple days.
  First reported: 21.05.2026 00:19 (1 source, 1 article)
  - Hackers bypass SonicWall VPN MFA due to incomplete patching — www.bleepingcomputer.com — 21.05.2026 00:19
- SonicWall Gen6 SSL-VPN appliances reached end-of-life on April 16, 2026, and are no longer receiving security updates, increasing risk for unpatched deployments.
  First reported: 21.05.2026 00:19 (1 source, 1 article)
  - Hackers bypass SonicWall VPN MFA due to incomplete patching — www.bleepingcomputer.com — 21.05.2026 00:19
- Log entries for these attacks still appear as normal MFA flows, complicating detection; indicators include sess="CLI", event IDs 238 and 1080, and logins from suspicious VPS/VPN infrastructure.
  First reported: 21.05.2026 00:19 (1 source, 1 article)
  - Hackers bypass SonicWall VPN MFA due to incomplete patching — www.bleepingcomputer.com — 21.05.2026 00:19
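The detection indicators above (sess="CLI", event IDs 238 and 1080, logins from unexpected infrastructure, and one source cycling through several accounts) can be turned into a first-pass triage over exported SSL-VPN logs. The script below is an added example, not code from the article or from SonicWall; it assumes a SonicWall-style key=value syslog layout in which `m=` carries the event ID, `sess=` the session type, `usr=` the account and `src=` the client address, and the sample lines and trusted egress range are constructed.

```python
import shlex
from ipaddress import ip_address, ip_network

# Constructed sample lines in an assumed SonicWall-style key=value syslog layout.
# Field names (m=, sess=, usr=, src=) are assumptions, not taken from the report.
SAMPLE_LOG = """\
id=sslvpn time="2026-03-02 03:14:07" m=238 sess="Web" usr="jdoe@corp.example" src=203.0.113.10 msg="User login successful"
id=sslvpn time="2026-03-02 03:15:21" m=1080 sess="CLI" usr="jdoe@corp.example" src=198.51.100.77 msg="Login successful"
id=sslvpn time="2026-03-02 03:20:44" m=238 sess="CLI" usr="msmith@corp.example" src=198.51.100.77 msg="User login successful"
id=sslvpn time="2026-03-02 09:01:00" m=238 sess="Web" usr="asmith@corp.example" src=192.0.2.5 msg="User login successful"
"""

TRUSTED_NETS = [ip_network("192.0.2.0/24")]  # constructed: ranges users normally connect from
SUSPECT_EVENT_IDS = {"238", "1080"}           # event IDs named in the report


def parse_kv(line):
    """Split a key=value log line; shlex keeps quoted values with spaces intact."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def triage(log_text):
    """Return (alerts, cycling).

    alerts:  (time, user, src, reason, is_external) for logins on the reported
             event IDs that carry sess="CLI"; is_external marks a src outside TRUSTED_NETS.
    cycling: {src: [users]} for sources that authenticated as more than one account,
             matching the account-cycling behaviour described for the broker.
    """
    alerts, accounts_by_src = [], {}
    for line in log_text.splitlines():
        ev = parse_kv(line)
        if ev.get("m") not in SUSPECT_EVENT_IDS:
            continue
        src = ip_address(ev["src"])
        accounts_by_src.setdefault(src, set()).add(ev["usr"])
        is_external = not any(src in net for net in TRUSTED_NETS)
        if ev.get("sess") == "CLI":
            reason = "CLI session login on event " + ev["m"]
            alerts.append((ev["time"], ev["usr"], str(src), reason, is_external))
    cycling = {str(s): sorted(u) for s, u in accounts_by_src.items() if len(u) > 1}
    return alerts, cycling
```

Because the flows look like successful MFA logins, these hits are triage leads to correlate with the LDAP "Qualified login name" setting and firmware state of each appliance, not proof of compromise on their own.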