PROBABLYPWNED
Vulnerabilities · May 27, 2026 · 4 min read

SonicWall VPN MFA Bypass Fuels Ransomware Attacks on EOL Devices

CVE-2024-12802 lets attackers bypass MFA on SonicWall Gen6 VPNs even after patching. Ransomware operators actively exploiting incomplete fixes. Gen6 reached EOL April 16.

Marcus Chen

Ransomware operators are actively exploiting a multi-factor authentication bypass in SonicWall SSL-VPN appliances, and the kicker is that merely installing the firmware update doesn't fix it. CVE-2024-12802 requires manual LDAP reconfiguration that many organizations have skipped, leaving them vulnerable despite believing they're patched.

Making matters worse, SonicWall Gen6 devices reached end-of-life on April 16, 2026—meaning thousands of still-deployed appliances will never receive another security update.

TL;DR

  • What happened: an MFA bypass whose fix requires a 6-step manual reconfiguration after the firmware patch
  • Who's affected: SonicWall Gen6, Gen7, and Gen8 SSL-VPN devices with LDAP authentication
  • Severity: High - actively exploited in ransomware campaigns since February 2026
  • Action required: Apply firmware update AND complete all manual mitigation steps; Gen6 users should migrate immediately

The Incomplete Patch Problem

ReliaQuest researchers Alexander Capraro and Tristan Luikey documented multiple intrusions between February and March 2026 that they assess with medium confidence as the first known in-the-wild exploitation of CVE-2024-12802. During these attacks, threat actors brute-forced VPN credentials and bypassed MFA to deploy tools commonly associated with ransomware operations.

The vulnerability stems from missing MFA enforcement for the User Principal Name (UPN) login format. An attacker with valid credentials can authenticate directly using the UPN format and completely circumvent multi-factor authentication—even when MFA is properly configured.

What makes this particularly insidious: the rogue login attempts still appeared as a normal MFA flow in logs. Defenders had every reason to believe MFA was working correctly when it wasn't. The attackers were in, and the logs showed nothing unusual.

SonicWall's own advisory warned that installing the firmware update alone does not fully mitigate the vulnerability on Gen6 devices. A six-step manual reconfiguration process is required, and failing to complete it leaves the MFA bypass wide open.

Attack Patterns Observed

According to ReliaQuest's analysis, the observed intrusions followed a consistent pattern:

  1. Attackers logged in via the vulnerable VPN in 30-60 minute sessions
  2. Performed network reconnaissance and tested credential reuse on internal systems
  3. Logged out and returned days later using different accounts
  4. Attempted to deploy Cobalt Strike beacons
  5. Used vulnerable drivers via BYOVD technique to disable endpoint protection

The multi-day, multi-account pattern suggests initial access broker activity—attackers establishing footholds and potentially selling access to ransomware affiliates. This mirrors tactics we've seen from other threat actors targeting enterprise authentication systems.

Required Mitigation Steps

For organizations still running vulnerable SonicWall devices, firmware updates are necessary but not sufficient. The complete mitigation requires the firmware update followed by the six manual steps:

  1. Update firmware to the latest version
  2. Delete existing LDAP configuration with userPrincipalName
  3. Remove cached LDAP users
  4. Remove configured SSL VPN "User Domain"
  5. Reboot the firewall
  6. Recreate LDAP configuration without userPrincipalName
  7. Create a fresh backup

Gen7 and Gen8 devices can be remediated more easily, but Gen6 owners face a harder choice: complete the manual mitigation on devices that will receive no future security updates, or migrate to supported hardware immediately.

Detection Guidance

Monitor for these indicators in SonicWall logs:

  • Event IDs 238 and 1080
  • sess="CLI" signals indicating scripted or automated authentication
  • VPN logins originating from known VPS or VPN provider IP ranges
  • Multiple failed authentication attempts followed by successful login without MFA challenge
  • Logins using UPN format (user@domain) rather than sAMAccountName

If you detect suspicious activity, assume compromise and investigate for lateral movement. The observed attackers moved quickly—30 to 60 minutes from initial access to internal reconnaissance.
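The indicators above, turned into a small triage script that runs over syslog lines. This is an added example, not code from the article, ReliaQuest or SonicWall: the key=value field names (m=, usr=, src=, sess=, msg=), the message texts and the watchlist CIDR are assumptions, so adapt them to the fields your appliance actually emits.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a SonicWall-style key=value syslog layout; the field
# names and message texts are assumptions for this example, not a documented format.
SAMPLE_LOGS = [
    'time="2026-02-10 02:14:03" m=238 usr="jdoe@corp.example" src=203.0.113.45 sess="CLI" msg="User login failed"',
    'time="2026-02-10 02:14:09" m=238 usr="jdoe@corp.example" src=203.0.113.45 sess="CLI" msg="User login failed"',
    'time="2026-02-10 02:14:15" m=1080 usr="jdoe@corp.example" src=203.0.113.45 sess="CLI" msg="SSL VPN user login"',
    'time="2026-02-10 08:01:00" m=1080 usr="asmith" src=198.51.100.7 sess="Web" msg="SSL VPN user login"',
]
# Constructed watchlist; the documentation range stands in for real VPS/VPN provider CIDRs.
WATCHLIST = ["203.0.113.0/24"]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split a key=value line (quoted or bare values) into a dict."""
    return {k: q or b for k, q, b in KV_RE.findall(line)}

def in_watchlist(ip, nets):
    """True when ip falls inside a watchlisted network; malformed addresses never match."""
    try:
        return any(ipaddress.ip_address(ip) in n for n in nets)
    except ValueError:
        return False

def analyze(lines, watchlist=WATCHLIST, fail_threshold=2):
    """Return successful logins (event IDs 238/1080) that match the article's indicators."""
    nets = [ipaddress.ip_network(n) for n in watchlist]
    failures = defaultdict(int)  # (usr, src) -> failed attempts since the last success
    findings = []
    for ev in map(parse_line, lines):
        if ev.get("m") not in {"238", "1080"}:
            continue
        key = (ev.get("usr", ""), ev.get("src", ""))
        if "failed" in ev.get("msg", "").lower():
            failures[key] += 1
            continue
        reasons = []
        if ev.get("sess") == "CLI":
            reasons.append("sess=CLI (scripted authentication)")
        if "@" in key[0]:  # UPN-format username instead of sAMAccountName
            reasons.append("UPN-format username")
        if in_watchlist(key[1], nets):
            reasons.append("source in VPS/VPN watchlist")
        if failures[key] >= fail_threshold:
            reasons.append(f"{failures[key]} failures before success")
        failures[key] = 0  # a success ends the current failure run
        if reasons:
            findings.append({"time": ev.get("time"), "usr": key[0], "src": key[1], "reasons": reasons})
    return findings
```

Because a bypassed login still looks like a normal MFA flow in the appliance log, treat a hit here as a lead to correlate with endpoint telemetry rather than as proof of an absent MFA challenge.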

The End-of-Life Reality

SonicWall Gen6 devices having reached end-of-life on April 16, 2026, creates a security cliff for organizations still running this hardware. Any future vulnerabilities discovered in Gen6—and there will be more—will not receive patches.

This isn't unique to SonicWall. The industry continues to struggle with legacy network appliances that organizations keep running long past their support windows. Attackers know this and specifically target EOL devices because the path from vulnerability disclosure to exploitation is a one-way street.

The CISA BOD 26-02 directive requiring federal agencies to replace edge devices upon end-of-life reflects growing recognition that unsupported network equipment represents unacceptable risk. Private organizations should follow the same principle.

Frequently Asked Questions

If I've installed the firmware update, am I protected?

Not necessarily. On Gen6 devices, the firmware update alone does not fully mitigate CVE-2024-12802. You must complete all six manual reconfiguration steps detailed in SonicWall's advisory. Gen7 and Gen8 devices are more straightforward to patch but still require verification.

How can I tell if attackers already exploited this vulnerability?

Check for the specific log indicators mentioned above. Pay particular attention to logins using UPN format from unusual IP addresses. Because successful exploits appear as "normal" MFA sessions in logs, you may need to correlate with other data sources like endpoint detection tools.
