Bottom line: Attackers exploited CVE-2024-12802 to bypass MFA on SonicWall Gen6 devices. Organizations that installed only the firmware update but skipped the required LDAP reconfiguration steps remain vulnerable. ReliaQuest documented the first in-the-wild exploitation between February and March 2024.
Attackers conducted brute-force attacks against VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL VPN devices to deploy ransomware tools. The security vulnerability CVE-2024-12802 primarily affects organizations that did not perform the required configuration steps after the firmware update.
Cybersecurity experts from ReliaQuest analyzed several breaches between February and March that indicate the first in-the-wild exploitation of CVE-2024-12802. The attackers needed between 30 and 60 minutes to log in, explore the network, and test credentials on internal systems.
The core problem lies in inadequate MFA enforcement for logins in the UPN (User Principal Name) format. The critical point is that merely installing the firmware update on Gen6 devices does not fully remediate the vulnerability; manual reconfiguration of the LDAP server is also required. Many organizations did not perform these additional steps and mistakenly believed their devices were fully patched.
In one investigated incident, attackers gained access to internal network resources within just 30 minutes and reached a domain-joined file server. They attempted to deploy a Cobalt Strike beacon and a vulnerable driver to disable endpoint protection, but the installed EDR solution prevented this.
ReliaQuest suspects the attacker is an access broker who sells initial access to other threat groups. This is suggested by repeated logins using different accounts on different days.
Remediation of CVE-2024-12802 on Gen6 devices requires multiple manual steps: delete the existing LDAP configuration with userPrincipalName, remove locally cached LDAP users, remove the configured “User Domain”, restart the firewall, and recreate the LDAP configuration without userPrincipalName. On newer Gen7 and Gen8 devices, a simple firmware update is sufficient.
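As an added example (not from the article or from ReliaQuest), the following script shows how a defender might review VPN authentication records for the three indicators described above: successful logins in the UPN format that the firmware alone does not protect with MFA, failed-attempt volume per source as a brute-force indicator, and one source logging in with several accounts on several days, the access-broker pattern. The log lines and their key=value layout are constructed for this example and are not SonicWall's real syslog schema.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records in a hypothetical key=value layout (not SonicWall's syslog format).
SAMPLE_LOG = """\
2024-02-10T08:01:12Z src=203.0.113.7 user=jdoe result=failure
2024-02-10T08:01:15Z src=203.0.113.7 user=jdoe result=failure
2024-02-10T08:02:40Z src=203.0.113.7 user=jdoe@corp.example result=success
2024-02-12T21:14:03Z src=203.0.113.7 user=asmith@corp.example result=success
2024-02-15T02:30:55Z src=203.0.113.7 user=bwong@corp.example result=success
2024-02-11T09:00:00Z src=198.51.100.4 user=jdoe result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+$")  # user@domain, i.e. the UPN login form

def parse_log(text):
    """Parse the constructed key=value lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events

def upn_successes(events):
    """Successful logins whose username is in UPN form, the format lacking MFA enforcement on Gen6."""
    return [e for e in events if e["result"] == "success" and UPN_RE.match(e["user"])]

def failures_per_source(events):
    """Failed attempts per source IP, a simple brute-force indicator."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "failure":
            counts[e["src"]] += 1
    return dict(counts)

def multi_account_sources(events, min_accounts=2, min_days=2):
    """Sources that logged in with several distinct accounts on several distinct days."""
    seen = defaultdict(lambda: (set(), set()))
    for e in events:
        if e["result"] == "success":
            accounts, days = seen[e["src"]]
            accounts.add(e["user"].lower())
            days.add(e["ts"].date())
    return sorted(s for s, (a, d) in seen.items() if len(a) >= min_accounts and len(d) >= min_days)
```

Real deployments would feed the parser the firewall's exported authentication logs and alert on any non-empty result from the last two functions.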