INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Bypassing MFA due to patch incompatibility
2026-05-21 14:29 | HIGH | LOW
Executive Summary (AI-generated)
SonicWall Gen6 SSL-VPN appliances have been compromised in a highly sophisticated ransomware attack that exploited SonicWall's handling of two different Active Directory login formats, UPN and SAM. The attackers exploited CVE-2024-12802, which stems from how SonicWall handles these formats, allowing them to bypass Multi-Factor Authentication (MFA) on the VPNs. ReliaQuest researchers observed what they assess as the first in-the-wild exploitation of this vulnerability across multiple environments between February and March 2026. The attackers deployed a Cobalt Strike beacon for command-and-control and attempted to load a vulnerable driver, likely using the Bring Your Own Vulnerable Driver technique.
Technical Mitigations (AI-generated)
* Implement a more comprehensive patching workflow: Standard patch management workflows may not verify manual reconfiguration steps, firmware updates, and device checks. Organizations should ensure that all necessary steps are taken before deploying patches to prevent vulnerabilities from being exploited.
* Verify manual configuration changes: Before upgrading or updating firewalls, organizations should verify that any manual configuration changes have been made to ensure the vulnerability is fully addressed.
* Enforce MFA consistently across login methods: Make sure MFA is required for all users and for every login format the appliance accepts (both UPN and SAM), so that an alternative account-name format cannot be used to skip the MFA step and reach the internal network.
* Regularly monitor VPN logs: Organizations should regularly review their VPN logs to detect any suspicious activity, such as brute-force attempts or unauthorized access attempts.
* Implement a secure patch management process: Establish clear procedures for patch management, including verification of manual configuration changes, firmware updates, and device checks. This can help prevent vulnerabilities from being exploited by attackers.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Cobalt Strike
CVE-2024-12802
Target & Sectors
Global Scope
Incident Timeline
2025/05/20
Threat actors used a previously unknown vulnerability in SonicWall SSL VPN devices to bypass Multi-Factor Authentication (MFA).
tactic
Ransomware
organisation
SonicWall SSL VPN
Last year, the Akira ransomware gang targeted SonicWall SSL VPN devices and logged in despite MFA being enabled on accounts, but the method was not confirmed.
March 2026
Attackers bypassed MFA on SonicWall VPNs using a vulnerable driver technique.
organisation
Active Directory
organisation
UPN
The vulnerability itself, CVE-2024-12802, stems from how SonicWall handles two different Active Directory login formats: UPN (User Principal Name, the format that looks like an email address) and SAM (Security Account Manager, the older format).
organisation
MFA Bypass
organisation
Microsoft Active Directory
“SSL-VPN MFA Bypass in SonicWALL SSL-VPN can arise in specific cases due to the separate handling of UPN (User Principal Name) and SAM (Security Account Manager) account names when integrated with Microsoft Active Directory, allowing MFA to be configured independently for each login method and potentially enabling attackers to bypass MFA by exploiting the alternative account name.”
organisation
Lightweight Directory Access Protocol
“Patching the firmware doesn’t remove the existing Lightweight Directory Access Protocol (LDAP) configuration that allows the bypass; the vulnerable configuration remains in place.” continues ReliaQuest.
organisation
EDR
The EDR on that particular system blocked both.
organisation
VPS
Event IDs 238 and 1080 are additional indicators worth monitoring, along with VPN logins originating from VPS or VPN infrastructure rather than expected user locations.
organisation
SonicWall SSL-VPN
If you are running Gen6 SonicWall SSL-VPN appliances, confirm that the full remediation has been completed, not just that the firmware is current.
organisation
SecurityAffairs
Pierluigi Paganini (SecurityAffairs – hacking, SonicWall VPNs)
April 16 this year
Threat actors are bypassing Multi-Factor Authentication on SonicWall VPNs due to a known issue with previous fixes.
April 16
Threat actors are bypassing MFA on Gen6 SSL-VPN appliances by exploiting a previously disclosed vulnerability.
Between February and March 2026
Threat actors exploited a previously disclosed vulnerability in SonicWall VPNs, CVE-2024-12802.
vulnerability
CVE-2024-12802
organisation
ReliaQuest
Between February and March 2026, ReliaQuest researchers observed what they assess as the first in-the-wild exploitation of CVE-2024-12802 across multiple environments.
2026/05/21
Threat actors exploited a previously patched vulnerability in SonicWall VPNs to bypass Multi-Factor Authentication.
2026/05/21
The threat actors bypassed MFA on SonicWall Gen6 SSL-VPN appliances by exploiting the CVE-2024-12802 vulnerability.
organisation
UPN
Addressing CVE-2024-12802
The CVE-2024-12802 vulnerability is caused by missing MFA enforcement for the UPN login format, allowing an attacker with valid credentials to authenticate directly and bypass the MFA requirement.
Reboot the firewall
Recreate the LDAP configuration without userPrincipalName in “Qualified login name”
Create a fresh backup to avoid restoring the vulnerable LDAP configuration later
The researchers have high confidence that the threat actor behind the analyzed intrusions gained initial access by exploiting the CVE-2024-12802 vulnerability "across multiple sectors and geographies."
organisation
ReliaQuest
Exploitation activity
ReliaQuest says that in one incident, the hacker gained access to the internal network and reached a domain-joined file server in as little as half an hour.
organisation
MFA
organisation
SonicWall
Attackers are bypassing MFA on SonicWall VPNs because something was wrong with the previous fix.
Hackers bypass SonicWall VPN MFA due to incomplete patching.
organisation
EDR
However, the installed endpoint detection and response (EDR) solution blocked the beacon and the loading of the driver.
organisation
VPS
Other strong signals are event IDs 238 and 1080, and VPN logins from suspicious VPS/VPN infrastructure.
organisation
RDP
Then they established a remote connection over RDP using a shared local administrator password.
organisation
SSL
Delete the existing LDAP configuration using userPrincipalName in the “Qualified login name” field
Remove locally cached/listed LDAP users
Remove the configured SSL VPN “User Domain” (reverts to LocalDomain)
Intelligence Sources
BleepingComputer (2026-05-20): Hackers bypass SonicWall VPN MFA due to incomplete patching
Security Affairs (2026-05-21)
Last Updated: 2026-06-26T10:30
Comprehensive Tactical Telemetry
Highly Correlated Entities
ReliaQuest (organisation, identified entity): 16x
Between February and March 2026 (timeline, temporal reference): 6x
Ransomware (tactic, cyber operation type): 2x
T1003.002 - Security Account Manager (tactic, MITRE ATT&CK technique): 2x
Contextual Telemetry (7 metrics)
Exploited CVE: CVE-2024-12802
Minutes: 30
Offensive Tool: Cobalt Strike
Event Ids: 238
Force Attempts: 13
Advisory: 1
Surfaces: 6