Threat actors brute-forced credentials and bypassed multi-factor authentication on SonicWall Gen6 SSL-VPN appliances in attacks between February and March, with some intrusions lasting 30 to 60 minutes from login to logout.
KEY FACTS
- Target: Gen6 SonicWall SSL-VPN appliances used in multiple environments
- Risk: Firmware updates alone did not fully fix CVE-2024-12802 on Gen6 devices
- Access: Attackers logged in, performed reconnaissance and tested credential reuse on internal systems
- Defense: Endpoint detection and response blocked a Cobalt Strike beacon and a vulnerable driver
A technical analysis from ReliaQuest said the activity was likely the first in-the-wild exploitation of the flaw across multiple environments. The report said the intrusions affected devices that appeared patched because they were running updated firmware, but the required LDAP remediation had not been completed.
On Gen6 devices, SonicWall says administrators must install the firmware update and then manually reconfigure the LDAP server to fully remove the issue. Without those extra steps, attackers with valid credentials can still bypass MFA through the UPN login format, according to the advisory.
In one case, the intruder reached a domain-joined file server in about half an hour and then used RDP with a shared local administrator password. ReliaQuest also found signs that the actor logged out deliberately and returned later, sometimes with different accounts.
The report said the observed login attempts still looked like normal MFA activity in logs, which could mislead defenders. It also pointed to sess="CLI", event IDs 238 and 1080, and VPN logins from suspicious VPS or VPN infrastructure as indicators.
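The indicators above can be turned into a first-pass triage over SSL-VPN syslog. The script below is an added example for this article, not code from ReliaQuest or SonicWall. It assumes a key=value log layout loosely modeled on SonicWall's syslog format (m= carries the event ID, src= carries ip:port:interface, sess= carries the session type); the log lines and the VPS address ranges are constructed from documentation ranges, and in practice the ranges would come from your own threat-intelligence feed.

```python
import ipaddress
import re

# Indicators named in the report: event IDs 238 and 1080, and sess="CLI".
SUSPICIOUS_EVENT_IDS = {"238", "1080"}
SUSPICIOUS_SESSION = "CLI"

# Constructed sample of hosting/VPS ranges (RFC 5737 documentation space).
# Replace with ranges from your own threat-intel source.
VPS_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample log lines; the field layout is an assumption, not a
# verified SonicWall export.
SAMPLE_LOGS = [
    'id=sslvpn sn=EXAMPLE0001 time="2025-02-14 03:12:41" m=238 sess="CLI" usr="jdoe" src=203.0.113.45:51244:X1 msg="User login successful"',
    'id=sslvpn sn=EXAMPLE0001 time="2025-02-14 03:13:02" m=1080 sess="CLI" usr="jdoe" src=203.0.113.45:51244:X1 msg="SSLVPN session started"',
    'id=sslvpn sn=EXAMPLE0001 time="2025-02-14 08:30:10" m=1079 sess="Web" usr="asmith" src=192.0.2.10:44102:X1 msg="User login successful"',
    'id=sslvpn sn=EXAMPLE0001 time="2025-02-14 09:01:55" m=1079 sess="Web" usr="bkim" src=198.51.100.7:40012:X1 msg="User login successful"',
]

# key=value or key="quoted value with spaces"
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv_line(line: str) -> dict:
    """Parse one key=value syslog line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def src_ip(fields: dict):
    """Extract the client IP from an assumed src=ip:port:iface field."""
    raw = fields.get("src", "")
    try:
        return ipaddress.ip_address(raw.split(":")[0])
    except ValueError:
        return None


def is_vps(ip) -> bool:
    return ip is not None and any(ip in net for net in VPS_RANGES)


def score_event(fields: dict) -> list:
    """Return the list of indicator names that match this event (empty if none)."""
    reasons = []
    if fields.get("m") in SUSPICIOUS_EVENT_IDS:
        reasons.append(f"event id {fields['m']}")
    if fields.get("sess") == SUSPICIOUS_SESSION:
        reasons.append('sess="CLI"')
    if is_vps(src_ip(fields)):
        reasons.append("source in VPS range")
    return reasons


def triage(lines) -> list:
    """Run every line through the indicator checks and keep the ones that fire."""
    findings = []
    for line in lines:
        fields = parse_kv_line(line)
        reasons = score_event(fields)
        if reasons:
            findings.append({
                "time": fields.get("time"),
                "usr": fields.get("usr"),
                "src": str(src_ip(fields)),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

Because the report notes that the logins themselves look like ordinary MFA successes, no single field is conclusive on its own; the value of this kind of triage is in stacking the session type, event ID and source reputation, and then reviewing the flagged accounts for the follow-on internal activity the report describes.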
SonicWall Gen6 SSL-VPN appliances reached end of life on April 16 and no longer receive security updates. Organizations using those devices need to review their configuration and move to supported versions where possible.
WHY IT MATTERS
The case shows that a firmware update can leave a major exposure in place if the full remediation is not done. For defenders, the main challenge is that the activity can appear normal in logs even when MFA has been bypassed.