SOCRadar® Cyber Intelligence Inc. | CVE-2024-12802: SonicWall SSL-VPN MFA Bypass Persists on Gen6
May 21, 2026

CVE-2024-12802: SonicWall SSL-VPN MFA Bypass Persists on Gen6

CVE-2024-12802 is an authentication bypass that can result in an SSL-VPN MFA bypass affecting SonicWall SonicOS / SonicWall SSL-VPN when the VPN is integrated with Microsoft Active Directory (AD) in certain configurations. The issue matters because defenders may think they are protected after upgrading firmware, yet Gen6 appliances can remain exploitable without additional manual changes.

Researchers reported exploitation in environments where devices appeared patched by version checks but were still vulnerable. This post explains what CVE-2024-12802 is, who is affected, how attackers abuse it, what we know about exploitation, and what to do next.

What Is CVE-2024-12802?

CVE-2024-12802 (CVSS 9.1) is a CWE-305 authentication bypass / MFA bypass condition affecting SonicWall SSL-VPN authentication flows when using Microsoft AD.

At a high level, the weakness shows up when the same AD user can log in using different account-name formats, and SonicWall handles those formats in a way that can apply MFA inconsistently. In the worst case, an attacker can authenticate through an alternate login path that does not trigger MFA, effectively reducing remote access to single-factor.

Details of CVE-2024-12802 (SOCRadar Vulnerability Intelligence)

Which SonicWall Versions And Platforms Are Affected?

The affected SonicOS versions listed in the CNA record include the following ranges:

  • 6.5.4.4-44v-21-2457 and older
  • 6.5.4.15-117n and older
  • 7.0.1-5161 and older
  • 7.1.1-7058 and older
  • 7.1.2-7019
  • 8.0.0-8035

Impacted platforms include Gen6 and Gen7 hardware/NSv, plus TZ80. The Gen6 angle matters because it is where the “patched but still exploitable” condition has been reported.

How Does The MFA Bypass Happen In AD-Integrated SSL-VPN Setups?

The practical mechanism comes down to identity format ambiguity in AD-backed authentication:

Users can often authenticate using a UPN format (for example, user@domain) or a SAM account name (sAMAccountName) format (for example, DOMAIN\user or user, depending on prompts and configuration).

In vulnerable configurations, SonicWall can treat UPN vs SAM as distinct login paths. If MFA enforcement is tied to one path and not the other, an attacker who already has valid credentials can choose the path that results in no MFA challenge.

This is not a “break MFA cryptography” vulnerability. It is an alternate authentication path problem where policy enforcement does not reliably follow the user across equivalent identifiers.
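To make the alternate-path problem concrete, here is a schematic model added for this post (it is not SonicWall's code): an MFA policy keyed by the raw string the user typed versus one keyed by a canonical (NETBIOS, sAMAccountName) identity. The domain names, user names and the single-domain forest are constructed assumptions.

```python
# Schematic model of the alternate-path problem, added as an illustration;
# it is not SonicWall's implementation. Domain and user names are constructed.
DNS_TO_NETBIOS = {"corp.example": "CORP"}   # assumed AD forest with one domain
DEFAULT_NETBIOS = "CORP"                    # domain assumed for bare logins

def canonical_identity(login: str) -> tuple[str, str]:
    """Map UPN, down-level (DOMAIN\\user) and bare logins to one (NETBIOS, sam) key."""
    login = login.strip()
    if "@" in login:                               # UPN: user@corp.example
        sam, suffix = login.rsplit("@", 1)
        netbios = DNS_TO_NETBIOS.get(suffix.lower())
        if netbios is None:
            raise ValueError(f"unknown UPN suffix: {suffix}")
        return netbios, sam.lower()
    if "\\" in login:                              # down-level: CORP\user
        netbios, sam = login.split("\\", 1)
        return netbios.upper(), sam.lower()
    return DEFAULT_NETBIOS, login.lower()          # bare sAMAccountName

# Vulnerable pattern: MFA policy keyed by the raw string the user typed.
# Only the UPN form is listed, so any other form of the same user finds no rule.
MFA_POLICY_RAW = {"alice@corp.example": True}

def requires_mfa_raw(login: str) -> bool:
    return MFA_POLICY_RAW.get(login, False)        # CORP\alice -> no MFA challenge

# Hardened pattern: policy keyed by canonical identity and failing closed,
# so every equivalent login form reaches the same decision.
MFA_POLICY_CANONICAL = {canonical_identity("alice@corp.example"): True}

def requires_mfa_canonical(login: str) -> bool:
    return MFA_POLICY_CANONICAL.get(canonical_identity(login), True)

def is_consistent(login_forms: list[str], policy) -> bool:
    """True when every equivalent login form yields the same MFA decision."""
    return len({policy(form) for form in login_forms}) == 1

# Four spellings of the same AD account (constructed).
FORMS = ["alice@corp.example", "CORP\\alice", "corp\\Alice", "alice"]

if __name__ == "__main__":
    print("raw policy consistent:      ", is_consistent(FORMS, requires_mfa_raw))
    print("canonical policy consistent:", is_consistent(FORMS, requires_mfa_canonical))
```

The raw-keyed policy is where an attacker with valid credentials simply picks the form that finds no rule; the canonical-keyed policy removes that choice.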

Why Are Gen6 Devices Still At Risk After Firmware Updates?

ReliaQuest highlighted an operational issue: on Gen6 SonicWall devices, upgrading firmware alone may not fully remediate CVE-2024-12802.

A device can look compliant in a vulnerability dashboard because the firmware version matches a fixed release, but still be vulnerable until administrators complete the six additional manual reconfiguration steps referenced in SonicWall’s guidance. This creates a common failure mode:

  • Vulnerability management validates “patched” based on the version.
  • The device remains exploitable because the required configuration-state remediation never happened.

The researchers described Gen7 and newer devices as being fully remediated by the firmware patch alone, making this a Gen6-specific trap for teams that manage mixed fleets.

Is CVE-2024-12802 Being Exploited In The Wild?

Public reports previously indicated no exploitation as of January 9, 2025. However, ReliaQuest later reported observed exploitation activity occurring between February and March 2026 across multiple environments, which it assessed with medium confidence to be the first in-the-wild exploitation of this CVE.

In the cases described, the observed intrusion pattern was direct:

  • Threat actors brute-forced VPN accounts.
  • After obtaining valid credentials, they bypassed MFA via the alternate authentication behavior tied to username formats.
  • Researchers assessed with high confidence that the threat actor gained initial access via this vulnerability across multiple sectors and geographies.

This makes CVE-2024-12802 relevant to organizations that still rely on SSL-VPN as an internet-facing initial access point, particularly where password hygiene and lockout controls are weak.

SOCRadar’s Vulnerability Intelligence

Most breaches don’t start with a zero-day; they start with something that was already known, just missed. SOCRadar’s Cyber Threat Intelligence module tracks threat actor activity, dark web chatter, and newly disclosed vulnerabilities relevant to your stack, giving your team context instead of noise. Attack Surface Management (ASM) maps and monitors your external-facing assets in real time, flagging misconfigurations and exposed services before they become incidents.

What Should Defenders Do Now To Reduce Risk?

Confirm Gen6 remediation goes beyond “patched”

If you run Gen6, do not stop at firmware upgrades. Validate that all manual remediation steps documented in SonicWall’s advisory were applied. Treat this as a configuration compliance problem, not just patch compliance.

Hunt for brute-force indicators tied to SSL-VPN authentication

Monitor SonicWall authentication logs for session artifacts such as:

sess="CLI"

Use that signal as a pivot for investigation, then correlate with spikes in failed logins, unusual source IPs, and authentication attempts across multiple usernames. Note that rogue login attempts may still appear as a normal MFA flow in logs, leading defenders to incorrectly believe MFA worked.
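The correlation described above, as an added example that is not part of the original post: it parses constructed key=value lines written in a style resembling SonicOS syslog (the message texts, field names, usernames and addresses are assumptions, not vendor output), counts failed logins and distinct usernames per source IP, and raises the priority of any sess="CLI" login that follows a spray from the same source.

```python
import re
from collections import defaultdict

# Constructed sample lines in a key=value style resembling SonicOS syslog.
# Message texts, usernames and addresses are assumptions, not vendor output.
SAMPLE_LOG = """\
time="2026-03-02 09:00:01" msg="SSL VPN login failed" usr="alice" src=198.51.100.7 sess="Web"
time="2026-03-02 09:00:02" msg="SSL VPN login failed" usr="bob" src=198.51.100.7 sess="Web"
time="2026-03-02 09:00:03" msg="SSL VPN login failed" usr="carol" src=198.51.100.7 sess="Web"
time="2026-03-02 09:00:04" msg="SSL VPN login failed" usr="dave" src=198.51.100.7 sess="Web"
time="2026-03-02 09:00:09" msg="User login successful" usr="dave" src=198.51.100.7 sess="CLI"
time="2026-03-02 09:15:00" msg="User login successful" usr="erin" src=192.0.2.10 sess="Web"
time="2026-03-02 09:16:00" msg="SSL VPN login failed" usr="erin" src=192.0.2.10 sess="Web"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line: str) -> dict:
    """Split one key=value line into a dict, stripping quotes from values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV.findall(line)}

def analyze(log_text: str) -> dict:
    """Per source IP: failed logins, distinct usernames tried, sess=CLI successes."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "cli_logins": []})
    for line in log_text.splitlines():
        f = parse_line(line)
        if "src" not in f:
            continue
        msg = f.get("msg", "").lower()
        s = stats[f["src"]]
        if "login failed" in msg:
            s["failed"] += 1
            s["users"].add(f.get("usr", "?"))
        elif "successful" in msg and f.get("sess") == "CLI":
            s["cli_logins"].append(f.get("usr", "?"))
    return dict(stats)

def alerts(log_text: str, threshold: int = 3) -> list[tuple[str, str, str]]:
    """(src, reason, priority): a CLI session is a pivot; a spray from the same source raises it."""
    out = []
    for src, s in analyze(log_text).items():
        spray = s["failed"] >= threshold and len(s["users"]) >= threshold
        if spray:
            out.append((src, "credential_spray", "medium"))
        if s["cli_logins"]:
            out.append((src, "cli_session", "high" if spray else "medium"))
    return out

if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOG):
        print(alert)
```

The threshold of three failures across three usernames is a constructed starting point; tune it to your own baseline of failed SSL-VPN logins per source.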

Reduce the value of a single password on VPN

Since the observed attacks paired brute force with MFA bypass, basic controls still matter:

  • Enforce a strong password policy for VPN-capable accounts.
  • Ensure lockout and rate-limiting controls are effective for remote auth.
  • Review which users and groups can access the SSL-VPN and reduce it to what is necessary.
  • If possible, restrict exposure with network controls (allowlisting, geofencing where appropriate, or placing VPN behind additional access controls).

Plan for Gen6 lifecycle risk

Gen6 reached end of life on April 16, 2026, and no longer receives security updates. If Gen6 remains in your environment, prioritize a migration plan; relying on end-of-life hardware for internet-facing remote access significantly increases long-tail exposure risk.