Critical

MFA Bypass in SonicWall SSL-VPN Active Directory Authentication

Identifiers: CVE-2024-12802, CWE-287

CVE-2024-12802 is an authentication bypass vulnerability in SonicWall SSL-VPN appliances that occurs when the appliance is integrated with Microsoft Active Directory and handles User Principal Name (UPN) and SAM account-name logins separately. MFA can be configured independently for each login format rather than being enforced consistently for the underlying identity. In affected configurations, an attacker with valid credentials can authenticate using the alternative account-name format, particularly the UPN login path, and bypass MFA even though MFA appears to be enabled for the account. Reporting indicates this is especially relevant on SonicWall Gen6 SSL-VPN deployments, where firmware patching alone does not fully remediate the issue because the vulnerable LDAP configuration can persist unless six additional manual LDAP reconfiguration steps are completed.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation reduces SSL-VPN access protection from multi-factor authentication to single-factor authentication. An attacker who has obtained valid VPN credentials can gain unauthorized remote access to the internal network without satisfying the intended MFA control. Observed post-authentication activity included internal reconnaissance, access to domain-joined systems, RDP access using reused or shared credentials, and attempted deployment of post-exploitation tooling such as Cobalt Strike and a vulnerable driver to disable endpoint protection. This can enable broader compromise and potentially support ransomware intrusion, lateral movement, and data access.

Mitigation

If you can’t patch tonight, do this now.

Until full remediation is verified, restrict or disable affected SSL-VPN exposure where feasible, especially on Gen6 appliances integrated with Active Directory via LDAP. Audit LDAP authentication settings to ensure MFA is not inconsistently applied across UPN and SAM login formats. Monitor SonicWall authentication logs for sess="CLI" and correlate with Event IDs 238 and 1080, as these were reported as useful indicators of scripted authentication activity. Review VPN access from VPS/VPN infrastructure, restrict source IPs where possible, minimize VPN account privileges, rotate exposed or reused credentials, eliminate shared local administrator passwords, and review active and historical VPN sessions for suspicious access. Migration off end-of-life Gen6 devices is a key mitigation.
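As an added example (not code from this page or from SonicWall), the following Python check runs over constructed SonicWall-style key=value log lines: it flags logins that carry sess="CLI" together with event ID 238 or 1080, and collapses UPN (user@domain) and SAM (DOMAIN\user) usernames to one underlying identity so you can see which accounts have authenticated through both login paths, the condition under which the per-format MFA gap described above matters. The m=, usr=, src= and sess= field names and the sample lines are assumptions about the log format.

```python
import re
from collections import defaultdict

# Constructed SonicWall-style key=value log lines (sample data, not real logs).
# Field names m= (event ID), usr=, src= and sess= are assumptions about the format.
SAMPLE_LOGS = [
    'id=sslvpn m=238 msg="User login successful" usr="jdoe@corp.example" src=203.0.113.10 sess="CLI"',
    'id=sslvpn m=1080 msg="User login from VPN" usr="CORP\\jdoe" src=198.51.100.5 sess="Web"',
    'id=sslvpn m=238 msg="User login successful" usr="asmith@corp.example" src=203.0.113.10 sess="CLI"',
    'id=sslvpn m=97 msg="Web site access" usr="CORP\\asmith" src=198.51.100.9 sess="Web"',
]
# Event IDs the advisory text names as indicators when paired with sess="CLI".
FLAGGED_EVENT_IDS = {"238", "1080"}
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split a key=value line into a dict; quoted values keep their inner text."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def split_identity(usr):
    """Return (bare account name, format) for UPN (user@domain) or SAM (DOMAIN\\user) input.
    Real deployments should resolve the identity through AD attributes instead of string splits."""
    if "@" in usr:
        return usr.split("@", 1)[0].lower(), "UPN"
    if "\\" in usr:
        return usr.split("\\", 1)[1].lower(), "SAM"
    return usr.lower(), "BARE"

def find_suspicious(lines):
    """Logins matching the reported indicators: sess="CLI" with event ID 238 or 1080."""
    hits = []
    for rec in map(parse_line, lines):
        if rec.get("sess") == "CLI" and rec.get("m") in FLAGGED_EVENT_IDS:
            name, fmt = split_identity(rec["usr"])
            hits.append({"user": name, "format": fmt,
                         "src": rec.get("src"), "event_id": rec["m"]})
    return hits

def users_with_mixed_formats(lines):
    """Identities that logged in under both UPN and SAM forms: verify MFA covers both paths."""
    seen = defaultdict(set)
    for rec in map(parse_line, lines):
        if "usr" in rec and rec.get("m") in FLAGGED_EVENT_IDS:
            name, fmt = split_identity(rec["usr"])
            seen[name].add(fmt)
    return sorted(u for u, fmts in seen.items() if len(fmts) > 1)
```

Feed real syslog export lines into find_suspicious and users_with_mixed_formats in place of SAMPLE_LOGS; the first list is the triage queue, the second the set of accounts whose MFA enforcement should be checked on both login formats.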

Remediation

Patch, then assume compromise.

Apply SonicWall's vendor remediation for CVE-2024-12802. For Gen6 devices, do not rely on the firmware version alone: complete the six additional manual LDAP reconfiguration steps documented by SonicWall in advisory SNWLID-2025-0001 so the vulnerable LDAP configuration is removed and rebuilt correctly. The available reporting indicates the fix requires deleting or reworking the LDAP configuration that permits the UPN-based bypass. For Gen7 and newer platforms, upgrade to the vendor-fixed releases identified by SonicWall; reporting states that the Gen7 and Gen8 fixed versions incorporate the remediation steps. Because Gen6 hardware is end-of-life, migrate affected deployments to supported hardware and software.
PUBLIC EXPLOITS

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Handlers Diary (news), Jun 23, 2026
CVE-2024-40766: The Patch Fixed the Bug. Nobody Fixed the Configuration.

An authentication bypass vulnerability in SonicWall SSLVPN appliances that allows attackers to bypass MFA. It is especially significant on Gen 6 devices because firmware patching alone does not fully remediate the issue and additional manual LDAP reconfiguration is required.

SC World (news), May 21, 2026
Attackers exploit SonicWall VPN vulnerability to bypass MFA | brief | SC Media

An MFA bypass vulnerability affecting SonicWall Gen6 SSL-VPN appliances that can allow attackers with valid VPN credentials to circumvent multi-factor authentication using a specific UPN login format, enabling rapid internal network access and follow-on intrusion activity.

Security Affairs (news), May 21, 2026
Attackers are bypassing MFA on SonicWall VPNs because something was wrong with previous fix

An authentication bypass vulnerability in SonicWall SSL-VPN, particularly affecting Gen6 devices integrated with Microsoft Active Directory, where separate handling of UPN and SAM login formats can allow MFA bypass.

ReliaQuest Threat Hunting (news), May 19, 2026
VPN Exploitation When Patched Doesn't Mean Protected | Threat Spotlight

An authentication bypass vulnerability in SonicWall SSL VPN appliances that can silently bypass MFA by abusing an unprotected authentication path. On Gen6 devices, firmware patching alone is insufficient; six additional manual LDAP reconfiguration steps are required for full remediation.