CVSS 9.1
Critical severity, authentication bypass rating
13 attempts
Brute-force tries to bypass MFA and gain access
< 30 min
Time from VPN login to internal file server access
6 steps
Manual LDAP remediation steps beyond firmware update

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2024-12802 (CVSS 9.1), a critical authentication bypass in SonicWall Gen6 SSL-VPN appliances, is enabling Akira-linked ransomware operators to reach internal file servers in under 30 minutes after bypassing multi-factor authentication with as few as 13 brute-force attempts, on networks where vulnerability scanners report the firmware as fully patched. The SonicWall SSL-VPN MFA bypass has been under active exploitation since at least February 2026 across dozens of enterprise environments, and most confirmed victims had applied the firmware update SonicWall issued months earlier.

The vulnerability, tracked as CVE-2024-12802 (CWE-305: Missing Authentication for Critical Function), exploits a discrepancy in how SonicWall Gen6 appliances handle two different Active Directory login formats. User Principal Name (UPN) authentication at user@domain.com enforces MFA. Security Account Manager (SAM) name authentication at DOMAIN\user skips the MFA enforcement layer entirely. The SonicWall firmware patch partially remediated this discrepancy but left the LDAP configuration in place, meaning the bypass mechanism persists on any Gen6 device that completed only the firmware upgrade without six additional manual reconfiguration steps.

This is a Tuesday morning emergency for every security team running on-premises SonicWall hardware. SonicWall Gen6 reached official end-of-life status on April 16, 2026, meaning no further security updates will arrive for these devices. BleepingComputer documented fresh exploitation activity starting May 20, 2026, with victims in manufacturing, healthcare, and professional services. The Akira ransomware group, previously linked to large-scale SonicWall exploitation in 2025, has been confirmed in post-exploitation activity matching this attack pattern. Every hour these appliances remain misconfigured is an open door for ransomware staging.

How Does CVE-2024-12802 Bypass Multi-Factor Authentication?

CVE-2024-12802 exploits a fundamental authentication flow problem in SonicWall Gen6 SSL-VPN appliances integrated with Microsoft Active Directory. The bypass works by exploiting separate handling of two AD login formats.

User Principal Name (UPN) is the modern authentication format user@domain.com. MFA enforcement is configured on this login path, requiring a one-time password, hardware token, or push notification challenge after a successful password validation. Security Account Manager (SAM) account name is the legacy format DOMAIN\user. On vulnerable Gen6 devices, this login path does not trigger the MFA challenge even when MFA is globally enabled across the VPN configuration.

The critical weakness is in how the SonicWall LDAP integration routes authentication requests. When an attacker possesses valid credentials, they authenticate using the SAM account name format. The appliance validates the Active Directory password successfully but routes the request through a code path that has no MFA enforcement hook. The authentication completes without any one-time password, push notification, or hardware token challenge.

Attackers exploit this with automated brute-force tools targeting the SAM login path. Because authentication attempts via the SAM path do not generate standard failed-MFA alerts, security monitoring systems register the brute-force traffic as ordinary failed login attempts rather than MFA bypass events. ReliaQuest documented cases where as few as 13 attempts separated the attacker from a valid credential, with post-exploit activity appearing in logs as clean, successful authentication events.

The bypass is particularly dangerous for organizations that deployed MFA specifically as a compensating control for VPN access. CVE-2024-12802 breaks that assumption entirely for Gen6 hardware: MFA provides zero protection against an attacker using the SAM authentication path.

Why Your SonicWall Firmware Update Failed to Fix CVE-2024-12802

SonicWall issued a firmware update for CVE-2024-12802 in 2025. Applying that update is necessary but not sufficient. The firmware patch does not remove the existing LDAP configuration that enables the UPN-to-SAM authentication path discrepancy. Any Gen6 device that received the firmware upgrade and stopped there remains fully exploitable.

Full remediation for Gen6 devices requires six manual steps performed after the firmware update. These steps reconfigure the LDAP integration to eliminate the dual-path authentication discrepancy that the vulnerability exploits. The process takes 20 to 45 minutes per appliance for an experienced network administrator.

The firmware version check produces a false compliant result in most vulnerability management platforms. This is the critical operational failure: security teams receive a green dashboard status, close the remediation ticket, and move on, while the underlying LDAP configuration continues to allow MFA bypass. Cybersecurity Dive reported that patch status reporting tools checking only firmware version will show a patched status on devices that are still fully exploitable.

Organizations managing mixed Gen6 and Gen7 fleets face a compounding problem. Gen7 and newer devices are fully remediated by the firmware patch alone, requiring no manual LDAP reconfiguration. The different remediation requirements across hardware generations create a gap where Gen6 devices in a mixed fleet appear compliant while remaining vulnerable to CVE-2024-12802.

Delete the LDAP configuration using userPrincipalName

Log into the SonicWall management console, navigate to Users > Settings > LDAP, and remove the current LDAP server configuration that uses userPrincipalName as the login attribute. This is the root configuration that enables the authentication path discrepancy.

Remove all cached LDAP users from the local database

Navigate to Users > Local Users and Groups and delete all LDAP-imported accounts from the local user database. Residual cached user entries can preserve the vulnerable authentication path even after LDAP reconfiguration.

Delete the SSL VPN User Domain referencing Active Directory

Navigate to VPN > SSL-VPN > Server Settings and remove the LDAP-sourced User Domain entry. Leaving this entry in place allows the authentication bypass to persist even after LDAP configuration changes.

Reboot the firewall completely

Perform a full firewall reboot. Configuration reloads are not sufficient. A full system restart is required for LDAP changes to take effect across all authentication code paths.

Recreate LDAP using SAMAccountName as the login attribute

Rebuild the LDAP server configuration using SAMAccountName rather than userPrincipalName. Confirm that MFA enforcement is explicitly bound to the new SAMAccountName login flow before re-enabling SSL-VPN access for any users.

Generate a fresh backup configuration

Create and save a new backup configuration file after completing all five preceding steps. Restoring from a pre-remediation backup reintroduces the vulnerable LDAP settings and nullifies the remediation.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

SonicWall Gen6 at End-of-Life: The Full Scope of Your Exposure

SonicWall Gen6 appliances reached end-of-life status on April 16, 2026. End-of-life means SonicWall no longer provides firmware updates, security patches, or technical support for these devices. The six-step remediation procedure closes CVE-2024-12802, but Gen6 hardware will accumulate additional unpatched vulnerabilities with no resolution path from the vendor.

Affected Gen6 models include the SonicWall TZ300, TZ400, TZ500, TZ600, NSa 2650, NSa 3650, NSa 4650, NSa 5650, NSa 6650, and NSa 9250 series. Any of these models integrated with Active Directory and running SSL-VPN is affected by CVE-2024-12802 unless all six manual remediation steps have been completed following the firmware update.

The exploitation window has been running since at least February 2026. ReliaQuest documented active campaigns between February and March 2026 across multiple enterprise environments. BleepingComputer reported fresh exploitation beginning May 20, 2026, with confirmed victims in manufacturing, healthcare, and professional services. The median attacker dwell time between initial VPN authentication and reaching an internal file server was under 30 minutes across documented incidents.

For organizations that cannot immediately migrate from Gen6 hardware, three short-term mitigations reduce exposure while the six-step remediation is scheduled. First, disable SSL-VPN access on Gen6 appliances entirely and route remote access through an alternative path. Second, restrict VPN access via IP allowlists covering only corporate egress addresses, blocking all VPS and residential IP ranges. Third, monitor SonicWall event logs for Event IDs 238 and 1080, which flag scripted authentication patterns and session cycling consistent with brute-force exploitation.

Akira Ransomware: From VPN Login to File Server in 30 Minutes

Akira is a ransomware-as-a-service operation first documented in 2023 that consistently targets network perimeter appliances as initial access vectors. Akira-affiliated operators represent a structured criminal organization with dedicated specialists for scanning, credential exploitation, and ransomware deployment. As covered in our Cisco SD-WAN authentication bypass analysis, authentication bypass vulnerabilities in network perimeter hardware remain the highest-value entry point for ransomware groups because they provide persistent access that bypasses all perimeter controls.

Following CVE-2024-12802 exploitation, Akira operators execute a consistent post-exploitation sequence. Within the first 30 minutes, they perform network reconnaissance using standard Windows tools, test credential reuse on internal systems accessible from the VPN subnet, and establish Remote Desktop Protocol connections using shared administrator passwords recovered from Active Directory. Within the next two hours, operators attempt Cobalt Strike beacon deployment and use Bring Your Own Vulnerable Driver techniques to disable endpoint detection tools.

Data exfiltration precedes encryption. Akira operators spend 24 to 72 hours enumerating file shares, identifying backup locations, and staging sensitive data for exfiltration before executing the ransomware payload. Ransom demands in Akira campaigns targeting mid-size enterprises have ranged from $200,000 to $2.5 million, with double-extortion pressure applied through an Akira data leak site that publishes victim files when negotiations fail.

Organizations can correlate Akira activity with attacker infrastructure documented by Huntress: VPS addresses from AS62240 (Clouvider), AS23470 (ReliableSite), and AS174 (COGENT). New Active Directory accounts named backupSQL and lockadmin are post-exploitation staging indicators consistent with Akira pre-encryption operations.

In one environment, they reached a file server within 30 minutes and deployed tools consistent with pre-ransomware staging.

ReliaQuest incident analysis, May 2026

CVE-2024-12802 Indicators of Compromise and Detection

Detection of CVE-2024-12802 exploitation requires monitoring SonicWall event logs for authentication patterns that distinguish bypass attempts from normal user behavior. Standard SIEM alerts for failed MFA events will not fire during exploitation, the bypass produces clean, successful authentication events with no MFA failure recorded.

Key SonicWall log indicators: Event ID 238 (SSL-VPN session created) with sess=CLI value indicates scripted authentication via automated tools rather than a human-operated VPN client. Event ID 1080 (SSL-VPN user disconnected) in high-frequency clusters from the same source IP indicates brute-force credential cycling. Authentication successes from IP ranges associated with VPS providers, Clouvider AS62240, ReliableSite AS23470, COGENT AS174, with no prior organizational login history warrant immediate investigation and session termination.

Post-exploitation Active Directory indicators: new accounts named backupSQL or lockadmin are staging accounts created by Akira-affiliated operators. PowerShell remoting or WMI activity originating from the VPN subnet directed at internal file servers is a lateral movement indicator. Set-MpPreference execution disabling Windows Defender from a VPN-authenticated session and netsh.exe firewall rule modifications from VPN-connected hosts are pre-ransomware staging signals. Event log clearing via EventLogSession.ClearLog from VPN-authenticated endpoints indicates imminent ransomware deployment and requires immediate containment response.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Why CVE-2024-12802 Matters for Your Organization

The SonicWall SSL-VPN MFA bypass CVE-2024-12802 represents a category of vulnerability that defeats the security controls organizations rely on most. MFA is treated as the primary compensating control for VPN access because passwords alone cannot stop credential-stuffing attacks. This vulnerability nullifies that protection entirely for Gen6 hardware, and the false-patched status in vulnerability dashboards means most affected organizations do not know they are exposed.

The exploitation evidence from ReliaQuest and BleepingComputer shows that breached organizations believed they were protected. The firmware upgrade showed patched in vulnerability management tools. Detection failed because the bypass produces clean authentication events with no failed-MFA alerts. The full breach chain from initial brute-force to file server access completed before any security alert fired.

As documented in our Palo Alto PAN-OS firewall remediation coverage, perimeter network appliances continue to be the highest-impact initial access targets for organized threat actors. SonicWall Gen6 now sits in the same risk category: an EOL device, actively exploited, with a partial patch that a significant percentage of affected organizations believes is complete.

Three actions define the right response today. Identify every Gen6 SSL-VPN appliance in your environment. Query each one for LDAP configuration using userPrincipalName as the login attribute. Execute the six-step LDAP remediation sequence on each device before end of business. Organizations that cannot complete remediation today should disable SSL-VPN on Gen6 appliances immediately and route remote access through alternative infrastructure while scheduling the LDAP reconfiguration work.

The bottom line

SonicWall SSL-VPN MFA bypass CVE-2024-12802 enables Akira-linked attackers to reach internal file servers in under 30 minutes despite an applied firmware patch, because six LDAP reconfiguration steps remain undone on Gen6 hardware. Three actions define today's response: verify your Gen6 appliance firmware version, identify all LDAP configurations using userPrincipalName, and execute the six-step remediation sequence before end of business. Any Gen6 device that shows patched in your vulnerability scanner without completed LDAP reconfiguration remains fully exploitable. SonicWall Gen6 reached end-of-life April 16, 2026, migration to Gen7 is the permanent fix, but the six-step LDAP remediation is your stopgap for today.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2024-12802?

CVE-2024-12802 is a CVSS 9.1 authentication bypass vulnerability in SonicWall Gen6 SSL-VPN appliances. It allows an attacker with valid Active Directory credentials to authenticate to the SSL-VPN and bypass multi-factor authentication by using the SAM account name login format instead of the User Principal Name format. Active exploitation has been confirmed since February 2026, with fresh attack campaigns documented in May 2026 targeting manufacturing, healthcare, and professional services organizations.

How does CVE-2024-12802 bypass MFA on SonicWall?

SonicWall Gen6 appliances route two Active Directory login formats through separate code paths. Multi-factor authentication is enforced on the User Principal Name path (user@domain.com). The Security Account Manager name path (DOMAIN\user) bypasses MFA enforcement on vulnerable devices. An attacker with valid credentials authenticates via the SAM path, the appliance validates the AD password successfully, and the VPN session is created with no MFA challenge or failed-MFA alert generated in security logs.

Is my SonicWall Gen6 device still vulnerable after applying the firmware update?

Yes, if you applied only the firmware update without completing six additional LDAP reconfiguration steps. The firmware patch does not remove the existing LDAP configuration that enables the authentication path discrepancy. Vulnerability scanners checking firmware version will report a false remediated status. You must delete the userPrincipalName LDAP configuration, remove cached LDAP users, delete the SSL VPN User Domain, reboot the firewall, recreate LDAP using SAMAccountName, and generate a fresh backup to fully close the vulnerability.

Which ransomware group is exploiting CVE-2024-12802?

Post-exploitation activity consistent with Akira ransomware has been confirmed in networks breached via CVE-2024-12802. Akira is a ransomware-as-a-service operation active since 2023 that targets network perimeter appliances for initial access. Indicators include new Active Directory accounts named backupSQL and lockadmin, Cobalt Strike beacon deployment, Bring Your Own Vulnerable Driver techniques to disable endpoint detection, and data exfiltration preceding ransomware encryption. Ransom demands in Akira campaigns have ranged from $200,000 to $2.5 million.

What does SonicWall Gen6 end-of-life mean for security teams?

SonicWall Gen6 appliances reached end-of-life on April 16, 2026. No further firmware updates, security patches, or vendor support will be provided. The six-step LDAP remediation closes CVE-2024-12802, but future vulnerabilities discovered in Gen6 hardware will have no vendor-provided fix path. Migration to Gen7 or Gen8 appliances is the permanent solution. Gen7 and newer devices are fully remediated by firmware patch alone without requiring manual LDAP reconfiguration.

How do I detect CVE-2024-12802 exploitation on my SonicWall?

Monitor SonicWall event logs for Event ID 238 with sess=CLI values, which indicate scripted authentication via automated tools. Event ID 1080 in high-frequency bursts from a single source IP indicates brute-force cycling. Look for authentication successes from VPS provider ASNs, Clouvider AS62240, ReliableSite AS23470, COGENT AS174, with no prior login history in your environment. Post-compromise, monitor Active Directory for new accounts named backupSQL or lockadmin and PowerShell remoting originating from VPN subnet addresses toward internal file servers.

What are the six steps to fully fix CVE-2024-12802 on Gen6?

Full remediation requires six sequential steps after firmware update: (1) delete the existing LDAP configuration using userPrincipalName from Users > Settings > LDAP; (2) remove all cached LDAP users from Users > Local Users and Groups; (3) delete the SSL VPN User Domain referencing Active Directory from VPN > SSL-VPN > Server Settings; (4) reboot the firewall fully; (5) recreate LDAP using SAMAccountName as the login attribute with MFA enforcement bound to that path; (6) generate a new backup configuration so restore operations cannot reintroduce the vulnerable LDAP settings.

Sources & references

  1. BleepingComputer, Hackers bypass SonicWall VPN MFA due to incomplete patching
  2. Cybersecurity Dive, Patch bypass allows hackers to exploit prior flaw in SonicWall SSL-VPN
  3. SOCRadar, CVE-2024-12802: SonicWall SSL-VPN MFA Bypass Persists on Gen6
  4. NVD, CVE-2024-12802 Detail
  5. Huntress, Active Exploitation of SonicWall VPNs

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.