277/69 Friday, May 22, 2026

Reports indicate that threat actors are actively exploiting CVE-2024-12802 in SonicWall Gen6 SSL-VPN appliances to bypass multi-factor authentication (MFA). The attacks primarily affect organizations that updated their firmware to patch the vulnerability but failed to fully complete the required manual configuration changes. The flaw allows attackers who already possess valid passwords to bypass MFA protections and gain unauthorized access to internal corporate networks, potentially enabling the deployment of malicious tools and leading to ransomware attacks. Initial investigations confirm that real-world exploitation has already been observed across multiple industries and regions, particularly targeting systems with incomplete or weak configurations.
According to incident analysis, attackers were able to complete the intrusion process in as little as 40 minutes. The attack reportedly began with a successful login that bypassed MFA protections. Within two minutes, the attackers started scanning internal networks for services such as RDP, SMB, and SSH, while also attempting password reuse attacks against other systems within the environment. Approximately 30 minutes later, the attackers gained access to administrator-level accounts and attempted privilege escalation while importing suspicious executable files. Researchers also observed attempts to use BYOVD (Bring Your Own Vulnerable Driver) techniques to load vulnerable drivers in an effort to disable endpoint security protections. However, the victim organization’s EDR solution successfully detected and blocked the malicious behavior, ultimately terminating the attack.
To reduce risk and prevent compromise, administrators using SonicWall Gen6 appliances are strongly advised to update firmware to the latest available version and fully reconfigure LDAP server settings according to the vendor’s guidance. Recommended mitigation steps include deleting previous configurations, clearing cached user data, removing user domain settings, rebooting the appliance, and recreating LDAP configurations from scratch without reusing legacy settings. For threat hunting and detection, administrators should monitor logs for suspicious indicators such as sess="CLI" entries, event IDs 238 and 1080, and login attempts originating from suspicious networks. Since Gen6 appliances officially reached end-of-support status on April 16, organizations are also encouraged to begin migrating to newer supported platforms to maintain long-term security protection and vendor support.
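As an added example (not part of the original report), the following Python script applies the threat-hunting indicators above to SonicWall-style key=value syslog lines: it flags sess="CLI" entries, event IDs 238 and 1080, and login sources outside a trusted range. The sample lines, the field names (m= for the event ID, sess=, src=, usr=) and the trusted networks are constructed assumptions, not real appliance output or vendor schema.

```python
import re
import ipaddress

# Constructed SonicWall-style syslog lines for demonstration (not captured from a real device).
SAMPLE_LOGS = [
    'id=firewall sn=CONSTRUCTED time="2026-05-22 09:01:12" m=236 usr="jdoe" src=203.0.113.7 sess="Web" msg="User login successful"',
    'id=firewall sn=CONSTRUCTED time="2026-05-22 09:02:40" m=238 usr="jdoe" src=198.51.100.23 sess="CLI" msg="User login successful"',
    'id=firewall sn=CONSTRUCTED time="2026-05-22 09:03:05" m=1080 usr="jdoe" src=198.51.100.23 sess="sslvpn" msg="SSL VPN zone remote user login allowed"',
    'id=firewall sn=CONSTRUCTED time="2026-05-22 09:10:00" m=1080 usr="svc_backup" src=10.0.5.12 sess="sslvpn" msg="SSL VPN zone remote user login allowed"',
]

# key=value pairs; values may be bare tokens or double-quoted strings containing spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
WATCH_EVENT_IDS = {"238", "1080"}          # event IDs named in the advisory
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),       # assumed internal range
                ipaddress.ip_network("203.0.113.0/24")]   # assumed known remote range

def parse_line(line):
    """Parse one key=value syslog line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields

def is_trusted(src):
    """True if src is a valid IP inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def hunt(lines):
    """Return findings for lines matching the advisory's indicators, with the reasons that fired."""
    findings = []
    for line in lines:
        f = parse_line(line)
        reasons = []
        if f.get("sess") == "CLI":
            reasons.append("sess=CLI")
        if f.get("m") in WATCH_EVENT_IDS:
            reasons.append(f"event id {f['m']}")
        if not reasons:
            continue                         # no watched indicator on this line
        src = f.get("src", "")
        if src and not is_trusted(src):
            reasons.append(f"untrusted source {src}")
        # A watched event from an untrusted source deserves immediate review.
        severity = "high" if len(reasons) > 1 else "review"
        findings.append({"time": f.get("time"), "user": f.get("usr"),
                         "src": src, "severity": severity, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(hit)
```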
