Ethical Hacking News

Exploiting the Unpatched SonicWall VPN Vulnerability: A Cautionary Tale of MFA Bypass



Cybersecurity experts warn that a recent SonicWall VPN vulnerability is being exploited by attackers to bypass Multi-Factor Authentication (MFA) due to inadequate patching processes, leaving organizations vulnerable to security breaches and potential ransomware attacks.

  • Attackers are successfully bypassing SonicWall Gen6 SSL-VPN MFA due to an issue with a previous fix for CVE-2024-12802.
  • Many organizations may not be monitoring VPN authentication logs, making it difficult to detect and respond to such breaches.
  • A six-step LDAP reconfiguration process is required to fully remediate the vulnerability, which many organizations may be missing.
  • The ability to bypass MFA makes it easier for attackers to move laterally within a network, increasing the potential damage.
  • Experts are urging organizations to take immediate action to address this vulnerability and follow all necessary steps to fix security vulnerabilities.


It has recently been revealed that attackers are successfully bypassing Multi-Factor Authentication (MFA) on SonicWall Gen6 SSL-VPN appliances because of an issue with the previous fix for a known vulnerability. The situation is particularly concerning given the severity of the threat and the potential consequences for organizations that fail to protect their networks adequately.

According to Pierluigi Paganini, the cybersecurity expert who first reported on the issue, the attackers are using brute-force attacks to bypass MFA, which has allowed them to gain unauthorized access to internal networks. Compounding the problem, many organizations may not be monitoring VPN authentication logs, which makes such breaches difficult to detect and respond to.

The vulnerability in question, CVE-2024-12802, was initially identified as a critical security flaw that could allow attackers to reduce authentication to single-factor access. Although firmware updates were released for Gen6 devices, experts have warned that the updates alone are not sufficient to fully remediate the issue: a six-step LDAP reconfiguration process is also required, and many organizations may be missing it.

The consequences of such a breach can be severe, particularly if an attacker gains access to sensitive data or deploys ransomware. In recent months there have been numerous reports of attackers using compromised VPN credentials to gain access to internal networks and deploy malicious payloads. The ability to bypass MFA makes it easier for attackers to move laterally within a network, increasing the potential damage.

So, how did this happen? According to Paganini, the root cause is that many organizations may not be following all the steps required to fully fix the vulnerability: the firmware update is applied, but the six-step LDAP reconfiguration process is overlooked or missed. The result is that attackers can bypass MFA and gain unauthorized access to internal networks.

To put this into perspective, ReliaQuest researchers observed what they believe to be the first in-the-wild exploitation of CVE-2024-12802 across multiple environments between February and March 2026. The attackers used brute-force attacks to bypass MFA and gain access to internal networks, often reaching file servers in under 30 minutes. In some cases, as few as 13 brute-force attempts stood between an attacker and a valid credential.

Experts are urging organizations to take immediate action to address this vulnerability. This starts with confirming that the full remediation has been completed, which requires more than applying firmware updates: the six-step LDAP reconfiguration process must also be followed for the vulnerability to be fully fixed.

For defenders reviewing logs, experts recommend searching VPN authentication logs for the "sess='CLI'" indicator, which can point to an MFA problem that predates the advisory. Organizations are also advised to follow best practices for monitoring VPN authentication logs and to implement additional security measures to prevent similar breaches in the future.
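As an added illustration (not code from the article, ReliaQuest or SonicWall), the following Python flags the two signals the text describes in constructed VPN authentication log lines: the sess='CLI' marker, and a burst of failed logins followed by a success from the same source and user. The key=value layout, field names, addresses and timestamps are assumptions made for the sample, not SonicWall's real log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real SonicWall output; the key=value layout is an assumption.
SAMPLE_LOG = """\
time="2026-03-02 08:00:01" src=203.0.113.7 user=jdoe result=failed sess='VPN'
time="2026-03-02 08:00:04" src=203.0.113.7 user=jdoe result=failed sess='VPN'
time="2026-03-02 08:00:07" src=203.0.113.7 user=jdoe result=failed sess='VPN'
time="2026-03-02 08:00:10" src=203.0.113.7 user=jdoe result=failed sess='VPN'
time="2026-03-02 08:00:13" src=203.0.113.7 user=jdoe result=success sess='CLI'
time="2026-03-02 09:15:00" src=198.51.100.9 user=asmith result=failed sess='VPN'
time="2026-03-02 09:20:00" src=198.51.100.9 user=asmith result=success sess='VPN'
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')

def parse_line(line):
    """Split one key=value line into a dict, stripping quotes and parsing the time."""
    ev = {k: v.strip('"\'') for k, v in FIELD_RE.findall(line)}
    ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
    return ev

def analyse(log_text, max_failures=3, window=timedelta(minutes=10)):
    """Return (cli_hits, bruteforce_hits): events carrying the sess='CLI' marker, and
    (src, user, n) where a success follows >= max_failures failed logins from the same
    src/user inside `window` (the article reports as few as 13 attempts sufficed)."""
    cli_hits, bruteforce_hits = [], []
    failures = defaultdict(list)  # (src, user) -> timestamps of failed logins
    for line in log_text.splitlines():
        ev = parse_line(line)
        key = (ev["src"], ev["user"])
        if ev.get("sess") == "CLI":
            cli_hits.append((ev["src"], ev["user"], ev["time"]))
        if ev["result"] == "failed":
            failures[key].append(ev["time"])
        elif ev["result"] == "success":
            recent = [t for t in failures[key] if ev["time"] - t <= window]
            if len(recent) >= max_failures:
                bruteforce_hits.append((ev["src"], ev["user"], len(recent)))
            failures[key].clear()  # a success closes the current attempt series
    return cli_hits, bruteforce_hits

if __name__ == "__main__":
    for src, user, when in analyse(SAMPLE_LOG)[0]:
        print(f"sess='CLI' for {user} from {src} at {when}")
    for src, user, n in analyse(SAMPLE_LOG)[1]:
        print(f"{n} failures then success for {user} from {src}")
```

The threshold and window are tunable; in practice they should sit well below the 13 attempts the article reports so that a short burst is not lost in normal login noise.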

In conclusion, the recent SonicWall VPN vulnerability highlights the importance of following every step needed to fix a security vulnerability, not just the first one. That attackers can bypass MFA on Gen6 SSL-VPN appliances because of incomplete patching is a wake-up call for organizations to act immediately. By taking proactive measures to protect their networks, organizations can reduce the risk of security breaches and potential ransomware attacks.

Related Information:
  • https://www.ethicalhackingnews.com/articles/Exploiting-the-Unpatched-SonicWall-VPN-Vulnerability-A-Cautionary-Tale-of-MFA-Bypass-ehn.shtml
  • https://securityaffairs.com/192477/hacking/attackers-are-bypassing-mfa-on-sonicwall-vpns-because-something-was-wrong-with-previous-fix.html


  • Published: Thu May 21 11:17:23 2026 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.