Threat actors brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances to deploy tools used in ransomware attacks.

During the intrusions, the threat actor took between 30 and 60 minutes to log in, perform network reconnaissance, test credential reuse on internal systems, and log out.
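The pattern described above (a burst of failed SSL-VPN logins, then a success, then a session of well under an hour) is something defenders can look for in VPN authentication logs. The check below is an added example, not code from the article, ReliaQuest or SonicWall; the log format, field names and sample events are constructed, and real SonicWall syslog fields would have to be mapped onto them.

```python
# Added example (not from the article or SonicWall): flag SSL-VPN logins that
# follow a burst of failed attempts from the same source. The log format is
# constructed for illustration; map real syslog fields onto it before use.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events: timestamp, event, user, source IP.
SAMPLE_LOG = """\
2025-02-10T02:00:01 LOGIN_FAIL jdoe 203.0.113.7
2025-02-10T02:00:03 LOGIN_FAIL jdoe 203.0.113.7
2025-02-10T02:00:05 LOGIN_FAIL jdoe 203.0.113.7
2025-02-10T02:00:07 LOGIN_FAIL jdoe 203.0.113.7
2025-02-10T02:00:09 LOGIN_FAIL jdoe 203.0.113.7
2025-02-10T02:00:12 LOGIN_OK   jdoe 203.0.113.7
2025-02-10T02:41:30 LOGOUT     jdoe 203.0.113.7
2025-02-10T08:15:00 LOGIN_FAIL asmith 198.51.100.4
2025-02-10T08:15:20 LOGIN_OK   asmith 198.51.100.4
2025-02-10T17:02:00 LOGOUT     asmith 198.51.100.4
"""

def parse(text):
    """Parse constructed log lines into (timestamp, event, user, src) tuples."""
    events = []
    for line in text.splitlines():
        ts, event, user, src = line.split()
        events.append((datetime.fromisoformat(ts), event, user, src))
    return events

def suspicious_logins(events, min_failures=5, window=timedelta(minutes=10)):
    """Return (user, src, failures, session_minutes) for each successful login
    preceded by at least min_failures failures from the same user/source
    within `window`. session_minutes is None when no logout was seen."""
    fails = defaultdict(list)   # (user, src) -> recent failure timestamps
    open_sessions = {}          # (user, src) -> (login time, failure count)
    hits = []
    for ts, event, user, src in sorted(events):
        key = (user, src)
        if event == "LOGIN_FAIL":
            fails[key].append(ts)
        elif event == "LOGIN_OK":
            recent = [t for t in fails[key] if ts - t <= window]
            if len(recent) >= min_failures:
                open_sessions[key] = (ts, len(recent))
            fails[key].clear()
        elif event == "LOGOUT" and key in open_sessions:
            start, n = open_sessions.pop(key)
            hits.append((user, src, n, round((ts - start).total_seconds() / 60)))
    # Sessions still open at the end of the log are reported without a duration.
    for (user, src), (start, n) in open_sessions.items():
        hits.append((user, src, n, None))
    return hits
```

On the sample data only the jdoe login is flagged: five failures in a few seconds, then a successful login and a 41-minute session; the single failure before asmith's login stays below the threshold.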

SonicWall warned in a security advisory for CVE-2024-12802 that installing the firmware update alone on Gen6 devices does not fully mitigate the vulnerability, and a manual reconfiguration of the LDAP server is required. Failing to do so leaves open the possibility of bypassing MFA protection.

Researchers at cybersecurity company ReliaQuest responded to multiple intrusions between February and March, and assessed “with medium confidence to be the first in-the-wild exploitation of CVE-2024-12802, targeting SonicWall devices across multiple environments.”

The researchers noted that, in the environments they investigated, the devices appeared to be patched because they were running the updated firmware, yet they remained vulnerable because the required remediation steps had not been completed.