
Cybersecurity firm ReliaQuest confirmed on May 19, 2026, that organizations running SonicWall Gen6 SSL-VPN appliances that applied the firmware patch for CVE-2024-12802 may still be fully exposed to MFA bypass — because the patch requires six additional manual configuration steps that standard patch-management workflows are not designed to track or verify.
Researchers Alexander Capraro and Tristan Luikey documented multiple intrusions between February and March 2026 that they assess with medium confidence as the first known in-the-wild exploitation of CVE-2024-12802. In every case, the targeted devices appeared patched based on their firmware version. In one incident, attackers reached a file server and deployed pre-ransomware staging tools within 30 minutes of gaining VPN access.
SonicWall Rated CVE-2024-12802 as Medium. CISA Disagreed.
SonicWall assigned CVE-2024-12802 a CVSS score of 6.5, classifying it as Medium severity. CISA's Authorized Data Publisher independently assessed the same flaw at 9.1, classifying it as Critical — a score that reflects network-level exploitation requiring no privileges and no user interaction.
That three-point gap in severity scores may have contributed directly to the intrusions ReliaQuest investigated. When a vulnerability is rated Medium, most organizations treat the associated patch as routine maintenance — applying the firmware update, confirming the version number, and moving on. SonicWall's own advisory specifies that this sequence is incomplete on Gen6 hardware. For Gen7 and Gen8 devices, the firmware update alone fully resolves the vulnerability. For Gen6, it does not.
"A firmware patch doesn't always equal full remediation," the ReliaQuest researchers wrote. "Organisations should audit any edge device advisory for manual remediation steps and track their completion separately from firmware version."
Why Firmware Version Alone Cannot Confirm Remediation
CVE-2024-12802 exists because SonicWall SSL-VPN appliances handle two Microsoft Active Directory login formats — User Principal Name (UPN, which resembles an email address) and Security Account Manager (SAM) — as separate authentication paths. Because MFA can be configured independently for each path, an attacker who authenticates via the UPN format can bypass MFA enforcement entirely, logging in as though no second factor were required.
The firmware update patches the software code but does not remove the vulnerable LDAP configuration already in place on Gen6 devices. That configuration must be deleted and rebuilt. SonicWall's advisory specifies six steps that must be completed after the firmware update: deleting the existing LDAP configuration that uses userPrincipalName, removing locally cached LDAP users, removing the configured SSL VPN "User Domain," rebooting the firewall, recreating the LDAP configuration without userPrincipalName, and creating a fresh backup to prevent the vulnerable configuration from being restored later.
Organizations that completed the firmware update but skipped these steps remained fully exploitable. In all intrusions ReliaQuest investigated, the devices showed as patched in vulnerability management dashboards.
ReliaQuest draws a direct parallel to CVE-2023-4966, known as Citrix Bleed, in which post-patch configuration requirements were similarly missed at scale, leaving thousands of organizations exposed after believing they had remediated the vulnerability.
What Attackers Did in Under 30 Minutes
The attack sequence ReliaQuest observed was consistent across multiple environments. Attackers used automated tooling to brute-force VPN credentials, requiring as few as 13 attempts before landing a valid account. Once inside, they conducted network reconnaissance, tested credential reuse across internal systems, and staged ransomware-related tooling — the entire sequence completing within 30 to 60 minutes.
The bypass produces no failed-authentication alerts and no anomalous flags in security logs. Log entries show what appears to be a successful, legitimate MFA event, because MFA was configured and the one-time password challenge was issued — the authentication just succeeded without the user providing one. From a defender's perspective watching authentication logs, there is nothing to see.
The only forensic signal ReliaQuest identified was a sess="CLI" value in VPN authentication logs, which indicates scripted or automated authentication. Legitimate user logins do not produce this value. The researchers also flagged event IDs 238 and 1080 in SonicWall authentication logs as consistent indicators across all investigated incidents, along with VPN logins originating from virtual private server or anonymizing infrastructure.
ReliaQuest assesses the threat actor with medium confidence as an access broker — an actor whose business model involves selling verified network access to ransomware operators rather than deploying ransomware directly. Behavioral patterns observed in one intrusion — deliberate logout followed by a return days later using different accounts — are consistent with a broker assessing victim network value before sale.
Tooling observed during the intrusions was consistent with groups operating in the ransomware ecosystem, including Akira, a group that has made targeting SonicWall appliances a documented business practice. According to the At-Bay 2026 InsurSec Report, based on analysis of more than 6,500 claims, Akira accounted for more than 40% of ransomware claims in At-Bay's portfolio, and SonicWall appliances were present in 86% of Akira attacks.
Gen6 End-of-Life Closes Remediation Window
SonicWall Gen6 SSL-VPN appliances reached end-of-life on April 16, 2026. The vendor will issue no further security updates for the device class. Organizations still running Gen6 hardware have no patch-based path forward for future vulnerabilities — only migration to Gen7 or Gen8.
For the current CVE-2024-12802 exposure, the firmware update SonicWall issued in 2025 remains the necessary first step on Gen6. But the end-of-life status means organizations should treat completing the six LDAP remediation steps as an immediate priority rather than deferred maintenance, and should treat Gen6 hardware itself as a migration target rather than a long-term asset.
SonicWall has since published an automation script for SNWLID-2025-0001 that executes the six remediation steps via SonicOS API or SSH.
SonicWall's Track Record With Incomplete Disclosures
The severity scoring gap in CVE-2024-12802 is not the first accountability question SonicWall has faced over its handling of vulnerability disclosures.
In February 2026, Marquis Software Solutions — a Texas-based fintech firm serving more than 700 banks, credit unions, and mortgage lenders — filed suit in U.S. District Court against SonicWall, accusing the company of gross negligence over a 2025 breach of its MySonicWall cloud backup service. Attackers used firewall configuration data stolen from SonicWall's cloud storage — including emergency passcodes and MFA scratch codes left unencrypted — to bypass Marquis's own security controls and deploy ransomware on August 14, 2025. The attack disrupted operations at 74 U.S. banks and exposed personal data — including Social Security numbers and financial account information — belonging to more than 400,000 individuals. Marquis is now defending more than 36 consumer class action lawsuits as a result.
The Marquis complaint specifically alleged that SonicWall "had reason to know that using predictable device serial numbers created a foreseeable vulnerability" and failed to encrypt sensitive elements of customer configuration files.
SonicWall did not immediately respond to requests for comment on the CVE-2024-12802 severity rating discrepancy or on the ReliaQuest report.
What Security Teams Should Do Now
For organizations running SonicWall Gen6 SSL-VPN appliances, ReliaQuest recommends treating any prior firmware version check as insufficient confirmation of remediation. Security teams should verify explicitly that all six LDAP remediation steps from advisory SNWLID-2025-0001 were completed, since firmware version alone does not confirm this. Adding sess="CLI" as a high-priority alert condition in VPN authentication log monitoring is essential, as is watching for event IDs 238 and 1080. Auditing VPN account privileges and reducing standing access limits the blast radius of any successful bypass. Any absence of failed-authentication alerts should be treated as neutral, not as evidence that MFA is functioning correctly. Organizations should also begin planning migration to Gen7 or Gen8 hardware given Gen6's end-of-life status.
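To make the log-monitoring guidance above concrete (the sess="CLI" signal, event IDs 238 and 1080, and logins from VPS or anonymizing infrastructure), here is an added example that is not ReliaQuest's or SonicWall's tooling: it parses constructed SonicWall-style key=value syslog lines and triages them by user and source address. The sample lines, the VPS prefix list and the field names m= (event ID), usr= and src= are assumptions; only sess="CLI" and the two event IDs come from the report.

```python
import re
from collections import defaultdict
# Event IDs the article reports as consistent across the investigated intrusions.
SUSPECT_EVENT_IDS = {"238", "1080"}
# Constructed prefixes standing in for a VPS/anonymizer address list (assumption).
VPS_PREFIXES = ("203.0.113.",)

# Constructed sample lines in SonicWall's key=value syslog style. Only sess="CLI" and the
# event IDs come from the article; m= (event ID), usr= and src= are assumed field names.
SAMPLE_LOGS = [
    'id=firewall sn=SN-PLACEHOLDER time="2026-02-10 09:01:12" m=1080 msg="User login from SSL VPN" usr="jdoe" src=203.0.113.7 sess="CLI"',
    'id=firewall sn=SN-PLACEHOLDER time="2026-02-10 09:02:40" m=1080 msg="User login from SSL VPN" usr="asmith" src=198.51.100.22 sess="Web"',
    'id=firewall sn=SN-PLACEHOLDER time="2026-02-10 09:03:05" m=238 msg="SSL VPN authentication" usr="jdoe" src=203.0.113.7 sess="CLI"',
    'id=firewall sn=SN-PLACEHOLDER time="2026-02-10 09:04:19" m=1079 msg="User logout" usr="asmith" src=198.51.100.22 sess="Web"',
]
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one key=value syslog line into a dict, honouring double-quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def indicators(fields):
    """Return the article's indicators that a single event matches."""
    hits = []
    if fields.get("sess") == "CLI":
        hits.append("sess=CLI: scripted/automated authentication")
    if fields.get("m") in SUSPECT_EVENT_IDS:
        hits.append(f"event id {fields['m']}")
    src = fields.get("src", "")
    if src.startswith(VPS_PREFIXES):
        hits.append(f"source {src} matches VPS/anonymizer list")
    return hits

def triage(lines):
    """Group matching events by (user, source). sess="CLI" is 'high' because legitimate
    interactive logins never carry it; event-ID or source matches alone are 'review',
    since real logins emit the same event IDs."""
    grouped = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        if hits := indicators(f):
            grouped[(f.get("usr"), f.get("src"))].extend(hits)
    return {key: {"priority": "high" if any(h.startswith("sess=CLI") for h in hits) else "review",
                  "indicators": sorted(set(hits))}
            for key, hits in grouped.items()}

if __name__ == "__main__":
    for (usr, src), r in triage(SAMPLE_LOGS).items():
        print(f"{r['priority']:6} {usr}@{src}: {'; '.join(r['indicators'])}")
```

A real deployment would feed the firewall's syslog export into triage() and route "high" results straight to an alert, while "review" results are only worth a look when paired with other signals such as the bruteforce pattern the report describes.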
Organizations that have not completed the six manual steps remain fully exposed to CVE-2024-12802 regardless of what their patch-management dashboard reports.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.