CVE-2024-12802
Published: 2025-01-09
Priority P1 · 85 · critical · 9.1 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 0.46% (36.5th percentile)
SSL-VPN MFA Bypass in SonicWALL SSL-VPN can arise in specific cases due to the separate handling of UPN (User Principal Name) and SAM (Security Account Manager) account names when integrated with Microsoft Active Directory, allowing MFA to be configured independently for each login method and potentially enabling attackers to bypass MFA by exploiting the alternative account name.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sonicos | — | — |
| sonicwall | sonicos | — | — |
| sonicwall | sonicos | — | — |
| sonicwall | sonicos | — | — |
| sonicwall | sonicos | — | — |
| sonicwall | sonicos | — | — |
Detection & IOCs (extracted from sources)
- Alert on SonicWall event IDs 238 and 1080 in authentication logs as strong indicators of CVE-2024-12802 MFA bypass activity.
- Flag VPN logins originating from VPS/hosting provider ASNs, especially during off-hours or with abnormally long session durations (40–60 hours), as indicators of attacker-controlled infrastructure.
- MFA bypass via CVE-2024-12802 still appears as a normal MFA flow in logs — do not rely solely on failed MFA alerts; correlate with sess="CLI" and event IDs 238/1080.
- Monitor for rapid post-VPN-login lateral movement: RDP connections using shared local administrator passwords to domain-joined file servers within 30 minutes of VPN session establishment.
- Detect BYOVD attempts (vulnerable driver load) and Cobalt Strike beacon deployment immediately following VPN authentication as post-exploitation staging indicators.
- Audit for SSLVPN local accounts with usernames containing non-printable characters, which is a strong indicator of automated account creation by exploitation tooling.
- Identify stale local SSLVPN accounts that do not exist in Active Directory — these are prime targets for credential-based exploitation and were found on 12 of 14 audited firewalls.
- On Gen6 SonicWall devices, applying the firmware update alone does NOT fully mitigate CVE-2024-12802. Six manual LDAP reconfiguration steps are required: delete the existing LDAP config using userPrincipalName in 'Qualified login name', remove locally cached/listed LDAP users, remove the configured SSL VPN 'User Domain', reboot the firewall, recreate the LDAP configuration without userPrincipalName, and create a fresh backup.
- On Gen7 and Gen8 devices, updating to the newer firmware version is sufficient to fully remediate CVE-2024-12802.
- Restoring a pre-remediation configuration backup on a Gen6 device will re-introduce the vulnerable LDAP configuration; a fresh backup must be created after completing all remediation steps.
- The SonicWall Default LDAP User Group setting grants additive group membership to all LDAP-authenticated users; if mapped to a group with SSLVPN access, every valid AD account can connect to the VPN regardless of intended permissions.
- The SonicWall Virtual Office Portal (MFA/TOTP enrollment interface) exposed to the internet allows an attacker with valid credentials to self-enroll their own TOTP device, fully bypassing MFA without breaking it.
- Gen6 SonicWall devices reached end-of-life on April 16, 2026 and will receive no further firmware or security updates, leaving CVE-2024-12802 permanently unpatched on unmitigated Gen6 devices.
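A triage sketch for the log guidance above (an added example, not code from SonicWall or from any source cited on this page). It assumes the firewall log is exported as key=value syslog in which `m=` carries the event ID and `usr=`, `src=` and `sess=` carry the account, source and session type; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed layout: key=value syslog where m= is the event ID, sess= the session
# type, usr= the account and src= "ip:port:interface". Adjust to your export.
PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')
WATCH_IDS = {"238", "1080"}  # event IDs named in the guidance above

def parse(line):
    """Split one log line into a dict of fields, stripping surrounding quotes."""
    return {k: (inner if raw.startswith('"') else raw)
            for k, raw, inner in PAIR.findall(line)}

def triage(lines):
    """Group watched events per (user, source IP), strongest signal first."""
    hits = defaultdict(lambda: {"ids": set(), "cli": False, "count": 0})
    for line in lines:
        f = parse(line)
        if f.get("m") not in WATCH_IDS:
            continue
        hit = hits[(f.get("usr", "?"), f.get("src", "?").split(":")[0])]
        hit["ids"].add(f["m"])
        hit["cli"] = hit["cli"] or f.get("sess") == "CLI"
        hit["count"] += 1
    # A successful bypass logs as a normal MFA flow, so rank on the
    # correlation (sess="CLI", then both IDs seen), not on failed MFA.
    return sorted(hits.items(),
                  key=lambda kv: (not kv[1]["cli"], -len(kv[1]["ids"])))

# Constructed sample lines (documentation IP ranges, placeholder msg text).
SAMPLE = [
    'id=firewall sn=CONSTRUCTED time="2026-01-01 02:14:07" pri=6 m=238 '
    'msg="(constructed)" sess="CLI" usr="jdoe" src=198.51.100.7:50112:X1',
    'id=firewall sn=CONSTRUCTED time="2026-01-01 02:14:09" pri=6 m=1080 '
    'msg="(constructed)" sess="CLI" usr="jdoe" src=198.51.100.7:50113:X1',
    'id=firewall sn=CONSTRUCTED time="2026-01-01 09:30:00" pri=6 m=1080 '
    'msg="(constructed)" sess="Web" usr="asmith" src=192.0.2.44:40000:X1',
    'id=firewall sn=CONSTRUCTED time="2026-01-01 09:31:00" pri=6 m=537 '
    'msg="(constructed)" src=192.0.2.9:1025:X1',
]

if __name__ == "__main__":
    for (user, ip), hit in triage(SAMPLE):
        print(user, ip, sorted(hit["ids"]), "CLI" if hit["cli"] else "-",
              hit["count"])
```

The ranked pairs are a starting point for the other checks in the list, such as source ASN and session duration, which need data this sketch does not parse.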
CVSS provenance
nvd · v3.1 · 9.1 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vulncheck · 9.1 CRITICAL
GHSA
GHSA-ff32-cmvq-x6c5
ghsa_unreviewed · 2025-01-09
CVE-2024-12802 [CRITICAL] CWE-305
VulnCheck
SonicWall sonicos Authentication Bypass by Primary Weakness
vulncheck · 2024 · CVSS 9.1
CVE-2024-12802 [CRITICAL]
Affected: SonicWall SonicOS
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://reliaquest.com/blog/threat-spotlight-vpn-exploitation-when-patched-doesnt-mean-protected/
SonicWall
vendor_sonicwall · 2025-01-09 · CVSS 9.1
CVE-2024-12802 [CRITICAL] CWE-305
No detection rules found.
No public exploits indexed.
SANS ISC
CVE-2024-40766: The Patch Fixed the Bug. Nobody Fixed the Configuration.
blogs_sans_isc · 2026-06-23 · CVSS 9.8
Published: 2026-06-23. Last Updated: 2026-06-23 03:02:34 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
The vulnerability
In August 2024 SonicWall published advisory SNWLID-2024-0015 for CVE-2024-40766. It is an improper access control vulnerability in SonicOS. CVSS 9.3. It affects the management interface and the SSLVPN service on Gen 5, Gen 6 and Gen 7 firewalls. Each generation has its own affected firmware range: Gen 5 running SonicOS 5.9.2.14-12o and older, Gen 6 running 6.5.4.14-109n and older, and Gen 7 running SonicOS 7.0.1-5035 and older. Successful exploitation lets an attacker gain unauthorized access to the firewall. Under certain conditions it crashes the device entirely.
The scope
BleepingComputer
blogs_bleepingcomputer · 2026-05-20 · CVSS 9.1
CVE-2024-12802 [CRITICAL]
## Hackers bypass SonicWall VPN MFA due to incomplete patching
By Bill Toulas
Threat actors brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances to deploy tools used in ransomware attacks.
During the intrusions, the hacker took between 30 and 60 minutes to log in, do network reconnaissance, test credential reuse on internal systems, and log out.
SonicWall warned in a security advisory for CVE-2024-12802 that installing the firmware update alone on Gen6 devices does not fully mitigate the vulnerability, and a manual reconfiguration of the LDAP server is required. Failing to do so leaves open the possibility of bypassing MFA protection.
Researchers at cybersecurity company ReliaQuest responded to multiple intrusions between Feb