CVE-2024-12802
published 2025-01-09

CVE-2024-12802: SSL-VPN MFA Bypass in SonicWALL SSL-VPN

Priority P1 · 85 · critical 9.1 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS 0.46% (36.5th percentile)
SSL-VPN MFA Bypass in SonicWALL SSL-VPN can arise in specific cases due to the separate handling of UPN (User Principal Name) and SAM (Security Account Manager) account names when integrated with Microsoft Active Directory, allowing MFA to be configured independently for each login method and potentially enabling attackers to bypass MFA by exploiting the alternative account name.
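The mechanism in that description, shown as an added example (not SonicWall code): a toy authenticator that keys its MFA policy on the login name as typed, so an account enrolled for MFA under its UPN can be used without MFA under its sAMAccountName, next to a hardened variant that canonicalises to one directory identity before the policy lookup and fails closed when no policy exists. The directory entry, password, objectSid, the `DOMAIN\user` handling and both policy tables are constructed assumptions, not anything read from a device.

```python
"""Vulnerable vs hardened MFA policy lookup for an AD account that is
reachable under two login names (UPN and sAMAccountName).

Added example, not SonicWall code. DIRECTORY, the password, the SID and the
two policy tables are constructed for illustration.
"""

# Constructed directory: one AD object, two valid login spellings.
DIRECTORY = [
    {"sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@corp.example",
     "objectSid": "S-1-5-21-1-2-3-1105",
     "password": "Winter2025!"},
]

# Constructed policy as the vulnerable design stores it: keyed on the typed
# login name, which is what "MFA configured independently for each login
# method" amounts to. The admin enrolled the UPN form only.
MFA_BY_LOGIN_NAME = {"jdoe@corp.example": True}

# Constructed policy for the hardened design: keyed on the immutable identity.
MFA_BY_SID = {"S-1-5-21-1-2-3-1105": True}
REQUIRE_MFA_BY_DEFAULT = True


def find_account(login_name):
    """Resolve a typed name against both attributes, as a qualified-login-name
    LDAP lookup does. DOMAIN\\user is folded to the SAM part (assumption)."""
    needle = login_name.lower()
    if "\\" in needle:
        needle = needle.split("\\", 1)[1]
    for acct in DIRECTORY:
        if needle in (acct["sAMAccountName"].lower(),
                      acct["userPrincipalName"].lower()):
            return acct
    return None


def vulnerable_login(login_name, password, totp_ok):
    """Modelled bug: MFA is decided by the spelling the user typed."""
    acct = find_account(login_name)
    if acct is None or acct["password"] != password:
        return "denied"
    if MFA_BY_LOGIN_NAME.get(login_name, False) and not totp_ok:
        return "denied"
    return "ok"          # SAM spelling of a UPN-enrolled user: no MFA asked


def hardened_login(login_name, password, totp_ok):
    """Canonicalise first; policy is resolved on the directory object, and an
    object with no explicit policy still needs MFA (fail closed)."""
    acct = find_account(login_name)
    if acct is None or acct["password"] != password:
        return "denied"
    required = MFA_BY_SID.get(acct["objectSid"], REQUIRE_MFA_BY_DEFAULT)
    if required and not totp_ok:
        return "denied"
    return "ok"


if __name__ == "__main__":
    for name in ("jdoe@corp.example", "jdoe", "CORP\\jdoe"):
        print(f"{name:20} vulnerable={vulnerable_login(name, 'Winter2025!', False)}"
              f"  hardened={hardened_login(name, 'Winter2025!', False)}")
```

The two functions differ only in where the policy key comes from; that is the whole bug. Any real fix has to make every login path converge on one identity before any per-user security setting is read, which is also why the Gen6 remediation on this page removes the userPrincipalName qualified-login configuration rather than adding a second MFA rule.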

Affected

6 ranges (version range and fixed-in values not captured on this page)

Vendor | Product | Version range | Fixed in
sonicwall | sonicos | |
sonicwall | sonicos | |
sonicwall | sonicos | |
sonicwall | sonicos | |
sonicwall | sonicos | |
sonicwall | sonicos | |

Detection & IOCs (extracted from sources)

Event ID 238 (type: other)
Event ID 1080 (type: other)
  • Alert on SonicWall event IDs 238 and 1080 in authentication logs as strong indicators of CVE-2024-12802 MFA bypass activity.
  • Flag VPN logins originating from VPS/hosting provider ASNs, especially during off-hours or with abnormally long session durations (40–60 hours), as indicators of attacker-controlled infrastructure.
  • MFA bypass via CVE-2024-12802 still appears as a normal MFA flow in logs — do not rely solely on failed MFA alerts; correlate with sess="CLI" and event IDs 238/1080.
  • Monitor for rapid post-VPN-login lateral movement: RDP connections using shared local administrator passwords to domain-joined file servers within 30 minutes of VPN session establishment.
  • Detect BYOVD attempts (vulnerable driver load) and Cobalt Strike beacon deployment immediately following VPN authentication as post-exploitation staging indicators.
  • Audit for SSLVPN local accounts with usernames containing non-printable characters, which is a strong indicator of automated account creation by exploitation tooling.
  • Identify stale local SSLVPN accounts that do not exist in Active Directory — these are prime targets for credential-based exploitation and were found on 12 of 14 audited firewalls.
  • On Gen6 SonicWall devices, applying the firmware update alone does NOT fully mitigate CVE-2024-12802. Six manual LDAP reconfiguration steps are required: delete the existing LDAP config using userPrincipalName in 'Qualified login name', remove locally cached/listed LDAP users, remove the configured SSL VPN 'User Domain', reboot the firewall, recreate the LDAP configuration without userPrincipalName, and create a fresh backup.
  • On Gen7 and Gen8 devices, updating to the newer firmware version is sufficient to fully remediate CVE-2024-12802.
  • Restoring a pre-remediation configuration backup on a Gen6 device will re-introduce the vulnerable LDAP configuration; a fresh backup must be created after completing all remediation steps.
  • The SonicWall Default LDAP User Group setting grants additive group membership to all LDAP-authenticated users; if mapped to a group with SSLVPN access, every valid AD account can connect to the VPN regardless of intended permissions.
  • The SonicWall Virtual Office Portal (MFA/TOTP enrollment interface) exposed to the internet allows an attacker with valid credentials to self-enroll their own TOTP device, fully bypassing MFA without breaking it.
  • Gen6 SonicWall devices reached end-of-life on April 16, 2026 and will receive no further firmware or security updates, leaving CVE-2024-12802 permanently unpatched on unmitigated Gen6 devices.
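A detection pass over the first three indicators in the list above (event IDs 238/1080 with sess="CLI", VPN logins from hosting-provider ASNs outside business hours, and sessions of 40 hours or more), written as an added example rather than any vendor or VulnCheck rule. It assumes SonicWall's key=value syslog layout with `m=` carrying the event ID and `sess=` the session type; the login/logout message texts and the placeholder event IDs 9001/9002, the IP-to-ASN mapping and the business-hours window are all assumptions, and every log line is constructed, not captured from a device.

```python
"""Detection pass for the CVE-2024-12802 indicators: event IDs 238/1080 with
sess="CLI", VPN logins from hosting ASNs (worse off-hours), and sessions
lasting 40 h or more.

Added example, not SonicWall's or VulnCheck's code. Assumptions: the
key=value syslog layout (m= event ID, sess= session type), the login/logout
message texts and placeholder IDs 9001/9002, SAMPLE_ASN and BUSINESS_HOURS.
All sample lines are constructed.
"""
import re
from datetime import datetime, timezone

SUSPECT_EVENT_IDS = {238, 1080}        # from the IOC list on this page
HOSTING_ASNS = {"AS14061", "AS16509"}   # hypothetical VPS/hosting ASN list
LONG_SESSION_HOURS = 40                 # lower end of the 40-60 h range above
BUSINESS_HOURS = range(7, 19)           # assumption: 07:00-18:59 UTC is normal

# Constructed sample: one user logs in over a CLI-type SSL-VPN session from a
# hosting-provider address at night and stays ~50 h; one ordinary daytime
# session. 9001/9002 are placeholder login/logout IDs, not real SonicWall IDs.
SAMPLE_LOG = """\
id=firewall sn=0017C5EXAMPLE time="2025-01-10 02:14:07 UTC" fw=203.0.113.10 pri=6 m=238 msg="Constructed: SSL VPN user login allowed" sess="CLI" usr="jdoe@corp.example" src=198.51.100.23:51022 dst=203.0.113.10:443
id=firewall sn=0017C5EXAMPLE time="2025-01-10 02:14:09 UTC" fw=203.0.113.10 pri=6 m=1080 msg="Constructed: MFA step completed" sess="CLI" usr="jdoe@corp.example" src=198.51.100.23:51022 dst=203.0.113.10:443
id=firewall sn=0017C5EXAMPLE time="2025-01-12 04:30:00 UTC" fw=203.0.113.10 pri=6 m=9002 msg="Constructed: SSL VPN user logout" sess="CLI" usr="jdoe@corp.example" src=198.51.100.23:51022 dst=203.0.113.10:443
id=firewall sn=0017C5EXAMPLE time="2025-01-10 09:00:00 UTC" fw=203.0.113.10 pri=6 m=9001 msg="Constructed: SSL VPN user login allowed" sess="sslvpnc" usr="asmith" src=192.0.2.44:40001 dst=203.0.113.10:443
id=firewall sn=0017C5EXAMPLE time="2025-01-10 17:30:00 UTC" fw=203.0.113.10 pri=6 m=9002 msg="Constructed: SSL VPN user logout" sess="sslvpnc" usr="asmith" src=192.0.2.44:40001 dst=203.0.113.10:443
"""
SAMPLE_ASN = {"198.51.100.23": "AS14061", "192.0.2.44": "AS7922"}  # hypothetical

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split one key=value line into a dict; unquote, type the fields we use."""
    rec = {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}
    rec["event_id"] = int(rec.get("m", -1))
    rec["ts"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
    rec["ip"] = rec.get("src", "").rsplit(":", 1)[0]      # drop the source port
    return rec


def analyze(log_text, asn_of):
    """Return a list of finding dicts for the three indicators."""
    findings = []
    open_sessions = {}                       # (usr, ip) -> login timestamp
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        usr, ip, msg = r.get("usr", ""), r["ip"], r.get("msg", "").lower()
        # 1. the two event IDs named as strong indicators; the bypass looks like
        #    a normal MFA flow, so sess="CLI" is what raises confidence
        if r["event_id"] in SUSPECT_EVENT_IDS:
            findings.append({"rule": "suspect_event_id", "event_id": r["event_id"],
                             "usr": usr, "ip": ip, "sess": r.get("sess"),
                             "high_confidence": r.get("sess") == "CLI"})
        if "login" in msg:
            # 2. attacker-controlled infrastructure: hosting ASN, worse off-hours
            asn = asn_of.get(ip)
            if asn in HOSTING_ASNS:
                findings.append({"rule": "hosting_asn_login", "usr": usr, "ip": ip,
                                 "asn": asn, "off_hours": r["ts"].hour not in BUSINESS_HOURS})
            open_sessions[(usr, ip)] = r["ts"]
        elif "logout" in msg:
            # 3. abnormally long sessions from matched login/logout pairs
            start = open_sessions.pop((usr, ip), None)
            if start is not None:
                hours = (r["ts"] - start).total_seconds() / 3600
                if hours >= LONG_SESSION_HOURS:
                    findings.append({"rule": "long_session", "usr": usr, "ip": ip,
                                     "hours": round(hours, 1)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, SAMPLE_ASN):
        print(f)
```

Run against real exports, replace SAMPLE_ASN with a lookup from your enrichment source and the 9001/9002 placeholders with the login/logout IDs your firmware emits; the 238/1080 rule is the only one taken directly from the IOC list, the other two encode the behavioural indicators and need tuning to the site's normal hours and session lengths.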

CVSS provenance

NVD: v3.1 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
VulnCheck: 9.1 CRITICAL