CVE-2024-12802Authentication Bypass by Primary Weakness in Sonicos

CWE-305Authentication Bypass by Primary Weakness3 documents3 sources
Severity
9.1CRITICALNVD
EPSS
0.1%
top 81.31%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Sonicwall Sonicos
Timeline
PublishedJan 9

Description

SSL-VPN MFA Bypass in SonicWALL SSL-VPN can arise in specific cases due to the separate handling of UPN (User Principal Name) and SAM (Security Account Manager) account names when integrated with Microsoft Active Directory, allowing MFA to be configured independently for each login method and potentially enabling attackers to bypass MFA by exploiting the alternative account name.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages1 packages

CVEListV5sonicwall/sonicos6 versions+5

🔴Vulnerability Details

2
GHSA
GHSA-ff32-cmvq-x6c5: SSL-VPN MFA Bypass in SonicWALL SSL-VPN can arise in specific cases due to the separate handling of UPN (User Principal Name) and SAM (Security Accoun2025-01-09
CVEList
CVE-2024-12802: SSL-VPN MFA Bypass in SonicWALL SSL-VPN can arise in specific cases due to the separate handling of UPN (User Principal Name) and SAM (Security Accoun2025-01-09
CVE-2024-12802 — Sonicwall Sonicos vulnerability | cvebase