NEWS: One "Notepad" is enough: hackers bypass two-factor authentication in SonicWall SSL VPN

pinkman

A firmware update alone no longer guarantees protection against compromise.

ReliaQuest found that attackers compromised SonicWall SSL VPN devices that had already been updated, because a new firmware version by itself was not enough. On some models, administrators must also change settings manually; otherwise the device looks secure but remains vulnerable.

According to ReliaQuest, attacks on CVE-2024-12802 (CVSS score: 9.4) affected several organizations in February and March 2026. The experts believe, with moderate confidence, that these are the first known cases of the vulnerability being exploited in real attacks. The flaw allows multi-factor authentication on SonicWall SSL VPN devices to be bypassed, effectively reducing protection to a single password.

The vulnerability was disclosed in early 2025. SonicWall released a fix, but for sixth-generation (Gen6) devices the firmware update is not enough: administrators must also carry out six manual steps related to LDAP reconfiguration. Without them the old configuration is retained, and attackers can use a username format through which multi-factor authentication does not work as it should.

The problem is especially dangerous because the attack is almost invisible. In the SonicWall logs, the experts saw a one-time password request, meaning multi-factor authentication was enabled. Yet the login still completed successfully without that password ever being entered. To defenders, such a login looked like the normal authorization of a legitimate user.

In the attacks, the attackers guessed VPN credentials using automated tools. In one case it took them only 13 attempts to find a working login and password pair. After logging in they quickly surveyed the internal network, tried the same credentials on other systems, and sometimes logged out after 30-60 minutes, leaving no obvious traces of compromise.

In one of the investigated incidents the attack developed much faster. About 30 minutes after logging in through the VPN, the attacker connected to a file server over Remote Desktop Protocol using a shared local administrator password. He then tried to run a Cobalt Strike beacon and to load a vulnerable signed driver to disable endpoint protection. The endpoint agent blocked both attempts.

After being blocked, the attacker switched to searching through files manually with Notepad. Such a technique may not raise alarms, because opening documents on a file server looks like ordinary user activity. Such servers often store scripts, configuration files and password documentation, so even a single secret found there can give the attacker a new path into the network.

ReliaQuest links the tools used and the sequence of actions to typical preparation for a ransomware attack. There is no direct attribution, but similar techniques have previously been used by groups associated with ransomware, including Akira.

A separate indicator of the attack was found in the SonicWall logs. All password-guessing attempts were accompanied by the session type ses="CLI". This type indicates automated authorization rather than normal interactive user input. After a successful login, the experts saw a switch to ses="GMS", which could mean a connection to internal resources.

SonicWall administrators are advised to check not only the firmware version but also all six manual steps from the SNWLID-2025-0001 bulletin for Gen6 devices. They should also forward SonicWall authentication logs to their security monitoring system, watch for ses="CLI", review the privileges of VPN accounts and eliminate reuse of local administrator passwords.
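The two log indicators above (a run of ses="CLI" login failures ending in a success, and a subsequent switch to ses="GMS" from the same source) can be turned into a simple detection. The following Python script is an added example and is not code from ReliaQuest, SonicWall or the original post; the sample log lines are constructed, and the key=value field names (time, msg, usr, src) and the "SSLVPN" session type for an ordinary interactive login are assumptions modelled on SonicWall's syslog style rather than values copied from a device. Only ses="CLI" and ses="GMS" come from the findings described in the article.

```python
import re
from collections import defaultdict

# Constructed sample lines in a SonicWall-style key=value syslog layout.
# Field names and the "SSLVPN" session type are assumptions; only ses="CLI"
# and ses="GMS" come from the ReliaQuest findings quoted above.
SAMPLE_LOGS = [
    'time="2026-03-02 08:14:01" msg="User login failed" usr="jdoe" src=198.51.100.23 ses="CLI"',
    'time="2026-03-02 08:14:03" msg="User login failed" usr="jdoe" src=198.51.100.23 ses="CLI"',
    'time="2026-03-02 08:14:05" msg="User login failed" usr="jdoe" src=198.51.100.23 ses="CLI"',
    'time="2026-03-02 08:14:08" msg="User login failed" usr="jdoe" src=198.51.100.23 ses="CLI"',
    'time="2026-03-02 08:14:11" msg="User login successful" usr="jdoe" src=198.51.100.23 ses="CLI"',
    'time="2026-03-02 08:14:30" msg="User login successful" usr="jdoe" src=198.51.100.23 ses="GMS"',
    'time="2026-03-02 09:02:10" msg="User login failed" usr="asmith" src=203.0.113.7 ses="SSLVPN"',
    'time="2026-03-02 09:02:40" msg="User login successful" usr="asmith" src=203.0.113.7 ses="SSLVPN"',
]

# key=value pairs; the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value syslog line into a dict; quoted values lose their quotes."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def analyse(lines, fail_threshold=3):
    """Return alerts for the patterns the article describes:
    1. automated (ses="CLI") failures from one source followed by a success,
    2. any successful VPN login over a CLI session (non-interactive, so suspicious),
    3. a source that logged in over CLI and then switches to ses="GMS".
    Alerts are emitted in log order so an analyst can follow the timeline.
    """
    alerts = []
    cli_failures = defaultdict(int)   # src -> number of ses="CLI" failures seen
    cli_success_src = set()           # sources that already logged in over ses="CLI"
    for raw in lines:
        ev = parse_line(raw)
        src, ses, usr = ev.get("src"), ev.get("ses"), ev.get("usr")
        msg = ev.get("msg", "")
        if ses == "CLI" and "failed" in msg:
            cli_failures[src] += 1
        elif ses == "CLI" and "successful" in msg:
            if cli_failures[src] >= fail_threshold:
                alerts.append({"rule": "cli_guessing_then_success", "src": src,
                               "usr": usr, "failures": cli_failures[src]})
            alerts.append({"rule": "cli_session_login", "src": src, "usr": usr})
            cli_success_src.add(src)
        elif ses == "GMS" and "successful" in msg and src in cli_success_src:
            alerts.append({"rule": "cli_to_gms_pivot", "src": src, "usr": usr})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS):
        print(alert)
```

Against the constructed sample the script raises three alerts for 198.51.100.23 (guessing followed by success, a login over a CLI session, and the CLI-to-GMS pivot) and none for the interactive SSLVPN login. The failure threshold is deliberately low because, as the article notes, one intrusion needed only 13 attempts; tune it against your own baseline, and feed the script from the forwarded authentication logs rather than from the device itself.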

Gen6 devices reached end of support on April 16, 2026, but such models may still be in use in companies, especially in small and medium-sized businesses. ReliaQuest expects attacks on CVE-2024-12802 and similar VPN authentication bypass vulnerabilities to continue through 2026.