Attackers are bypassing MFA on SonicWall VPNs because something was wrong with previous fix
ID: 31ce082a-c464-5de9-a3ff-285c3ce74436
STIX ID: report--31ce082a-c464-5de9-a3ff-285c3ce74436
Feed Name: Security Affairs
ReliaQuest observed active exploitation of SonicWall CVE-2024-12802 on Gen6 SSL-VPN appliances. Firmware updates alone are insufficient: six manual LDAP reconfiguration steps are required to close an MFA bypass in which MFA is enforced on the SAM account name while attackers authenticate with the UPN instead. In the observed intrusions, attackers brute-forced VPN accounts, bypassed MFA, moved to file servers quickly (sometimes within 30 minutes), attempted to deploy Cobalt Strike and to disable EDR via a driver, and left log signals such as sess="CLI" and Event IDs 238/1080. Gen6 devices are end-of-life, so migration to supported hardware is recommended.
