Hackers bypass SonicWall VPN MFA due to incomplete patching
ID: 9bc8548d-92e8-5244-86f4-c5359c8cda10
STIX ID: report--9bc8548d-92e8-5244-86f4-c5359c8cda10
Feed Name: Bleeping Computer
ReliaQuest observed in-the-wild exploitation of CVE-2024-12802 against SonicWall Gen6 SSL-VPN appliances. The flaw permits MFA to be bypassed when a UPN (User Principal Name) is used for login. Although devices appeared patched at the firmware level, many remained vulnerable because the required LDAP reconfiguration steps had not been completed; the firmware update alone does not close the gap. Attackers used brute-force and scripted logins to gain access, attempted to deploy Cobalt Strike and a vulnerable driver (BYOVD), moved laterally over RDP to domain servers, and likely acted as initial-access brokers. Researchers recommend applying the full vendor remediation (firmware update plus LDAP reconfiguration), monitoring for sess="CLI" and the specific event IDs called out in the report, removing cached LDAP users, and migrating off end-of-life Gen6 appliances.
