VPN Exploitation When Patched Doesn't Mean Protected
ID: 0d85f7e4-edc2-563f-9eb8-a9f0e084e58c
STIX ID: report--0d85f7e4-edc2-563f-9eb8-a9f0e084e58c
Feed Name: ReliaQuest Blog
ReliaQuest observed medium-confidence, in-the-wild exploitation of CVE-2024-12802 on SonicWall Gen6 SSL VPN appliances, in which attackers bypassed MFA by authenticating via an unprotected login format. Automated brute-force attempts (sess="CLI") led to rapid lateral access in some cases: one escalation reached a file server within ~30–40 minutes and attempted Cobalt Strike and BYOVD. Remediation on Gen6 requires six manual LDAP reconfiguration steps beyond the firmware patch, leaving many devices falsely marked as patched while remaining vulnerable.
