SecurityBrief India
ReliaQuest warns of SonicWall MFA bypass after patching

Fri, 22nd May 2026
Joseph Gabriel Lagonsin, News Editor

ReliaQuest said it had identified what it assesses with medium confidence to be the first known in-the-wild exploitation of CVE-2024-12802 on SonicWall devices. The activity affected multiple environments.

The vulnerability lets attackers bypass multi-factor authentication on SonicWall SSL VPN appliances, reducing access controls to single-factor authentication. In incidents ReliaQuest investigated, some systems appeared patched but remained exposed because certain Gen6 devices required six additional manual configuration steps after a firmware update.

The finding points to a wider problem for companies that treat a software or firmware version check as proof that remediation is complete. In this case, standard patch-management processes could mark a device as fixed even though the vulnerable configuration remained in place.

CVE-2024-12802 was disclosed in early 2025. According to ReliaQuest, attackers exploited the flaw across several environments between February and March 2026 by brute-forcing VPN credentials with automated tools and then logging in without triggering the failed MFA warning defenders would typically expect.

According to the report, Gen7 and newer SonicWall devices are fully remediated by the firmware patch alone, while Gen6 hardware requires additional changes to Lightweight Directory Access Protocol settings. The issue stems from how MFA is enforced across two login formats used in Active Directory environments: user principal names and Security Account Manager account names.

If MFA is configured for one path but not the other, an attacker can log in through the unprotected format as a legitimate user. ReliaQuest's log analysis showed SonicWall appliances issued a one-time password request during malicious authentication attempts, but access still succeeded without the code being supplied.

Attack pattern

The intrusions ReliaQuest observed followed a tight sequence. Attackers brute-forced VPN accounts, checked internal network access, tested whether stolen credentials worked elsewhere, and often logged out within 30 to 60 minutes.

In some cases, the barrier to entry was low. One successful compromise took only 13 login attempts before the attacker found valid credentials.

One investigated intrusion went further. Within 30 minutes of the initial VPN login, the attacker reached a domain-joined file server and opened a Remote Desktop Protocol session using a shared local administrator password.

The attacker then tried to deploy a Cobalt Strike beacon and use a vulnerable signed driver to disable endpoint protection. Endpoint detection tools blocked both attempts, after which the attacker began manually reviewing files on the server with Notepad.

The tools and sequence were consistent with activity commonly seen before ransomware deployment, although ReliaQuest did not attribute the incident to a specific group. It said the tactics matched patterns previously associated with ransomware-linked actors including Akira.

Detection gap

A central part of the report focuses on a log signal that may give defenders earlier warning. ReliaQuest said every brute-force attempt it observed used the session type sess="CLI" in SonicWall authentication logs, indicating scripted or automated VPN authentication rather than a normal interactive user session.

After successful access, the session type changed to sess="GMS". ReliaQuest described that shift as a key indicator that automated credential testing had turned into direct activity on internal systems.

Many organisations are unlikely to be monitoring for that field today, the report said. ReliaQuest advised security teams to include the sess="CLI" value in VPN log monitoring and correlate it with Event ID 238 for failed VPN logins or Event ID 1080 for successful SSL VPN zone logins.

The report also said defenders should first determine whether any legitimate command-line VPN authentication exists in their environment before treating all sess="CLI" events as malicious. In organisations where no such use is authorised, any appearance of the session type should be treated as a strong warning sign.
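The correlation the report describes, as an added example that is not ReliaQuest's own tooling: it scans constructed SonicWall-style log lines for sess="CLI" on Event ID 238 and 1080, flags the later shift to sess="GMS", and skips users with authorised command-line VPN use. The key=value layout and the use of an m= field for the event ID are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed SonicWall-style key=value layout
# (event ID in m=, user in usr=, source in src=). Only the sess="CLI"/"GMS"
# values and Event IDs 238/1080 come from the report.
SAMPLE_LOGS = """\
time="2026-03-02 01:10:05" m=238 msg="SSL VPN login failed" usr="jdoe" src=203.0.113.7 sess="CLI"
time="2026-03-02 01:10:09" m=238 msg="SSL VPN login failed" usr="jdoe" src=203.0.113.7 sess="CLI"
time="2026-03-02 01:10:14" m=1080 msg="SSL VPN zone remote user login allowed" usr="jdoe" src=203.0.113.7 sess="CLI"
time="2026-03-02 01:12:40" m=1080 msg="SSL VPN zone remote user login allowed" usr="jdoe" src=203.0.113.7 sess="GMS"
time="2026-03-02 08:30:00" m=1080 msg="SSL VPN zone remote user login allowed" usr="asmith" src=198.51.100.4 sess="Web"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value log line into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def analyse(text, authorised_cli_users=frozenset()):
    """Return {(user, src): severity} for sources showing the report's pattern.
    medium   = sess="CLI" on Event ID 238 (scripted failed VPN logins)
    high     = sess="CLI" on Event ID 1080 (scripted login succeeded)
    critical = a later sess="GMS" for the same user/source after that success
    Users with authorised command-line VPN use are skipped, as the report advises.
    """
    state = defaultdict(lambda: {"cli_failed": 0, "cli_success": 0, "gms": False})
    for raw in text.splitlines():
        ev = parse_line(raw)
        user, src, sess, event_id = ev.get("usr"), ev.get("src"), ev.get("sess"), ev.get("m")
        if user in authorised_cli_users:
            continue
        s = state[(user, src)]
        if sess == "CLI" and event_id == "238":
            s["cli_failed"] += 1
        elif sess == "CLI" and event_id == "1080":
            s["cli_success"] += 1
        elif sess == "GMS" and s["cli_success"]:
            s["gms"] = True  # automation has turned into interactive activity
    alerts = {}
    for key, s in state.items():
        if s["gms"]:
            alerts[key] = "critical"
        elif s["cli_success"]:
            alerts[key] = "high"
        elif s["cli_failed"]:
            alerts[key] = "medium"
    return alerts
```

Running analyse(SAMPLE_LOGS) flags jdoe from 203.0.113.7 as critical and leaves the interactive sess="Web" login alone.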

Remediation steps

Beyond logging changes, ReliaQuest urged organisations using Gen6 devices to verify that all six manual remediation steps have been completed rather than relying on firmware version alone. It also recommended auditing VPN account privileges, restricting direct access from non-domain-joined devices to sensitive server tiers, and rotating local administrator passwords so each machine has unique credentials.

The issue is not unique to one vendor, ReliaQuest said. It compared the situation with earlier edge-device vulnerabilities that required manual follow-up actions after patching, arguing that many patch-management workflows still struggle to distinguish between a system that is updated and one that is actually secure.

Gen6 SonicWall devices have now reached end-of-life, which ReliaQuest said could increase the risk that vulnerable systems remain in use. It added that such devices are still common in production environments, especially at small and medium-sized businesses and in networks assembled through mergers and acquisitions.

"The central finding of this investigation is simple: Patching doesn't always equal remediation, and that gap has implications well beyond SonicWall," ReliaQuest said.