
Forensic analysts at ReliaQuest have determined that threat actors are successfully compromising fully patched SonicWall SSL VPN appliances, showing that installing the vendor's firmware update alone is not enough. On specific hardware models, administrators must also change internal configuration settings by hand; without those steps, the appliance reports a patched state while remaining fully exposed to external exploitation.
According to telemetry compiled by ReliaQuest, exploitation of CVE-2024-12802 (CVSS score 9.4) hit multiple enterprise networks throughout February and March 2026. Investigators assess with moderate confidence that these incidents are the first documented cases of this vulnerability being exploited in the wild. The flaw allows a complete bypass of multi-factor authentication (MFA) on SonicWall SSL VPN gateways, reducing the identity perimeter to a single static password that attackers can readily guess or harvest.
Although the flaw was disclosed in early 2025 together with a vendor patch, sixth-generation (Gen6) appliances are only partially remediated by the firmware update alone. To close the vulnerability fully, administrators must also carry out an additional six-step manual remediation procedure covering the LDAP configuration. If these steps are skipped, the legacy configuration profile persists, and an attacker can submit usernames in specific formats that cause the standard MFA validation routine to be bypassed.
The primary hazard of this technique is how legitimate it looks in the logs. ReliaQuest observed that the SonicWall authentication logs recorded the usual request for a Time-based One-Time Password (TOTP), confirming that MFA was enforced by policy, yet the malicious login completed successfully without the second factor ever being supplied. To network defenders and automated security tooling, the intrusion was indistinguishable from a normal user login.
Throughout these campaigns the adversaries used automated password-guessing scripts against exposed VPN endpoints. In one case a threat group needed only thirteen attempts to find a valid credential pair. Once authenticated, the actors performed rapid internal reconnaissance, tested the harvested credentials against adjacent servers, and in some cases dropped the connection within thirty to sixty minutes, leaving little trace of the perimeter compromise.
In a separate investigated incident the attack progressed much faster. Within roughly thirty minutes of establishing the VPN tunnel, the intruder used a widely reused local administrator credential to pivot to a high-value file server over the Remote Desktop Protocol (RDP). From there the adversary attempted to launch a Cobalt Strike beacon and to load a vulnerable, cryptographically signed kernel driver in a Bring Your Own Vulnerable Driver (BYOVD) attack intended to blind the endpoint detection and response (EDR) agent. The endpoint security suite blocked both attempts.
After that containment, the threat actor switched to manual file reconnaissance with the benign Notepad.exe utility. The pivot is deliberate: opening documents on a file server resembles routine administrative work and evades traditional heuristic anomaly detection. Such servers routinely hold internal deployment scripts, environment configuration files and plaintext credential files, so a single leaked secret can give an adversary an unobstructed second path deeper into the enterprise.
ReliaQuest matches the tooling and sequence of actions observed to the classic staging phases of ransomware operations. While it has stopped short of a definitive attribution, the operational mechanics mirror those used historically by prominent ransomware groups, most notably Akira.
A distinct behavioral indicator was found in the SonicWall connection logs themselves. Every brute-force authentication attempt carried a session-type tag of sess="CLI", which denotes scripted interaction rather than a human user in the portal. After a successful authentication, analysts saw an immediate switch to sess="GMS", which strongly suggests automated onward connections into the internal corporate network.
SonicWall administrators are urged not only to check the firmware version of their fleet but to explicitly confirm that the six manual remediation steps in advisory SNWLID-2025-0001 have been completed on every active Gen6 physical appliance. Organizations should also forward full SonicWall authentication logs to a central security log platform, alert on the appearance of sess="CLI", audit the permissions of every active VPN identity, and eliminate the reuse of local administrator credentials across the infrastructure.
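The two indicators above (sess="CLI" on scripted login attempts, and a switch to sess="GMS" once a login succeeds) can be turned into a simple log triage rule. The Python below is an added example, not code from ReliaQuest or SonicWall; the key=value log layout, the field names usr, src and msg, the message texts and the sample lines themselves are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines, not taken from the article. Only the sess="CLI"
# and sess="GMS" values come from the article; usr, src, msg and the message
# texts are assumed for illustration.
SAMPLE_LOGS = """\
time="2026-03-02 10:01:11" sess="CLI" usr="jdoe" src=203.0.113.7 msg="User login failed"
time="2026-03-02 10:01:12" sess="CLI" usr="jdoe" src=203.0.113.7 msg="User login failed"
time="2026-03-02 10:01:13" sess="CLI" usr="jdoe" src=203.0.113.7 msg="User login failed"
time="2026-03-02 10:01:14" sess="CLI" usr="jdoe" src=203.0.113.7 msg="TOTP requested"
time="2026-03-02 10:01:15" sess="CLI" usr="jdoe" src=203.0.113.7 msg="User login successful"
time="2026-03-02 10:01:40" sess="GMS" usr="jdoe" src=203.0.113.7 msg="Session established"
time="2026-03-02 10:05:00" sess="Web" usr="asmith" src=198.51.100.9 msg="User login successful"
"""

# key=value or key="quoted value" pairs
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one key=value log line into a dict (quoted or bare values)."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}

def triage(log_text, failure_threshold=3):
    """Group events by source address and flag any scripted (sess="CLI") logins.
    Severity: 'high' if a CLI login succeeded and a sess="GMS" session followed
    from the same source; 'medium' for a burst of CLI failures at or above the
    threshold; 'low' for any other sess="CLI" activity."""
    by_src = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if "src" in ev:
            by_src[ev["src"]].append(ev)
    findings = []
    for src, events in by_src.items():
        cli = [e for e in events if e.get("sess") == "CLI"]
        if not cli:
            continue  # interactive portal traffic only; nothing to flag
        failures = sum("failed" in e.get("msg", "") for e in cli)
        success_idx = next((i for i, e in enumerate(events)
                            if e.get("sess") == "CLI" and "successful" in e.get("msg", "")), None)
        gms_after = success_idx is not None and any(
            e.get("sess") == "GMS" for e in events[success_idx + 1:])
        severity = "high" if gms_after else "medium" if failures >= failure_threshold else "low"
        findings.append({"src": src, "users": sorted({e.get("usr", "?") for e in cli}),
                         "cli_failures": failures, "cli_success": success_idx is not None,
                         "gms_followup": gms_after, "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

Feed it the raw syslog export rather than a pre-filtered view, so a source whose CLI attempts were followed by a GMS session is scored as the full hand-off pattern rather than as isolated failures.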
Although Gen6 hardware reached End-of-Support (EOS) on April 16, 2026, these legacy platforms remain widely deployed, with a significant footprint in small-to-medium enterprise (SME) environments. ReliaQuest expects exploitation campaigns targeting CVE-2024-12802 and similar VPN authentication bypass weaknesses to remain a serious threat through the rest of 2026.