← All articles

SonicWall Gen6 SSL-VPN MFA bypass (CVE-2024-12802) actively exploited - firmware patch alone insufficient, LDAP reconfiguration required

ReliaQuest has documented active in-the-wild exploitation of CVE-2024-12802, a SonicWall Gen6 SSL-VPN MFA bypass that hits Gen6 devices even after they apply the firmware patch. SonicWall's advisory makes clear that on Gen6 hardware, the firmware update alone does not fix it - administrators must also delete the LDAP configuration that uses userPrincipalName, remove cached LDAP users, drop the SSL VPN User Domain back to LocalDomain, reboot, and rebuild the LDAP config without userPrincipalName. Gen7 and Gen8 devices are patched by firmware alone. Intrusions observed between February and March 2026 looked like ransomware initial-access broker activity with 30-60 minute Cobalt Strike and BYOVD attempts.

Check
Inventory SonicWall Gen6 SSL-VPN appliances and confirm the LDAP reconfiguration was done after the firmware patch. Search VPN logs for 30-60 minute logins from new IPs in the last 90 days.
Affected
SonicWall Gen6 SSL-VPN devices running patched firmware but with LDAP still configured to use userPrincipalName in the 'Qualified login name' field. Gen7 and Gen8 are patched by firmware alone.
Fix
On Gen6: delete the existing LDAP config, remove cached LDAP users, drop the SSL VPN User Domain back to LocalDomain, reboot, then rebuild LDAP without userPrincipalName per SonicWall's advisory.