Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: sonicwall (2 articles)Clear

SonicWall Gen6 SSL-VPN MFA bypass (CVE-2024-12802) actively exploited - firmware patch alone insufficient, LDAP reconfiguration required

ReliaQuest has documented active in-the-wild exploitation of CVE-2024-12802, a SonicWall Gen6 SSL-VPN MFA bypass that hits Gen6 devices even after they apply the firmware patch. SonicWall's advisory makes clear that on Gen6 hardware, the firmware update alone does not fix it - administrators must also delete the LDAP configuration that uses userPrincipalName, remove cached LDAP users, drop the SSL VPN User Domain back to LocalDomain, reboot, and rebuild the LDAP config without userPrincipalName. Gen7 and Gen8 devices are patched by firmware alone. Intrusions observed between February and March 2026 looked like ransomware initial-access broker activity with 30-60 minute Cobalt Strike and BYOVD attempts.

Check
Inventory SonicWall Gen6 SSL-VPN appliances and confirm the LDAP reconfiguration was done after the firmware patch. Search VPN logs for 30-60 minute logins from new IPs in the last 90 days.
Affected
SonicWall Gen6 SSL-VPN devices running patched firmware but with LDAP still configured to use userPrincipalName in the 'Qualified login name' field. Gen7 and Gen8 are patched by firmware alone.
Fix
On Gen6: delete the existing LDAP config, remove cached LDAP users, drop the SSL VPN User Domain back to LocalDomain, reboot, then rebuild LDAP without userPrincipalName per SonicWall's advisory.

SonicWall patches three SonicOS firewall flaws after CrowdStrike disclosed them - the worst lets attackers reach the management interface without logging in (CVE-2026-0204)

SonicWall released emergency firmware updates for Gen 6, Gen 7, and Gen 8 firewalls after CrowdStrike's research team disclosed three SonicOS flaws on April 29. The worst is CVE-2026-0204 (CVSS 8.0), a weak authentication bug in the management interface that lets an attacker on an adjacent network reach management functions without logging in - and from there change firewall rules, disable security protections, or open new holes. The other two are post-authentication: CVE-2026-0205 is a path traversal that breaks out of restricted directories, and CVE-2026-0206 is a buffer overflow that crashes the firewall. No public exploits yet.

Check
Patch every SonicWall Gen 6, Gen 7, and Gen 8 firewall to the latest firmware today, and confirm no SonicWall management interface or SSL-VPN is reachable from the public internet.
Affected
Gen 6 firewalls (TZ 300/400/500/600, NSA, SM, SOHO) running 6.5.5.1-6n or older. Gen 7 firewalls and NSv (TZ270-TZ670, NSa 2700-6700, NSsp, NSv on ESX/KVM/Hyper-V/AWS/Azure) running 7.0.1-5169 or 7.3.1-7013 or older. Gen 8 (TZ80-TZ680, NSa 2800-5800) running 8.1.0-8017 or older.
Fix
Upgrade to Gen 8 firmware 8.2.0-8009, Gen 7 firmware 7.3.2-7010, or Gen 6 6.5.5.2-28n. Until patched, disable HTTP and HTTPS firewall management on all interfaces, disable SSL-VPN, and restrict management to SSH only from trusted IPs. Take a full configuration backup before upgrading Gen 6 - downgrading from 6.5.5.2-28n deletes all LDAP users and resets MFA.