ReliaQuest reported what it assesses, with medium confidence, to be the first known in-the-wild exploitation of CVE-2024-12802 against SonicWall SSL VPN appliances. Gen6 devices remained vulnerable after the firmware patch unless six manual reconfiguration steps were also completed. Attackers used scripted brute force, silently bypassed MFA, and in one case reached a file server and attempted to stage pre-ransomware tooling within 30 minutes. #CVE-2024-12802 #SonicWall #ReliaQuest #Akira
Keypoints
- CVE-2024-12802 is an authentication bypass affecting SonicWall SSL VPN appliances, especially Gen6 devices.
- On Gen6, the firmware patch alone is not sufficient; six additional manual reconfiguration steps are required for full remediation.
- ReliaQuest assessed with medium confidence that it observed the first known in-the-wild exploitation of this vulnerability between February and March 2026.
- Attackers used automated brute-forcing against VPN credentials and bypassed MFA without triggering obvious failed-login or anomalous-login alerts.
- In one intrusion, the threat actor reached an internal file server in about 30 minutes and attempted to deploy Cobalt Strike and a BYOVD driver to disable endpoint protection.
- A key detection signal is the SonicWall authentication log session type sess="CLI", especially when the session type transitions to GMS after a successful login.
- ReliaQuest recommends verifying all Gen6 remediation steps, monitoring VPN logs for scripted authentication, blocking vulnerable drivers, and tightening VPN account privileges.
MITRE Techniques
- [T1110.001] Password Guessing - Attackers brute-forced VPN accounts until they found valid credentials ["authentication attempts arrived in rapid succession" and "as few as 13 brute-force attempts separated an attacker from a valid credential"]
- [T1078] Valid Accounts - Compromised VPN credentials were used to authenticate as legitimate users and access internal systems ["authentication succeeded without one" and "gain access as a legitimate user"]
- [T1021.001] Remote Desktop Protocol - The threat actor pivoted to a file server and established an RDP session using shared local admin credentials ["they reached a domain-joined file server and established a Remote Desktop Protocol (RDP) session"]
- [T1018] Remote System Discovery - The actor swept the internal network after initial access to identify accessible systems ["sweeping the internal network" and "assess the network"]
- [T1003] OS Credential Dumping - The attacker tested credential reuse and looked for credentials on the file server to move deeper into the environment ["testing credential reuse against internal systems" and "file servers frequently contain ... embedded credentials"]
- [T1219] Remote Access Software - Cobalt Strike was deployed as a post-exploitation framework for command-and-control and follow-on activity ["attempted to deploy a Cobalt Strike beacon"]
- [T1068] Exploitation for Privilege Escalation - BYOVD was used in an attempt to gain kernel-level access and disable security controls ["exploit it to gain kernel-level access and disable security tools"]
- [T1562.001] Disable or Modify Tools - The BYOVD attempt targeted endpoint protection to blind EDR and allow payload execution ["EDR killers" and "disable endpoint protection"]
- [T1218] System Binary Proxy Execution - The attacker used Notepad to manually review files, which can blend into normal activity and evade detection ["manually reviewing files on the server with Notepad"]
- [T1095] Non-Application Layer Protocol - The SonicWall logs showed scripted VPN authentication behavior over the VPN authentication channel ["sess="CLI" indicates scripted or automated VPN authentication"]
Indicators of Compromise
- [IP addresses] Source infrastructure and interactive-login endpoints - 69.10.60[.]250, 193.160.216[.]221
- [File hashes] Artifacts linked to the campaign, including an EDR-disabling executable and a malicious file - 6a6aaeed4a6bbe82a08d197f5d40c259, b31f5a27ab615d2b48a690b227775b710, and 2 more hashes
- [File names] Named malicious artifact observed in the intrusion - Malicious file observed
- [Session/log indicators] SonicWall authentication log values associated with automated login activity - sess="CLI", GMS
- [Event IDs] SonicWall log events used to correlate failed and successful VPN logins - Event ID 238, Event ID 1080
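The two log signals above (a burst of scripted authentication attempts ending in a success, and a sess="CLI" login that later shows up as a GMS session) can be checked with a small correlation script over SonicWall syslog. The following is an added example written for this page, not ReliaQuest's detection content or any SonicWall tooling. It assumes a key=value syslog layout with time=, m=, usr=, src= and sess= fields, and that event ID 238 is a failed VPN login and 1080 a successful one; verify both against your appliance's log reference before relying on it. The log excerpt it runs over is constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed meaning of the two event IDs named in the report (check your firmware's log reference).
EVENT_FAILED = 238
EVENT_SUCCESS = 1080

# SonicWall-style key=value syslog; field names are an assumption for this example.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _constructed_sample():
    """Constructed log excerpt, not real appliance output.

    69.10.60[.]250 fires 13 failed logins for jsmith two seconds apart, succeeds,
    and then appears with sess=GMS. 10.0.0.5 is a human who mistypes twice over
    several minutes and logs in from a browser; it must not be flagged.
    """
    fmt = 'id=sslvpn time="{}" m={} msg="{}" usr="{}" src={} sess="{}"'
    t0 = datetime(2026, 3, 2, 3, 14, 0)
    lines = [fmt.format(t0 + timedelta(seconds=2 * i), EVENT_FAILED, "User login failed",
                        "jsmith", "69.10.60.250", "CLI") for i in range(13)]
    lines.append(fmt.format(t0 + timedelta(seconds=26), EVENT_SUCCESS, "User login successful",
                            "jsmith", "69.10.60.250", "CLI"))
    lines.append(fmt.format(t0 + timedelta(seconds=40), EVENT_SUCCESS, "User login successful",
                            "jsmith", "69.10.60.250", "GMS"))
    t1 = datetime(2026, 3, 2, 3, 0, 0)
    lines.append(fmt.format(t1, EVENT_FAILED, "User login failed", "mjones", "10.0.0.5", "Web"))
    lines.append(fmt.format(t1 + timedelta(minutes=5), EVENT_FAILED, "User login failed",
                            "mjones", "10.0.0.5", "Web"))
    lines.append(fmt.format(t1 + timedelta(minutes=6), EVENT_SUCCESS, "User login successful",
                            "mjones", "10.0.0.5", "Web"))
    return "\n".join(lines)


SAMPLE_LOG = _constructed_sample()


def parse_line(line):
    """One key=value syslog line -> dict with a datetime ts and an int event ID m."""
    f = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    f["ts"] = datetime.strptime(f["time"], "%Y-%m-%d %H:%M:%S")
    f["m"] = int(f["m"])
    return f


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def find_scripted_bruteforce(events, window=timedelta(seconds=60), min_attempts=10,
                             max_gap=timedelta(seconds=5)):
    """Per (src, usr): at least min_attempts failures inside `window`, each arriving
    within `max_gap` of the previous one, followed by a success. The gap test is what
    separates a script from a human retyping a password a few times."""
    by_key = defaultdict(list)
    for e in events:
        if e["m"] in (EVENT_FAILED, EVENT_SUCCESS):
            by_key[(e["src"], e["usr"])].append(e)
    findings = []
    for (src, usr), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        run = []  # consecutive rapid failures still inside the window
        for e in evs:
            if run and (e["ts"] - run[-1]["ts"] > max_gap or e["ts"] - run[0]["ts"] > window):
                run = []
            if e["m"] == EVENT_FAILED:
                run.append(e)
                continue
            if len(run) >= min_attempts:  # success closing a rapid failure run
                findings.append({"src": src, "user": usr, "attempts": len(run),
                                 "span_s": (e["ts"] - run[0]["ts"]).total_seconds(),
                                 "session_types": sorted({x["sess"] for x in run + [e]})})
            run = []
    return findings


def find_cli_to_gms(events):
    """A successful sess=CLI login later followed by a sess=GMS event for the same
    user and source: the post-login session-type shift the report highlights."""
    cli_login, findings = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["src"], e["usr"])
        if e["m"] == EVENT_SUCCESS and e["sess"] == "CLI":
            cli_login.setdefault(key, e["ts"])
        elif e["sess"] == "GMS" and key in cli_login:
            findings.append({"src": e["src"], "user": e["usr"],
                             "cli_login": cli_login.pop(key).isoformat(sep=" "),
                             "gms_seen": e["ts"].isoformat(sep=" ")})
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_scripted_bruteforce(evs) + find_cli_to_gms(evs):
        print(f)
```

Tune min_attempts and max_gap to the appliance's real traffic; the report's "as few as 13" attempts means a high failure threshold alone will miss this activity, which is why the inter-arrival gap, not just the count, drives the brute-force rule.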
Read more: https://reliaquest.com/blog/threat-spotlight-vpn-exploitation-when-patched-doesnt-mean-protected/