SonicWall patched CVE-2024-12802 and left the bug in place on Gen6
The firmware update closes the code path but does not rewrite the LDAP config the exploit actually uses. On Gen6, that distinction is the whole vulnerability.
The SonicWall Gen6 appliance in your rack is running patched firmware and is still bypassable. SonicWall scored the underlying CVE 6.5 Medium, which is how a configuration-not-rewritten failure mode got handled as routine patch-cycle maintenance for sixteen months.
CVE-2024-12802 is an SSL-VPN MFA bypass on SonicOS appliances integrated with Active Directory, disclosed under SonicWall advisory SNWLID-2025-0001 in January 2025. The vulnerable code path is straightforward: SonicOS treated User Principal Name (username@domain) and SAM Account Name (DOMAIN\username) authentication as two separate paths against two distinct Active Directory attributes, per the GitHub Advisory Database entry. MFA enforcement was applied per-path rather than per-identity. An admin who configured MFA against the SAM path could leave the UPN path unenforced, and an attacker with valid credentials would present the UPN form and walk in without a second-factor challenge.
The firmware fix closed the code path. It did not touch the LDAP configuration object already sitting in the device’s database, which is the artifact the exploit actually relies on.
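The per-path versus per-identity distinction is easy to state and easy to get wrong in code, so here is a small model of it. This is an added illustration, not SonicOS code and not anything from the advisory: the NetBIOS-to-DNS domain mapping, the two policy tables and the sample logins are constructed, and a real implementation would key policy on the directory object the LDAP lookup returns (its SID, for instance) rather than on a parsed name.

```python
"""Model of the CVE-2024-12802 bug class: MFA enforcement keyed on the login
syntax (UPN path vs SAM path) instead of on the account the directory resolves.

Added illustration, not SonicOS code. The domain mapping, policy tables and
sample logins are constructed for the example; a real implementation would
key policy on the directory object (e.g. its SID) after the LDAP lookup.
"""
from dataclasses import dataclass

# Constructed stand-in for the directory's NetBIOS-name to DNS-name mapping.
# In production this comes from the domain itself, never from a static table.
NETBIOS_TO_DNS = {"corp": "corp.example"}


@dataclass(frozen=True)
class Identity:
    domain: str   # DNS domain, lower-case
    user: str     # account name, lower-case


def parse_login(login: str) -> tuple[str, Identity]:
    """Classify the syntax ('upn' or 'sam') and resolve it to ONE identity.

    Both forms name the same account; the syntax is not a security boundary.
    """
    if "@" in login:
        user, _, domain = login.partition("@")
        return "upn", Identity(domain.lower(), user.lower())
    if "\\" in login:
        netbios, _, user = login.partition("\\")
        dns = NETBIOS_TO_DNS.get(netbios.lower())
        if dns is None:
            raise ValueError(f"unknown domain {netbios!r}")
        return "sam", Identity(dns, user.lower())
    raise ValueError(f"unrecognised login form {login!r}")


# Vulnerable shape: one policy entry per path. The admin enabled MFA for the
# SAM path and never touched the UPN path (constructed to match the advisory).
MFA_BY_PATH = {"sam": True, "upn": False}


def mfa_required_vulnerable(login: str) -> bool:
    """Per-path enforcement: the second factor depends on how the name was typed."""
    path, _ = parse_login(login)
    return MFA_BY_PATH[path]


# Hardened shape: one policy entry per identity, failing closed for accounts
# that have no explicit entry.
MFA_BY_IDENTITY = {Identity("corp.example", "alice"): True}


def mfa_required_hardened(login: str) -> bool:
    """Per-identity enforcement: both syntaxes land on the same policy entry."""
    _, ident = parse_login(login)
    return MFA_BY_IDENTITY.get(ident, True)


def bypass_candidates(logins: list[str]) -> list[str]:
    """Logins where the per-path policy skips a factor the per-identity policy demands."""
    return [login for login in logins
            if mfa_required_hardened(login) and not mfa_required_vulnerable(login)]


if __name__ == "__main__":
    for login in ["CORP\\alice", "alice@corp.example"]:
        print(f"{login:22} vulnerable={mfa_required_vulnerable(login)} "
              f"hardened={mfa_required_hardened(login)}")
```

The audit function is the useful part for a defender: fed the login forms an account can present, it lists the ones on which the per-path policy would let the account through without a second factor, which is exactly the question a post-patch review of the LDAP configuration has to answer.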
What the patch does not do
The patch hardens SonicOS so that new LDAP configurations cannot be created in the vulnerable state. The pre-existing LDAP binding on a patched Gen6 device retains its original userPrincipalName attribute mapping, because the firmware update changes the binary and leaves the running configuration alone. On Gen7 and Gen8 (firmware 7.2.0-7015 and 8.0.1-8017 and later), the upgrade rebuilds LDAP and auth configuration from scratch, so the firmware update alone is sufficient. Gen6’s upgrade path does not rebuild anything. The old config persists, and the old config is the bug.
This is why SonicWall’s support notice specifies six post-firmware steps, in order: delete the existing LDAP server configuration that uses userPrincipalName in the Qualified Login Name field, remove locally cached LDAP users imported under that configuration, remove the SSL VPN User Domain mapped to the primary LDAP domain, reboot the firewall, recreate the LDAP configuration using sAMAccountName, and take a fresh backup that you must never overwrite with a pre-remediation snapshot. Skip any of the six and the device shows “patched” in every scanner you own and is still fully exploitable.
SonicWall did publish an official automation script in its sonicos-automation GitHub repository that runs the six steps. On Gen6 it falls back to SSH to toggle the REST API on before issuing POST requests to the older user/ldap/server endpoint, because the Gen6 API surface diverges from Gen7 and Gen8. The script ships “as-is” and is explicitly scoped outside formal technical support. It is the right idea. It arrived after the exploitation window opened.
The 6.5 versus 9.1 problem
SonicWall PSIRT scored CVE-2024-12802 at 6.5 Medium. CISA’s Authorized Data Publisher independently scored it 9.1 Critical, per the GitHub Advisory Database entry. SonicWall has not publicly documented its scoring rationale. The most likely reading is that PSIRT treated the “valid credentials required” precondition as a partial privilege requirement that lowers the score, while CISA reflected the operational reality that credential stuffing against internet-facing SSL-VPN portals is so routine that having a password is not a meaningful barrier.
The gap is not academic. A 6.5 Medium gets queued behind the actual Criticals in the next maintenance window. A 9.1 Critical triggers an emergency change. Sixteen months of shops choosing the Medium reading is exactly what the ReliaQuest threat spotlight found in May 2026: by ReliaQuest’s account, every device in their February and March 2026 intrusion set was running patched firmware and was still bypassed.
The intrusion pattern
ReliaQuest assessed with medium confidence that the February and March 2026 cases are the first documented in-the-wild exploitation of CVE-2024-12802. The medium-confidence framing is appropriate; the bypass is silent, the logs show a normal MFA flow because the second-factor check is never invoked on the UPN path, and earlier incidents could easily have been written off as straight credential theft.
The attack sequence is tight. ReliaQuest documented scripted credential brute-force against the SSL-VPN portal, detectable in SonicWall authentication logs by sess="CLI" (a reliable indicator of automated, non-browser authentication). In several incidents, as few as thirteen attempts produced a valid credential. Once a working username was identified, the attacker authenticated via the UPN format, the MFA check was never invoked, and no failed-login alert fired. In one documented case the attacker reached RDP on a domain-joined file server in roughly thirty minutes via a shared local administrator password, then attempted to deploy Cobalt Strike and used a vulnerable signed driver to disable endpoint detection. ReliaQuest characterized the post-exploitation behavior as consistent with pre-ransomware staging and stopped short of naming a specific group, though they noted deliberate logouts and return visits days later under different accounts, a pattern consistent with initial access broker activity. Whether Akira affiliates were the eventual buyer is not confirmed in public reporting, though Akira has documented prior SonicWall SSL-VPN abuse through CVE-2024-40766.
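The sess="CLI" indicator is the one piece of this sequence that shows up in logs before the bypass happens, so it is worth turning into a rule. The following is an added example of that detection logic, not ReliaQuest's or SonicWall's tooling. The log lines are constructed in the key="value" syslog shape SonicWall uses; apart from sess, the field names (time, src, usr, msg) and the message strings are assumptions for the example and should be matched against your own appliance's output before use.

```python
"""Hunting the scripted SSL-VPN credential attack in SonicWall-style auth logs.

Added example, not ReliaQuest's or SonicWall's tooling. The log lines below
are constructed in key="value" syslog shape; the field names other than sess
(time, src, usr, msg) and the message strings are assumptions for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: a burst of scripted failures from one source, then a
# success from the same source using the UPN form, plus one ordinary browser
# login from elsewhere that the rule must ignore.
SAMPLE_LOG = """\
time="2026-02-11 03:14:02" src="203.0.113.7" usr="CORP\\alice" sess="CLI" msg="User login failed - incorrect password"
time="2026-02-11 03:14:03" src="203.0.113.7" usr="CORP\\alice" sess="CLI" msg="User login failed - incorrect password"
time="2026-02-11 03:14:05" src="203.0.113.7" usr="CORP\\alice" sess="CLI" msg="User login failed - incorrect password"
time="2026-02-11 03:14:06" src="203.0.113.7" usr="CORP\\alice" sess="CLI" msg="User login failed - incorrect password"
time="2026-02-11 03:14:08" src="203.0.113.7" usr="CORP\\alice" sess="CLI" msg="User login failed - incorrect password"
time="2026-02-11 03:14:11" src="203.0.113.7" usr="alice@corp.example" sess="CLI" msg="SSL VPN zone remote user login allowed"
time="2026-02-11 08:02:40" src="198.51.100.5" usr="CORP\\bob" sess="Web" msg="SSL VPN zone remote user login allowed"
"""


def parse_line(line: str) -> dict:
    """Turn one key="value" log line into a dict; a line with no pairs gives {}."""
    return dict(KV_RE.findall(line))


def find_scripted_auth(log_text: str, window: timedelta = timedelta(minutes=10),
                       threshold: int = 5) -> list[dict]:
    """Flag sources whose sess="CLI" failures reach `threshold` within `window`,
    and any CLI success from such a source while the burst is still in the window.

    A success is annotated with whether the UPN form was used, because on an
    unremediated device that is the path on which no second factor is invoked.
    """
    by_src = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or ev.get("sess") != "CLI":
            continue  # browser sessions are normal traffic for this rule
        ev["_t"] = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        by_src[ev["src"]].append(ev)

    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["_t"])
        recent_failures = []  # timestamps of CLI failures inside the window
        for ev in events:
            recent_failures = [t for t in recent_failures if ev["_t"] - t <= window]
            if ev["msg"].startswith("User login failed"):
                recent_failures.append(ev["_t"])
                if len(recent_failures) == threshold:  # fire once per burst
                    findings.append({"kind": "cli_bruteforce", "src": src,
                                     "attempts": threshold, "at": ev["time"]})
            elif "login allowed" in ev["msg"]:
                after_burst = len(recent_failures) >= threshold
                findings.append({"kind": "cli_success_after_burst" if after_burst
                                 else "cli_success",
                                 "src": src, "usr": ev["usr"],
                                 "upn_form": "@" in ev["usr"], "at": ev["time"]})
    return findings


if __name__ == "__main__":
    for finding in find_scripted_auth(SAMPLE_LOG):
        print(finding)
```

The threshold of five is deliberately low: the page reports valid credentials falling out after as few as thirteen attempts, so a rule tuned for the hundreds of failures a classic brute-force produces would sleep through this one. The success-after-burst finding is the alert that matters, since no failed-login alert fires on the bypass itself.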
CISA has not added CVE-2024-12802 to the Known Exploited Vulnerabilities Catalog as of the May 22, 2026 release. CISA added the earlier SonicWall SSL-VPN bug, CVE-2024-40766, in September 2024. It has not publicly explained the absence here. Federal civilian agencies therefore have no remediation deadline for a vulnerability with confirmed exploitation, which is its own kind of editorial choice.
The pattern this fits
This is not a one-off. CVE-2024-12802 is a textbook patch-incomplete failure: the firmware says fixed, the compliance scanner turns green, the configuration object that is doing the actual exploiting sits untouched. Standard patch-management tooling tracks firmware version. It does not track completion of a six-step LDAP reconfiguration procedure.
The same shape recurs. CVE-2024-40766 came with a SonicWall recommendation to rotate locally managed SSL-VPN credentials alongside the firmware update, and Arctic Wolf observed in July 2025 that Akira intrusions kept landing on patched devices where the credentials had never been rotated, in some cases carried over from Gen6 to Gen7 migrations. CitrixBleed (CVE-2023-4966) is the canonical earlier version: the Mandiant investigation tracked four distinct threat clusters exploiting valid session tokens on patched NetScaler appliances because the patch closed the extraction path and did nothing to tokens already in attacker hands. CISA eventually issued separate guidance requiring explicit session-kill CLI commands. The Ivanti EPMM chain from CVE-2026-1340 into CVE-2026-6973 is the same lesson again: CVE-2026-1340 in January allowed extraction of admin credentials, CVE-2026-6973 in May required valid admin credentials to reach RCE, and Ivanti stated with high confidence that the May campaign reused credentials harvested in the January intrusions.
Every advisory for an authentication-touching vulnerability is a two-part remediation. Part one is firmware. Part two is an explicit audit of whatever the vulnerable code touched while it was exposed: stored credentials, active sessions, authentication-path configuration, local accounts that used the affected surface. Patch tooling confirms part one. Part two requires its own checklist, scoped to the specific attack surface of the specific CVE. SonicWall’s automation script is part two made executable, which is good. It also arrived after exploitation began, which is the problem.
The Gen6 EOL bill comes due
SonicWall Gen6 hit End of Support on April 16, 2026. The emergency firmware posted on April 29, 2026, thirteen days past EOL, reads as a one-time exception under exploitation pressure rather than a resumption of the support lifecycle. The realistic options for Gen6 shops are: run the six steps (or the script), enforce strict source-IP allowlisting on the SSL-VPN interface, disable SSL-VPN entirely, or replace the hardware. Hardware replacement is the only durable answer. The next CVE on this surface will not come with a firmware update.
The thing to take from this is not that Gen6 is end-of-life, which everybody with a Gen6 in production already knew. It is that “patched” was never the right word for what the firmware did. On Gen6 it patched the code and not the bug. On Gen7 and Gen8 it patched both, which is the version every advisory implicitly described. If you administer one of these boxes, the advisory you read in January 2025 was accurate for hardware you probably do not own.
At PatchDay Alert we flag patch-incomplete advisories explicitly, with the post-patch steps in the same brief as the version number. The firmware build is half of the answer when the bug lives in the configuration.
Sources
- SNWLID-2025-0001 — SonicWall PSIRT — 2025-01
- GHSA-ff32-cmvq-x6c5 — GitHub Advisory Database — 2025-01
- SSL-VPN MFA Bypass CVE-2024-12802 — SonicWall Support Notice — 2026-05
- snwlid-2025-0001_workaround.py — sonicwall/sonicos-automation — 2025
- VPN Exploitation: When Patched Doesn’t Mean Protected — ReliaQuest — 2026-05
- Arctic Wolf Observes July 2025 Uptick in Akira Ransomware — Arctic Wolf — 2025-07
- CISA Known Exploited Vulnerabilities Catalog — 2026-05-22
- CISA confirms SonicWall vulnerability is getting exploited (CVE-2024-40766) — HelpNetSecurity — 2024-09
- Investigation of Session Hijacking via CVE-2023-4966 — Google Cloud / Mandiant — 2023-10
- #StopRansomware: LockBit 3.0 Exploits CVE-2023-4966 — CISA AA23-325A — 2023-11
- SonicWall Product Life Cycle Tables — 2026
- Security Advisory: Firmware Update Required Gen 6/7/8 — SonicWall — 2026-04-29