ReliaQuest and SonicWall say attackers exploited CVE-2024-12802 on SonicWall Gen6 SSL-VPN appliances to bypass MFA when admins installed patched firmware but did not complete required LDAP reconfiguration steps. Intrusions observed from February to March involved brute-forced credentials, internal reconnaissance, RDP access, and attempted deployment of Cobalt Strike and a BYOVD tool across multiple sectors and geographies.
Why it matters: Organizations using SonicWall Gen6 SSL-VPN may still be exposed even if they believe they are patched, because firmware updates alone do not fully mitigate the flaw. Defenders should verify the manual remediation, hunt for listed indicators, and treat exposed Gen6 devices as potentially compromised.
Bill Toulas
2026.05.20
This article establishes a distinct tracked story by tying CVE-2024-12802 to its first reported in-the-wild exploitation and clarifying that incomplete patching left Gen6 SonicWall VPNs vulnerable and enabled follow-on intrusion activity.