SonicWall’s firmware update for CVE-2024-12802 was never enough on its own: the patch required administrators to also manually reconfigure LDAP settings using a specific six-step process — one that most skipped — leaving Gen6 SSL-VPN appliances open to MFA bypass even on devices that appeared fully patched. Attackers exploited the gap to reach full network access in 30 to 60 minutes, with login attempts that appeared as a normal MFA flow in security logs.
CVE-2024-12802: The UPN Login Format Gap That MFA Never Covered
CVE-2024-12802 is an MFA enforcement vulnerability in SonicWall Gen6 SSL-VPN appliances. The underlying flaw is a missing MFA enforcement mechanism for the UPN (User Principal Name) login format: when authenticating through the UPN path, the MFA requirement was not enforced, meaning an attacker holding valid credentials could bypass multi-factor authentication entirely and authenticate directly to the VPN.
The firmware update alone did not close the vulnerability. Complete remediation required a specific sequence of manual LDAP reconfiguration steps: deleting the existing LDAP configuration, purging cached users, removing the SSL VPN user domain, rebooting the device, recreating the LDAP configuration without the userPrincipalName attribute, and creating a fresh backup. Devices on which administrators applied the firmware update and skipped this reconfiguration — the likely majority, given that the additional steps were not prominently surfaced in patch guidance — remained vulnerable to the UPN bypass.
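To make the enforcement gap concrete, the following is an added toy model and is not SonicWall code or a description of the appliance's internals. It assumes a hypothetical gateway with two login-resolution paths (a short account name and a UPN-style `user@domain` name backed by a `userPrincipalName` attribute), a constructed one-user directory, and a stand-in OTP value. The flawed variant attaches the MFA decision to only one path; the hardened variant resolves the canonical account first and decides MFA afterwards, so the login format no longer matters. A flag models the documented workaround of recreating the LDAP configuration without the `userPrincipalName` attribute, which makes UPN-format logins stop resolving at all.

```python
from dataclasses import dataclass, field

# Constructed directory for the example: canonical account -> attributes.
DIRECTORY = {
    "jdoe": {
        "password": "pw-jdoe",
        "userPrincipalName": "jdoe@corp.example",
        "mfa_required": True,
    },
}

# Stand-in for a real second-factor verification; hypothetical value.
VALID_OTP = "123456"


@dataclass
class Gateway:
    # Models whether the LDAP mapping still exposes userPrincipalName.
    # The documented workaround recreates the mapping without it.
    upn_attribute_enabled: bool = True
    audit: list = field(default_factory=list)

    def _resolve(self, login):
        """Map a submitted login to a canonical account name, or None."""
        if "@" in login:
            if not self.upn_attribute_enabled:
                return None  # UPN path cannot resolve once the attribute is gone
            for name, attrs in DIRECTORY.items():
                if attrs["userPrincipalName"].lower() == login.lower():
                    return name
            return None
        return login if login in DIRECTORY else None

    def _password_ok(self, account, password):
        return account is not None and DIRECTORY[account]["password"] == password

    def login_vulnerable(self, login, password, otp=None):
        """Flawed design: the MFA check is tied to the short-name path only."""
        account = self._resolve(login)
        if not self._password_ok(account, password):
            return False
        # The MFA requirement is evaluated on the login *format*, so a
        # UPN-format login for an MFA-required account skips it entirely.
        if "@" not in login and DIRECTORY[account]["mfa_required"]:
            if otp != VALID_OTP:
                return False
        # Both paths emit the same audit line, so the bypass looks normal.
        self.audit.append(f"login ok user={login} mfa=passed")
        return True

    def login_hardened(self, login, password, otp=None):
        """Corrected design: MFA is decided on the resolved account."""
        account = self._resolve(login)
        if not self._password_ok(account, password):
            return False
        if DIRECTORY[account]["mfa_required"] and otp != VALID_OTP:
            self.audit.append(f"login denied user={login} mfa=missing")
            return False
        self.audit.append(f"login ok user={login} mfa=passed")
        return True


if __name__ == "__main__":
    g = Gateway()
    print("vulnerable, UPN login, no OTP:",
          g.login_vulnerable("jdoe@corp.example", "pw-jdoe"))
    print("hardened, UPN login, no OTP:",
          g.login_hardened("jdoe@corp.example", "pw-jdoe"))
    print("workaround applied, UPN login:",
          Gateway(upn_attribute_enabled=False)
          .login_vulnerable("jdoe@corp.example", "pw-jdoe"))
    print(g.audit)
```

The design point is that an MFA policy must be evaluated against the identity the directory resolves, not against the syntactic form of the submitted name. The audit list also shows why the page's log observation follows directly from the flaw: the unprotected path writes exactly the same success record as a completed MFA login.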
The invisible-in-logs behavior compounds the failure: rogue login attempts exploiting the UPN bypass appeared as a normal MFA flow in security event logs. Security teams relying on authentication logs to detect unauthorized access had no automated signal, because the bypass produced no log entries distinguishable from a legitimate authentication event.
CVE-2024-12802 Exploitation Timeline: Full Network Access in 30 to 60 Minutes
From initial credential use to full network access, the attack was completed in 30 to 60 minutes in the documented incidents. During that window, attackers conducted network reconnaissance, tested credential reuse against internal systems, and attempted to deploy Cobalt Strike beacons and vulnerable kernel drivers using a BYOVD (Bring Your Own Vulnerable Driver) technique. The Cobalt Strike and BYOVD deployment attempts were blocked by endpoint detection — but the initial network access through the MFA bypass was fully achieved.
In the investigated cases, attackers logged out after the initial access window and returned days later using different accounts — a pattern consistent with initial access broker operations. Rather than conducting an attack directly, the operators documented network access for resale to ransomware groups, explaining both the controlled early-stage activity and the return from different accounts after an interval.
SonicWall Gen6 End-of-Life Status and the CVE-2024-12802 Remediation Ceiling
SonicWall Gen6 appliances reached end-of-life on April 16, 2026 — five weeks before this disclosure. Organizations still running Gen6 hardware have no path to future security patches; CVE-2024-12802 represents the last category of vulnerability for which a remediation path exists on these devices, and that path requires the manual LDAP reconfiguration rather than the firmware update alone.
Gen7 and Gen8 appliances are fully protected by the firmware update without any additional manual configuration steps. For Gen6 administrators, the six-step LDAP reconfiguration procedure is the only complete fix. Administrators should not treat firmware version as confirmation of remediation — only explicit completion of the reconfiguration sequence closes the UPN enforcement gap.
The Invisible MFA Bypass Log Behavior and the Authentication Audit Gap on Gen6
The most operationally significant aspect of CVE-2024-12802 exploitation is what it leaves out of the log record. Rogue authentications via the UPN bypass registered as normal MFA flow in security event logs, removing the primary automated detection signal that security operations teams use to identify account compromise. Organizations that applied only the firmware update — and monitored authentication logs for anomalies — had no automated detection path against active exploitation of the residual vulnerability.
Administrators on Gen6 hardware should assume the six-step LDAP reconfiguration has not been completed unless it can be confirmed explicitly from change records or direct appliance inspection. Authentication logs should be reviewed for lateral movement patterns consistent with the documented 30–60 minute initial access windows, and accounts used across multiple authentication events in close succession from different source addresses warrant immediate investigation. With Gen6 now beyond end-of-life, replacing hardware with Gen7 or Gen8 is the only path to ongoing security coverage beyond the current CVE-2024-12802 workaround.
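Because the bypass leaves no MFA anomaly in the record, the review the paragraph above describes has to key on behaviour rather than on the MFA field. The script below is an added example, not a SonicWall tool, and it assumes a constructed, simplified log format (`timestamp user= src= result= mfa=`) that a real export would need to be normalised into first. It flags any account whose authentication events arrive from more than one source address within a configurable window, defaulting to the 60-minute upper bound of the documented access windows, and it deliberately ignores the `mfa=` field, which reads `passed` for every line including the suspicious ones.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real appliance). Note that every
# success, including the suspicious pair for jdoe, reports mfa=passed.
LOG_LINES = """\
2026-05-20T09:58:12Z user=jdoe src=203.0.113.5 result=success mfa=passed
2026-05-20T10:03:40Z user=jdoe src=198.51.100.17 result=success mfa=passed
2026-05-20T10:31:02Z user=asmith src=192.0.2.44 result=success mfa=passed
2026-05-20T12:45:09Z user=asmith src=192.0.2.44 result=success mfa=passed
2026-05-20T13:10:00Z user=bnguyen src=198.51.100.17 result=failure mfa=none
2026-05-20T15:20:00Z user=bnguyen src=203.0.113.77 result=success mfa=passed
""".splitlines()

# Hypothetical line layout assumed by this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_multi_source_accounts(lines, window_minutes=60):
    """Return one finding per account that authenticated from more than one
    source address within any window_minutes-long span of events."""
    by_user = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is not None:
            by_user[event["user"]].append(event)

    window = timedelta(minutes=window_minutes)
    findings = []
    for user in sorted(by_user):
        events = sorted(by_user[user], key=lambda e: e["ts"])
        for i, current in enumerate(events):
            # All of this account's events in the window ending at `current`.
            recent = [e for e in events[: i + 1] if e["ts"] >= current["ts"] - window]
            sources = {e["src"] for e in recent}
            if len(sources) > 1:
                findings.append({
                    "user": user,
                    "window_end": current["ts"],
                    "sources": sorted(sources),
                })
                break  # one finding per account is enough to open triage
    return findings


if __name__ == "__main__":
    for finding in find_multi_source_accounts(LOG_LINES):
        print(f"{finding['user']}: sources {finding['sources']} "
              f"within 60 min ending {finding['window_end'].isoformat()}")
```

Run against the sample, only `jdoe` is reported: two successful logins from different addresses five and a half minutes apart. `asmith` repeats from one address and `bnguyen`'s two events are more than two hours apart, so neither triggers. Tightening the window to five minutes clears `jdoe` as well, which is the knob to tune against the organisation's own baseline of legitimate roaming users before the rule is used for alerting.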
