{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/gen7-devices/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Initial Access Broker"],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2024-12802"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Gen6 SSL-VPN appliances","Gen7 devices","Gen8 devices"],"_cs_severities":["high"],"_cs_tags":["vpn","mfa-bypass","cve-2024-12802","sonicwall","initial access"],"_cs_type":"threat","_cs_vendors":["SonicWall"],"content_html":"\u003cp\u003eIn February and March 2026, ReliaQuest researchers responded to multiple intrusions exploiting CVE-2024-12802 on SonicWall Gen6 SSL-VPN appliances. The vulnerability allows attackers to bypass MFA by exploiting a missing enforcement for the UPN login format. Organizations that applied the firmware update without completing the manual LDAP reconfiguration remained vulnerable. The attacker\u0026rsquo;s dwell time within the network ranged from 30 to 60 minutes, during which they conducted network reconnaissance and tested credential reuse before logging out, suggesting initial access brokering activity. This activity was seen \u0026ldquo;across multiple sectors and geographies\u0026rdquo;. Gen7 and Gen8 devices are not vulnerable if updated to a newer firmware version. 
Gen6 devices reached end-of-life on April 16, 2026, and no longer receive security updates.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker brute-forces VPN credentials for SonicWall Gen6 SSL-VPN appliances.\u003c/li\u003e\n\u003cli\u003eAttacker exploits CVE-2024-12802 due to incomplete patching (firmware update applied but LDAP configuration not updated).\u003c/li\u003e\n\u003cli\u003eAttacker successfully authenticates to the VPN, bypassing MFA.\u003c/li\u003e\n\u003cli\u003eAttacker conducts network reconnaissance to map out the internal network.\u003c/li\u003e\n\u003cli\u003eAttacker tests credential reuse on internal systems.\u003c/li\u003e\n\u003cli\u003eAttacker establishes a remote connection over RDP using a shared local administrator password to a domain-joined file server.\u003c/li\u003e\n\u003cli\u003eAttacker attempts to deploy a Cobalt Strike beacon for command-and-control (C2).\u003c/li\u003e\n\u003cli\u003eAttacker attempts to load a vulnerable driver, likely to disable endpoint protection using BYOVD techniques; EDR blocks the beacon and driver.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe exploitation of CVE-2024-12802 allowed threat actors to gain unauthorized access to internal networks through SonicWall SSL-VPN appliances. In one instance, the attacker reached a domain-joined file server within 30 minutes of initial access. The compromised access can be sold to ransomware groups for further exploitation, leading to data theft, encryption, and financial losses. 
This vulnerability impacted organizations across multiple sectors and geographies. Because the rogue logins are recorded as ordinary, successful MFA authentications, the bypass is not visible from the login outcome alone and must be inferred from session type, event IDs and source infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the manual remediation steps for CVE-2024-12802 on SonicWall Gen6 devices: delete the existing LDAP configuration, remove locally cached LDAP users, remove the SSL VPN User Domain, reboot the firewall, recreate the LDAP configuration, and create a fresh backup. Installing the firmware update alone does not close the bypass; the intrusions described above hit devices that were patched but not reconfigured.\u003c/li\u003e\n\u003cli\u003eWhere possible, migrate to actively supported SonicWall appliances (Gen7 or Gen8) running current firmware, since Gen6 devices are EOL and will receive no further fixes.\u003c/li\u003e\n\u003cli\u003eMonitor VPN logs for \u003ccode\u003esess=\u0026quot;CLI\u0026quot;\u003c/code\u003e sessions, which indicate scripted or automated VPN authentication, a key indicator of CVE-2024-12802 exploitation.\u003c/li\u003e\n\u003cli\u003eMonitor VPN logs for event IDs 238 and 1080, which are strong signals of potential exploitation activity.\u003c/li\u003e\n\u003cli\u003eImplement detection rules that flag VPN logins originating from VPS or commercial VPN infrastructure, and correlate those hits with the session-type and event-ID indicators above rather than alerting on any one of them alone.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T21:19:58Z","date_published":"2026-05-20T21:19:58Z","id":"https://feed.craftedsignal.io/briefs/2026-05-sonicwall-mfa-bypass/","summary":"Threat actors exploited CVE-2024-12802, a vulnerability in SonicWall Gen6 SSL-VPN appliances, to bypass multi-factor authentication (MFA) after brute-forcing VPN credentials, then performed internal reconnaissance, tested credential reuse and attempted to deploy a Cobalt Strike beacon and a vulnerable driver, both of which EDR blocked.","title":"SonicWall Gen6 SSL-VPN MFA Bypass via CVE-2024-12802","url":"https://feed.craftedsignal.io/briefs/2026-05-sonicwall-mfa-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Gen7 Devices","version":"https://jsonfeed.org/version/1.1"}
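As an added example that is not part of the CraftedSignal brief and not SonicWall tooling, the following Python triage script applies the three log-based indicators from the Recommendation section (`sess="CLI"`, event IDs 238 and 1080, and source addresses in VPS ranges) to constructed SonicWall-style key=value syslog lines and ranks sources by how many independent indicators they trip. The sample lines, the placeholder message text, the VPS address range, and the assumption that the event ID is carried in an `m=` field with the user in `usr=` and the client address in `src=` are all assumptions for illustration; only the `sess="CLI"` field and the two event IDs come from the brief.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a SonicWall-style key=value syslog layout.
# Field names (m=, sess=, usr=, src=) and the msg text are assumptions
# made for this example; only sess="CLI" and event IDs 238/1080 come from the brief.
SAMPLE_LOGS = """\
id=firewall time="2026-03-02 01:14:07" fw=203.0.113.10 pri=6 c=16 m=1080 msg="VPN event" usr="jdoe" src=198.51.100.7:51234 sess="CLI"
id=firewall time="2026-03-02 01:14:09" fw=203.0.113.10 pri=6 c=16 m=238 msg="VPN event" usr="jdoe" src=198.51.100.7:51234 sess="CLI"
id=firewall time="2026-03-02 08:30:11" fw=203.0.113.10 pri=6 c=16 m=238 msg="VPN event" usr="asmith" src=192.0.2.44:40120 sess="Web"
id=firewall time="2026-03-02 08:31:02" fw=203.0.113.10 pri=6 c=16 m=1079 msg="VPN event" usr="asmith" src=192.0.2.44:40120 sess="Web"
"""

# Event IDs the brief names as strong signals of exploitation activity.
SUSPICIOUS_EVENT_IDS = {"238", "1080"}

# Constructed list of VPS / commercial VPN ranges an organisation might maintain.
VPS_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value syslog line into a dict, unquoting quoted values."""
    fields = {}
    for key, raw, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else bare
    return fields


def ip_from_src(src):
    """Strip the port from an IPv4 'addr:port' src value (IPv6 is not handled here)."""
    return src.rsplit(":", 1)[0] if ":" in src else src


def in_vps_range(ip_str):
    """True if the address falls inside one of the configured VPS ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in VPS_RANGES)


def score_line(fields):
    """Return the list of brief-derived indicators that this single event matches."""
    reasons = []
    if fields.get("sess") == "CLI":
        reasons.append("sess=CLI (scripted/automated VPN auth)")
    if fields.get("m") in SUSPICIOUS_EVENT_IDS:
        reasons.append(f"event id {fields['m']}")
    if in_vps_range(ip_from_src(fields.get("src", ""))):
        reasons.append("source in VPS range")
    return reasons


def triage(log_text):
    """Aggregate matching events per source IP: users seen, distinct reasons, event count."""
    findings = defaultdict(lambda: {"users": set(), "reasons": set(), "events": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        reasons = score_line(fields)
        if not reasons:
            continue
        ip = ip_from_src(fields.get("src", "unknown"))
        entry = findings[ip]
        entry["users"].add(fields.get("usr", "?"))
        entry["reasons"].update(reasons)
        entry["events"] += 1
    return dict(findings)


def high_confidence(findings):
    """Sources that trip at least two independent indicators; a single hit is left as noise."""
    return sorted(ip for ip, f in findings.items() if len(f["reasons"]) >= 2)


if __name__ == "__main__":
    results = triage(SAMPLE_LOGS)
    for ip, f in results.items():
        print(ip, sorted(f["users"]), f["events"], sorted(f["reasons"]))
    print("high confidence:", high_confidence(results))
```

Requiring two independent indicators before escalating is the point of the correlation: a lone event ID 238 from a corporate address (the `asmith` lines) is recorded but not escalated, while the `jdoe` source matches all three indicators and surfaces immediately.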