PT-2025-1026 · SonicOS · SonicOS

Published: 2025-01-07 · Updated: 2026-05-21 · CVE-2024-12802

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions

SonicWall SSL-VPN Gen6 (affected versions not specified)
SonicWall SSL-VPN Gen7 (affected versions not specified)
SonicWall SSL-VPN Gen8 (affected versions not specified)
Description

An authentication bypass exists in SonicWall SSL-VPN when integrated with Microsoft Active Directory. The issue stems from the separate handling of User Principal Name (UPN) and Security Account Manager (SAM) account names, which allows multi-factor authentication (MFA) to be configured independently for each login method. Attackers can exploit the UPN authentication path to bypass MFA, reducing security to single-factor authentication even when MFA appears enabled.
Real-world incidents have been observed where attackers used automated tools to brute-force VPN credentials, gaining access in as few as 13 attempts. In some cases, attackers achieved lateral movement to domain-joined file servers via RDP using shared local administrator passwords within 30 to 60 minutes of initial access. These intrusions have been linked to initial access brokers and the Akira ransomware group, involving the deployment of Cobalt Strike beacons and the use of the Bring Your Own Vulnerable Driver (BYOVD) technique to evade Endpoint Detection and Response (EDR) systems.
Technical indicators of exploitation include the presence of sess='CLI' in VPN authentication logs, which suggests scripted or automated authentication, as well as Event IDs 238 and 1080.
Recommendations

For Gen6 devices, update the firmware to the latest version and perform the six required manual LDAP reconfiguration steps:

1. Remove the existing LDAP configuration that uses userPrincipalName in the Qualified login name field.
2. Clear the stored LDAP users.
3. Remove the SSL VPN User Domain.
4. Reboot the firewall.
5. Recreate the LDAP configuration without userPrincipalName.
6. Create a new backup.

For Gen7 and Gen8 devices, update the firmware to the latest version.

As a temporary mitigation, monitor VPN logs for sess='CLI' and for anomalous login patterns originating from VPS/VPN infrastructure.
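The log monitoring recommended above, as an added example that is not part of this advisory or of any SonicWall tooling: it parses key=value syslog lines, flags every line carrying one of the indicators named here (sess='CLI', Event IDs 238 and 1080) and raises an alert when one source address produces a burst of sess=CLI authentications. The sample lines are constructed, and the field layout (m= for the event ID, sess=, usr=, src=) is an assumption about the appliance's log format, so adjust the field names to the real export.

```python
import re
from collections import Counter

# Constructed sample lines (not taken from the advisory). The key=value layout and the
# field names m=, sess=, usr= and src= are assumptions about the appliance's syslog
# format; only the indicators themselves (sess='CLI', Event IDs 238 and 1080) come
# from the advisory.
SAMPLE_LOGS = [
    "time=\"2025-01-06 09:58:10\" m=238 usr=\"alice\" src=198.51.100.20 sess='WEB' msg=\"SSL VPN login\"",
    "time=\"2025-01-06 10:01:02\" m=1080 usr=\"j.doe@corp.example\" src=203.0.113.7 sess='CLI' msg=\"login failed\"",
    "time=\"2025-01-06 10:01:03\" m=1080 usr=\"j.doe@corp.example\" src=203.0.113.7 sess='CLI' msg=\"login failed\"",
    "time=\"2025-01-06 10:01:04\" m=1080 usr=\"j.doe@corp.example\" src=203.0.113.7 sess='CLI' msg=\"login failed\"",
    "time=\"2025-01-06 10:01:05\" m=238 usr=\"j.doe@corp.example\" src=203.0.113.7 sess='CLI' msg=\"SSL VPN login\"",
    "time=\"2025-01-06 10:05:00\" m=97 usr=\"bob\" src=198.51.100.21 sess='WEB' msg=\"web access\"",
]

INDICATOR_EVENT_IDS = {"238", "1080"}
KV_RE = re.compile(r"(\w+)=(?:\"([^\"]*)\"|'([^']*)'|(\S+))")

def parse_line(line):
    """Parse one key=value syslog line; values may be bare, "double" or 'single' quoted."""
    return {k: dq or sq or bare for k, dq, sq, bare in KV_RE.findall(line)}

def analyze(lines, burst_threshold=3):
    """Return (hits, bursts): hits lists every line carrying an advisory indicator,
    bursts maps source IP -> number of sess=CLI authentications at or above threshold."""
    hits, cli_by_src = [], Counter()
    for line in lines:
        rec = parse_line(line)
        reasons = []
        if rec.get("sess", "").upper() == "CLI":
            reasons.append("sess=CLI (scripted/automated authentication)")
            cli_by_src[rec.get("src", "?")] += 1
        if rec.get("m") in INDICATOR_EVENT_IDS:
            reasons.append(f"event id {rec['m']}")
        if reasons:
            hits.append((rec.get("time"), rec.get("src"), rec.get("usr"), reasons))
    bursts = {src: n for src, n in cli_by_src.items() if n >= burst_threshold}
    return hits, bursts

if __name__ == "__main__":
    hits, bursts = analyze(SAMPLE_LOGS)
    for t, src, usr, why in hits:
        print(f"{t} src={src} usr={usr}: {'; '.join(why)}")
    for src, n in bursts.items():
        print(f"ALERT: {n} sess=CLI authentications from {src} (possible automated brute force)")
```

The burst threshold is deliberately low for the sample; on production volumes tune it to the observed baseline and correlate the source addresses with known VPS/VPN ranges.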

Related Identifiers

BDU:2025-00223
CVE-2024-12802

Affected Products

SonicOS