PT-2025-1026 · Sonicos · Sonicos
Published
2025-01-07
·
Updated
2026-06-12
·
CVE-2024-12802
CVSS v3.1
9.4
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
SonicWall SSL-VPN Gen6 (affected versions not specified)
SonicWall SSL-VPN Gen7 (affected versions not specified)
SonicWall SSL-VPN Gen8 (affected versions not specified)
Description
An authentication bypass exists in the SSL-VPN implementation of SonicOS, specifically affecting the integration with Microsoft Active Directory. The issue arises from the separate handling of User Principal Name (UPN) and Security Account Manager (SAM) account names, which allows multi-factor authentication (MFA) to be configured independently for each login method. Attackers can bypass MFA by utilizing the UPN authentication path with valid credentials, reducing the security to single-factor authentication. This flaw has been exploited in the wild by initial access brokers and ransomware groups, such as Akira, to gain entry into internal networks. In observed incidents, attackers used automated brute-force tools to compromise accounts and achieved lateral movement to domain-joined file servers within 30 to 40 minutes. Technical indicators of exploitation include the presence of
sess='CLI' in VPN authentication logs, which suggests scripted or automated logins, as well as Event IDs 238 and 1080.Recommendations
For Gen6 devices, update the firmware to the latest version and perform the six required manual LDAP reconfiguration steps, including removing the existing LDAP configuration using
userPrincipalName in the Qualified login name field, clearing stored LDAP users, removing the SSL VPN User Domain, rebooting the firewall, recreating the LDAP configuration without userPrincipalName, and creating a new backup.
For Gen7 and Gen8 devices, update the firmware to the latest version.
As a temporary mitigation, monitor VPN logs for sess='CLI' and suspicious connections from VPS/VPN infrastructure.Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Sonicos