PT-2025-1026 · Sonicos · Sonicos

Published

2025-01-07

·

Updated

2026-06-12

·

CVE-2024-12802

CVSS v3.1

9.4

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions SonicWall SSL-VPN Gen6 (affected versions not specified) SonicWall SSL-VPN Gen7 (affected versions not specified) SonicWall SSL-VPN Gen8 (affected versions not specified)
Description An authentication bypass exists in the SSL-VPN implementation of SonicOS, specifically affecting the integration with Microsoft Active Directory. The issue arises from the separate handling of User Principal Name (UPN) and Security Account Manager (SAM) account names, which allows multi-factor authentication (MFA) to be configured independently for each login method. Attackers can bypass MFA by utilizing the UPN authentication path with valid credentials, reducing the security to single-factor authentication. This flaw has been exploited in the wild by initial access brokers and ransomware groups, such as Akira, to gain entry into internal networks. In observed incidents, attackers used automated brute-force tools to compromise accounts and achieved lateral movement to domain-joined file servers within 30 to 40 minutes. Technical indicators of exploitation include the presence of sess='CLI' in VPN authentication logs, which suggests scripted or automated logins, as well as Event IDs 238 and 1080.
Recommendations For Gen6 devices, update the firmware to the latest version and perform the six required manual LDAP reconfiguration steps, including removing the existing LDAP configuration using userPrincipalName in the Qualified login name field, clearing stored LDAP users, removing the SSL VPN User Domain, rebooting the firewall, recreating the LDAP configuration without userPrincipalName, and creating a new backup. For Gen7 and Gen8 devices, update the firmware to the latest version. As a temporary mitigation, monitor VPN logs for sess='CLI' and suspicious connections from VPS/VPN infrastructure.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2025-00223
CVE-2024-12802

Affected Products

Sonicos