The SonicWall patch worked. The firmware updated. The security report showed green. And then hackers walked straight through your front door — in under 30 minutes.
There is a specific kind of nightmare that keeps IT managers awake at night.
Not the nightmare where you forgot to patch something.
The nightmare where you patched it — and it didn't matter.
That nightmare became real for multiple organizations between February and March 2026. Their SonicWall firewalls were updated. Their firmware versions were current. Their internal audits showed full compliance.
And attackers bypassed their MFA anyway.
Not because of a zero-day. Not because of an insider threat. Not because of a misconfigured firewall rule buried in a settings menu.
Because of six steps.
Six manual configuration steps that SonicWall's official patch required — but that almost no one knew existed.
The Moment the Lights Went Out
Picture this.
It's a Tuesday morning. Your VPN logs show a successful login. Nothing unusual — the account belongs to a legitimate employee. MFA is enabled. The firmware is current.
Thirty minutes later, an attacker has already:
- Reached your domain-joined file server
- Opened a Remote Desktop Protocol session using a shared local admin password
- Attempted to deploy a Cobalt Strike beacon
- Tried to disable your endpoint protection using a signed vulnerable driver
All of this — thirty minutes — from a single VPN login on a "patched" device.
This is not a hypothetical. This is exactly what ReliaQuest researchers documented across multiple real environments in early 2026, investigating what they now assess as the first known in-the-wild exploitation of CVE-2024-12802 — a critical authentication bypass flaw in SonicWall Gen6 SSL-VPN appliances.
The Flaw Nobody Finished Fixing
Here is where the story gets ugly.
SonicWall released a patch for CVE-2024-12802 back in March 2025. Organizations applied the firmware update. Their patch management systems marked the vulnerability as resolved. Compliance boxes were checked.
But there was a catch buried in the advisory that almost no one caught:
The firmware update alone does not fix the vulnerability on Gen6 devices.
To fully close the hole, administrators also needed to manually reconfigure their LDAP server — a six-step process that standard patch workflows do not include, do not verify, and do not flag as missing.
The result? Thousands of organizations running "patched" SonicWall devices that were, in reality, still completely exposed.
The vulnerability itself is brutal in its simplicity. CVE-2024-12802 allows an attacker who already has valid VPN credentials — obtained through brute force, phishing, or credential theft — to authenticate using a specific UPN login format that completely skips the MFA check.
The password is correct. For a normal login, MFA would fire. The attacker logs in through a different login format instead.
MFA sees nothing. Logs show a successful authentication. No alerts. No anomalies.
The attacker is inside.
Why This Stayed Hidden for So Long
This is the part of the story that should make every security professional uncomfortable.
SonicWall rated CVE-2024-12802 at CVSS 6.5 — Medium severity.
CISA independently assessed the same flaw at CVSS 9.1 — Critical.
That three-point gap in severity scores is not a minor disagreement. It is the difference between a patch that gets applied during the next scheduled maintenance window and a patch that gets applied this afternoon.
When a vulnerability is rated Medium, most organizations follow standard patch cadence — schedule it, apply the firmware update when convenient, mark it done, move on.
What they did not know:
- The firmware update was necessary but not sufficient
- Six additional manual steps were required
- Their patch management system had no way of verifying those steps were completed
- The device appeared fully remediated while remaining fully vulnerable
ReliaQuest called this "the same class of problem seen with CVE-2023-4966 (Citrix Bleed) and other edge device vulnerabilities where post-patch configuration changes are required, but standard workflows can't verify them."
Citrix Bleed caused catastrophic breaches at Boeing, Allen & Overy, and dozens of hospitals.
The SonicWall story is following the exact same pattern.
The Attack, Step by Step
Here is what the attackers actually did — documented across multiple intrusion investigations:
PHASE 1 — CREDENTIAL BRUTE FORCE
- Automated tooling cycles through VPN accounts
- UPN login format bypasses MFA enforcement
- No failed login alerts generated
- Authentication succeeds silently
PHASE 2 — RECONNAISSANCE (Minutes 1–15)
- Network mapping via VPN session
- Internal systems identified
- Credential reuse tested on discovered hosts
- Shared local admin password located
PHASE 3 — LATERAL MOVEMENT (Minutes 15–30)
- RDP session opened to domain-joined file server
- Cobalt Strike beacon deployment attempted
- BYOVD attack launched to disable EDR
- File review begun on compromised server
PHASE 4 — EXIT & RETURN
- Deliberate, clean logout
- Return days later using different accounts
- Pattern consistent with initial access broker
- Access sold to ransomware group
The deliberate logout — and the return using different accounts days later — is what makes researchers believe this attacker was not conducting ransomware themselves. They were selling access.
Someone else would come back later to detonate the ransomware.
The End-of-Life Problem Nobody Is Talking About
Here is the part of the story that almost no one has covered.
SonicWall Gen6 devices reached end-of-life on April 16, 2026.
Not end-of-support-for-this-vulnerability.
End of life. Full stop.
No further security patches. No future CVE fixes. No firmware updates. Ever.
Organizations still running Gen6 hardware have already applied the last security update they will ever receive from SonicWall. Every vulnerability discovered from this point forward will remain permanently unpatched.
For CVE-2024-12802, the firmware update released in 2025 remains the necessary first step. But the end-of-life status means organizations relying on Gen6 devices are now running critical network infrastructure with a known critical vulnerability and no patch-based path forward.
The only real remediation is migration to Gen7 or Gen8.
What You Need to Do Right Now
If your organization runs SonicWall Gen6 SSL-VPN appliances, here is your immediate action list:
Step 1: Check Your Firmware Version
Confirm your Gen6 device is running the latest firmware released before EOL. Firmware version alone is not enough — but it is the required first step.
Step 2: Complete the Six Manual LDAP Steps
This is the step most organizations missed. SonicWall's advisory for CVE-2024-12802 includes a manual LDAP server reconfiguration process. If this was not completed separately from the firmware update, your MFA bypass exposure remains open.
⚠️ Warning: Your patch management system will show this device as remediated even if these steps were never completed. You must verify manually.
Step 3: Audit VPN Logs Immediately
Review authentication logs for:
- Logins during off-hours
- Logins from unusual geographic locations
- UPN-format authentication entries
- Successful logins immediately followed by rapid internal lateral movement
Step 4: Disable Unused VPN Accounts
Attackers brute-force against every active account. Reduce the attack surface by disabling any account that does not actively require VPN access.
Step 5: Enforce Account Lockout After 3 Failed Attempts
This directly counters the automated brute-force tooling attackers used in documented intrusions.
Step 6: Plan Your Gen6 Migration Now
If you are running Gen6 hardware, this is no longer optional. You are running end-of-life equipment with a known critical flaw and no future patch path. Migration to Gen7 or Gen8 is the only long-term answer.
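One way to turn the Step 3 log review into a repeatable check, as an added example that is not part of the original article or of any SonicWall tooling: it runs over constructed, simplified login records (not real SonicWall syslog output) and flags UPN-format logins, off-hours logins, and a successful VPN login followed by an internal RDP session within thirty minutes. The record format, the business-hours window, and the event names are assumptions; the geographic check needs an IP-to-location source and is left out.

```python
from datetime import datetime, timedelta

# Constructed sample records for this example (not real SonicWall syslog output).
# Fields: timestamp, event, user name exactly as typed at login, source address.
SAMPLE_LOG = """\
2026-03-03T02:14:07,vpn_login_ok,jsmith@corp.example,203.0.113.45
2026-03-03T02:21:30,rdp_session,jsmith,10.0.5.12
2026-03-03T09:02:11,vpn_login_ok,agreen,198.51.100.7
2026-03-03T14:40:52,vpn_login_ok,mlee@corp.example,203.0.113.45
2026-03-03T14:41:10,rdp_session,mlee,10.0.5.12
"""

WORK_START, WORK_END = 7, 19            # assumed business hours (07:00-19:00)
LATERAL_WINDOW = timedelta(minutes=30)  # the "under thirty minutes" window from the intrusions


def parse(text):
    """Turn the CSV-style lines into (datetime, event, user, source) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src = line.split(",")
        records.append((datetime.fromisoformat(ts), event, user, src))
    return records


def audit(records):
    """Return (time, account, finding) triples for the indicators listed in Step 3."""
    findings = []
    last_vpn_login = {}  # account -> time of its most recent successful VPN login
    for ts, event, user, _src in records:
        account = user.split("@")[0]  # normalise UPN form to the bare account name
        if event == "vpn_login_ok":
            if "@" in user:  # UPN-format login: the format the bypass relies on
                findings.append((ts, account, "upn_format_login"))
            if not WORK_START <= ts.hour < WORK_END:
                findings.append((ts, account, "off_hours_login"))
            last_vpn_login[account] = ts
        elif event == "rdp_session":
            started = last_vpn_login.get(account)
            if started is not None and ts - started <= LATERAL_WINDOW:
                findings.append((ts, account, "rapid_internal_rdp_after_vpn"))
    return findings


if __name__ == "__main__":
    for ts, account, finding in audit(parse(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {account:<8} {finding}")
```

The two accounts that logged in with a UPN and then opened RDP inside the window surface with three and two findings respectively; the plain daytime login produces none.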
The Uncomfortable Truth About Patching
This story is not really about SonicWall.
It is about a lie that the entire security industry has been telling itself for years:
"We applied the patch. We're protected."
CVE-2024-12802 is proof that applying a patch and being protected are two completely different things. The gap between them — six manual steps that no one verified — was wide enough for ransomware actors to walk through in under thirty minutes.
The organizations that got breached were not negligent. They were not running unpatched systems out of laziness or ignorance. They followed their standard patch workflows, checked their compliance boxes, and filed their security reports.
And they got hit anyway.
The real lesson from this is not "patch faster." It is this:
Read the full advisory. Every line. Every step. Then verify that every step was completed — separately from whether the firmware version number changed.
Because the attackers are reading your advisories too.
Is Your SonicWall Firewall End-of-Life?
If you are still running a SonicWall Gen6 device, the clock has already run out on official support. Upgrading to Gen7 or Gen8 is no longer a future project — it is a present-tense risk decision.
Jazz Cyber Shield supplies genuine SonicWall firewalls to businesses across the USA, UK, Canada, and Australia, including the full Gen7 and Gen8 lineup.
Browse SonicWall Firewalls → jazzcybershield.com
If this article changed how you think about patch verification, clap. If it made you immediately open your SonicWall console to check those six LDAP steps, clap twice. If you're forwarding this to your IT team right now — you already know what to do.