In March of 2025, cyber security hardware firm SonicWall released a patch for an SSL-VPN MFA Bypass in its hardware.
At the time, CVE-2024-12802 was a theoretical risk: it could allow an attacker to get around multifactor authentication on the company’s SonicWall SSL-VPN devices, ultimately leading to unauthorised access.
The issue was patched at the time, and no doubt everyone who thought they had followed that patching advice has been sleeping securely.
Until now, that is: security researchers from ReliaQuest say they have observed in-the-wild exploitation of this very vulnerability, even on patched devices.
“ReliaQuest identified what we assess with medium confidence to be the first known exploitation of this vulnerability, spanning multiple environments between February and March 2026,” ReliaQuest researchers Alexander Capraro and Tristan Luikey said in a 19 May blog post.
“Attackers brute-forced credentials with automated tools and bypassed MFA silently with no failed login alert nor anomalous flag.”
In at least one case, only 13 brute-force attempts were needed to gain access, and in another, an attacker accessed a file server and deployed ransomware staging tools within 30 minutes.
The problem, according to ReliaQuest, is that while SonicWall did provide all the steps necessary to secure its devices beyond the firmware patch, not all of its customers appear to have followed them.
“A firmware patch doesn’t always equal full remediation – CVE-2024-12802, an authentication bypass in SonicWall SSL VPN appliances, requires six additional manual reconfiguration steps on Gen6 devices after the firmware update,” ReliaQuest said.
“In the incidents ReliaQuest investigated, devices that appeared patched were actively exploited.”
In each instance of exploitation tracked by the researchers, the attackers followed a similar playbook: brute-force the credentials, sweep the network, test for credential reuse, and log out, all within 30 minutes to one hour.
When the initially successful credentials stopped working, the actors fell back on further brute-forcing, and if that did not succeed either, they simply logged out.
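The detection gap described above is that only 13 attempts were needed and no failed-login alert fired, so a rule tuned to a high failure count sees nothing. The following Python script is an added example, not code from the article or from ReliaQuest or SonicWall. It runs over constructed VPN authentication events (the line layout is an assumption for this example, not SonicWall's log format) and flags a small number of failures followed by a success from the same source within a short window, the low-volume pattern the article reports.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real SonicWall output; field layout is an
# assumption for this example). User "jsmith" sees 13 failures followed by a
# success from one source, mirroring the attempt count reported in the article;
# "asmith" and "bjones" are ordinary logins that should not alert.
SAMPLE_LOG = """
2026-03-02T01:14:05Z src=203.0.113.10 user=jsmith result=failure
2026-03-02T01:14:11Z src=203.0.113.10 user=jsmith result=failure
2026-03-02T01:14:18Z src=203.0.113.10 user=jsmith result=failure
2026-03-02T01:14:24Z src=203.0.113.10 user=jsmith result=failure
2026-03-02T01:14:31Z src=203.0.113.10 user=jsmith result=failure
2026-03-02T01:14:37Z src=203.0.113.10 user=jsmith result=failure
2026-03-02T01:14:44Z src=203.0.113.10 user=jsmith result=failure
2026-03-02T01:14:50Z src=203.0.113.10 user=jsmith result=failure
2026-03-02T01:14:57Z src=203.0.113.10 user=jsmith result=failure
2026-03-02T01:15:03Z src=203.0.113.10 user=jsmith result=failure
2026-03-02T01:15:10Z src=203.0.113.10 user=jsmith result=failure
2026-03-02T01:15:16Z src=203.0.113.10 user=jsmith result=failure
2026-03-02T01:15:23Z src=203.0.113.10 user=jsmith result=failure
2026-03-02T01:15:40Z src=203.0.113.10 user=jsmith result=success
2026-03-02T08:00:12Z src=198.51.100.7 user=asmith result=failure
2026-03-02T08:00:30Z src=198.51.100.7 user=asmith result=success
2026-03-02T08:05:00Z src=198.51.100.9 user=bjones result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse the sample format into (timestamp, src, user, result) tuples,
    sorted by time. Lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    events.sort()
    return events


def detect_low_volume_bruteforce(text, min_failures=5, window=timedelta(minutes=30)):
    """Return one alert per (user, src) pair that accumulates at least
    `min_failures` failed logins and then succeeds inside `window`.

    The threshold is deliberately low: the article reports access after only
    13 attempts, which is below the failure counts many alert rules require,
    so a success preceded by even a handful of failures is worth a look."""
    recent = defaultdict(list)  # (user, src) -> timestamps of recent failures
    alerts = []
    for ts, src, user, result in parse_events(text):
        key = (user, src)
        if result == "failure":
            recent[key].append(ts)
        elif result == "success":
            fails = [t for t in recent[key] if ts - t <= window]
            if len(fails) >= min_failures:
                alerts.append({
                    "user": user,
                    "src": src,
                    "failures": len(fails),
                    "success_at": ts.isoformat(),
                })
            recent[key] = []  # a success closes the failure run
    return alerts


if __name__ == "__main__":
    for alert in detect_low_volume_bruteforce(SAMPLE_LOG):
        print(alert)
```

The rule keys on (user, source) so that one user's occasional typo from a known address does not trip it, while a run of failures from one address that ends in success does. Tune `min_failures` and `window` to the appliance's real authentication logs; the values here are illustrative.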
The activity is consistent with initial access broker activity, leading ReliaQuest to believe these were simple scouting forays, designed to gain and maintain access without triggering alerts.
It’s a pattern seen many times before, and not just in SonicWall devices.
“This is the same class of problem seen with CVE-2023-4966 (Citrix Bleed) and other edge device vulnerabilities where post-patch configuration changes are required, but standard workflows can’t verify them,” ReliaQuest said.
“Organisations should audit any edge device advisory for manual remediation steps and track their completion separately from firmware version.”
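ReliaQuest's recommendation above is to track completion of manual remediation steps separately from the firmware version. The following Python script is an added example of how such an audit can be structured; it is not code from the article, ReliaQuest or SonicWall. The fixed firmware version and the six step names are placeholders (the article says six manual steps exist on Gen6 devices but does not list them), and the inventory is constructed; a real audit would take both from the vendor advisory and a device inventory.

```python
import re
from dataclasses import dataclass, field

ADVISORY_ID = "CVE-2024-12802"
# Placeholder value: take the real minimum fixed firmware from the vendor advisory.
FIXED_FIRMWARE = "9.9.9"
# Placeholder names: the article says six manual reconfiguration steps are needed
# on Gen6 devices after the firmware update but does not list them; substitute
# the advisory's actual step names here.
MANUAL_STEPS = [f"manual-step-{i}" for i in range(1, 7)]


def version_key(version):
    """Convert a dotted or hyphenated firmware string into a comparable tuple
    of integers, e.g. '9.9.9-12n' -> (9, 9, 9, 12)."""
    return tuple(int(m.group()) for m in re.finditer(r"\d+", version))


@dataclass
class EdgeDevice:
    name: str
    firmware: str
    steps_done: set = field(default_factory=set)  # manual step names completed


def assess(device):
    """Classify one device against the advisory.

    Firmware level and manual steps are tracked as separate conditions, so a
    device with current firmware but incomplete reconfiguration is reported as
    PATCHED_INCOMPLETE rather than as fixed. REMEDIATED requires both."""
    missing = [s for s in MANUAL_STEPS if s not in device.steps_done]
    outstanding = list(missing)
    if version_key(device.firmware) < version_key(FIXED_FIRMWARE):
        status = "FIRMWARE_OUTDATED"
        outstanding.insert(0, f"upgrade firmware to >= {FIXED_FIRMWARE}")
    elif missing:
        status = "PATCHED_INCOMPLETE"
    else:
        status = "REMEDIATED"
    return {
        "device": device.name,
        "advisory": ADVISORY_ID,
        "status": status,
        "outstanding": outstanding,
    }


def audit(devices):
    """Assess every device and index the results by device name."""
    return {r["device"]: r for r in (assess(d) for d in devices)}


# Constructed inventory: one device on old firmware, one on fixed firmware with
# two manual steps still open, one fully remediated.
SAMPLE_INVENTORY = [
    EdgeDevice("vpn-edge-01", "9.9.8", set(MANUAL_STEPS)),
    EdgeDevice("vpn-edge-02", "9.9.9-12n", set(MANUAL_STEPS[:4])),
    EdgeDevice("vpn-edge-03", "9.9.10", set(MANUAL_STEPS)),
]

if __name__ == "__main__":
    for report in audit(SAMPLE_INVENTORY).values():
        print(report["device"], report["status"], report["outstanding"])
```

The point of the three-way status is that a patch dashboard keyed only on firmware version would show `vpn-edge-02` as fixed; keeping the manual steps as their own tracked items is what surfaces it as still exposed.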
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.