ctipilot.ch

SonicWall Gen6 SSL-VPN MFA bypass via UPN vs SAM account-name split; Akira-linked actors exploited Feb-Mar 2026; firmware update insufficient without 6-step LDAP reconfiguration

cve · CVE-2024-12802 · single-source

  • Coverage timeline: 2 (first 2026-05-18 → last 2026-05-25)
  • Entries: 2 (2 distinct days)
  • Sources cited: 2 (2 hosts)
  • Sections touched: 2 (active-threats, weekly-top-stories)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-05-21 (active-threats): SonicWall Gen6 SSL-VPN incomplete-patching (CVE-2024-12802) — Akira-linked actors brute-force MFA via UPN/SAM account-name split, February–March 2026 intrusions
  2. 2026-05-18 (weekly-top-stories): SonicWall Gen6 SSL-VPN CVE-2024-12802 — Akira-linked actors bypassing MFA on *officially-patched* firmware

Where this entity is cited

  • weekly-top-stories (1)
  • active-threats (1)

Source distribution

  • bleepingcomputer.com (1, 50%)
  • cybersecuritydive.com (1, 50%)

Related entities

Entries about SonicWall Gen6 SSL-VPN MFA bypass via UPN vs SAM account-name split; Akira-linked actors exploited Feb-Mar 2026; firmware update insufficient without 6-step LDAP reconfiguration (2)

2026-05-21

SonicWall Gen6 SSL-VPN incomplete-patching (CVE-2024-12802) — Akira-linked actors brute-force MFA via UPN/SAM account-name split, February–March 2026 intrusions

notable threat · discovered 2026-05-21 05:00 UTC

Threat actors whose TTPs are consistent with Akira ransomware activity successfully bypassed MFA on SonicWall Gen6 SSL-VPN appliances running officially-patched firmware between February and March 2026; SonicWall and incident-response vendors confirm the root cause is that the firmware update for CVE-2024-12802 (CVSS 9.1, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) does not by itself enforce MFA on both User Principal Name (user@domain) and SAM-account-name (DOMAIN\user) login formats — six additional manual LDAP-reconfiguration steps from SonicWall KB kA1VN0000000RBd0AM are required (Cybersecurity Dive, 2026-05-20; BleepingComputer, 2026-05-20). Attackers brute-forced credentials against the UPN login path — which accepts authentication without triggering MFA challenges when the LDAP reconfiguration is incomplete — at speed and without producing the standard authentication alerts; per BleepingComputer's reporting, intrusion responders observed sessions of 30 to 60 minutes during which attackers logged in, performed network reconnaissance, tested credential reuse on internal systems and logged out. Gen6 SSL-VPN reached end-of-life on 2026-04-16 and receives no further security updates; Gen7 and Gen8 are remediated by firmware update alone.

Why it matters to us: the technique is a textbook example of why CVSS / vendor-advised patch status is insufficient operational signal — the appliance shows patched-firmware version, MFA appears enabled in the admin UI, and authentications succeed against an alternative account-name format that bypasses the policy enforcement entirely.

Detection concept — SonicWall Gen6 SSL-VPN syslog filter for successful SSL-VPN authentications where the login field is UPN-format rather than SAM-format, especially from source IPs with high authentication-attempt volume; correlate with short-duration recon-and-credential-reuse sessions consistent with the 30-to-60-minute pattern BleepingComputer documents.

Hardening — complete every step in SonicWall KB kA1VN0000000RBd0AM; given Gen6 EoL, migrate to Gen7/Gen8 on a defined cut-over timeline.


ctipilot v2 brief (migrated) · tags: ransomware, vulnerabilities, actively-exploited, identity, auth-bypass, europe, global, CVE-2024-12802

2026-05-18

SonicWall Gen6 SSL-VPN CVE-2024-12802 — Akira-linked actors bypassing MFA on *officially-patched* firmware

notable synthesis · discovered 2026-05-18 05:00 UTC · single-source

If you did nothing this week: patching alone did not close this. Actors whose TTPs match Akira ransomware successfully bypassed MFA on SonicWall Gen6 SSL-VPN appliances running officially-patched firmware between February and March 2026, by abusing a UPN/SAM account-name split in the authentication path — covered 2026-05-21.

This is an incomplete-patch case (CVE-2024-12802, CVSS 9.1): the original fix did not fully remediate the MFA-bypass path, so a "patched" appliance can still be brute-forced through the account-name-split primitive. Swiss/EU public-sector and finance estates that treated the earlier SonicWall advisory as closed should re-open it: audit SSL-VPN authentication logs for UPN-vs-SAM mismatches and repeated MFA challenges, and confirm the appliance is on the firmware build that fully closes CVE-2024-12802 rather than the earlier partial fix.
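A detection sketch for the syslog filter described in the 2026-05-21 entry above and for the log audit recommended here, added as an example that is not code from ctipilot, SonicWall or the cited reports. The "ts src= user= result=" line layout, the result names (mfa_challenge, success, failure, logout) and the sample lines are constructed assumptions; real appliance syslog fields must be mapped onto them before use.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in an ASSUMED layout; map real SonicWall syslog fields onto it.
SAMPLE_LOG = [
    "2026-03-02T01:10:05Z src=203.0.113.7 user=CORP\\jdoe result=mfa_challenge",
    "2026-03-02T01:10:41Z src=203.0.113.7 user=CORP\\jdoe result=success",
    "2026-03-02T01:12:00Z src=198.51.100.9 user=asmith@corp.example result=failure",
    "2026-03-02T01:12:04Z src=198.51.100.9 user=asmith@corp.example result=failure",
    "2026-03-02T01:12:09Z src=198.51.100.9 user=asmith@corp.example result=failure",
    "2026-03-02T01:12:13Z src=198.51.100.9 user=asmith@corp.example result=success",
    "2026-03-02T01:52:13Z src=198.51.100.9 user=asmith@corp.example result=logout",
]
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")

def login_format(name):
    """Classify the login field: UPN (user@domain), SAM (DOMAIN\\user) or other."""
    return "UPN" if "@" in name else "SAM" if "\\" in name else "other"

def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not fit the assumed layout
        ts, src, user, result = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
                       "user": user, "fmt": login_format(user), "result": result})
    return events

def flag_upn_logins(events, min_attempts=3, window=timedelta(minutes=10)):
    """Successful UPN-format logins with no prior MFA challenge from the same source inside
    `window` and at least `min_attempts` attempts there; each hit carries the session length
    in minutes (success to logout) so it can be compared with the 30-to-60-minute pattern."""
    hits = []
    for i, e in enumerate(events):
        if e["result"] != "success" or e["fmt"] != "UPN":
            continue
        prior = [p for p in events[:i] if p["src"] == e["src"] and e["ts"] - p["ts"] <= window]
        if any(p["result"] == "mfa_challenge" for p in prior):
            continue  # MFA was enforced on this path; not the bypass pattern
        attempts = 1 + sum(p["result"] in ("failure", "success") for p in prior)
        if attempts < min_attempts:
            continue
        logout = next((p for p in events[i + 1:] if p["src"] == e["src"]
                       and p["result"] == "logout"), None)
        minutes = (logout["ts"] - e["ts"]).total_seconds() / 60 if logout else None
        hits.append((e["src"], e["user"], attempts, minutes))
    return hits
```

On the sample data the SAM-format login that was preceded by an MFA challenge is ignored, while the UPN-format login that succeeded after three rapid failures with no challenge is reported together with its 40-minute session.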


ctipilot v2 brief (migrated) · tags: ransomware, vulnerabilities, actively-exploited, identity, auth-bypass, europe, global, CVE-2024-12802