ctipilot.ch


SonicWall Gen6 SSL-VPN CVE-2024-12802 — Akira-linked actors bypassing MFA on *officially-patched* firmware

notable · synthesis · discovered 2026-05-18 05:00 UTC · single-source

Entities: Akira

Part of run 2026-W21-473d6fa5 (weekly · Claude Opus 4.7)

If you did nothing this week: patching alone did not close this. Actors whose TTPs match Akira ransomware successfully bypassed MFA on SonicWall Gen6 SSL-VPN appliances running officially-patched firmware between February and March 2026, by abusing a UPN/SAM account-name split in the authentication path — covered 2026-05-21.

This is an incomplete-patch case (CVE-2024-12802, CVSS 9.1): the original fix did not fully remediate the MFA-bypass path, so a "patched" appliance can still be brute-forced through the account-name-split primitive. Swiss/EU public-sector and finance estates that treated the earlier SonicWall advisory as closed should re-open it: audit SSL-VPN authentication logs for UPN-vs-SAM mismatches and repeated MFA challenges, and confirm the appliance is on the firmware build that fully closes CVE-2024-12802 rather than the earlier partial fix.
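One way to run the log audit described above, as an added example that is not ctipilot's or SonicWall's code. It assumes authentication events have already been exported into a normalized tuple schema (constructed here, not SonicWall's native log format), that a UPN prefix equals the SAM account name, and a hypothetical threshold of three MFA challenges per account.

```python
from collections import defaultdict

# Constructed sample events in an assumed normalized schema (NOT SonicWall's
# native log format): (timestamp, source IP, username as submitted, event).
SAMPLE_EVENTS = [
    ("2026-03-02T08:01:10Z", "198.51.100.7", "jmeier@corp.example", "mfa_challenge"),
    ("2026-03-02T08:01:40Z", "198.51.100.7", "jmeier@corp.example", "mfa_challenge"),
    ("2026-03-02T08:02:05Z", "198.51.100.7", "CORP\\jmeier", "login_fail"),
    ("2026-03-02T08:02:30Z", "198.51.100.7", "jmeier@corp.example", "mfa_challenge"),
    ("2026-03-02T09:15:00Z", "203.0.113.20", "akeller@corp.example", "mfa_challenge"),
    ("2026-03-02T09:15:20Z", "203.0.113.20", "akeller@corp.example", "login_ok"),
    ("2026-03-02T10:30:00Z", "192.0.2.44", "CORP\\bhuber", "login_fail"),
    ("2026-03-02T10:30:45Z", "192.0.2.44", "bhuber@corp.example", "login_fail"),
]

def split_name(raw):
    """Classify a submitted login name as UPN or SAM form; return (form, account)."""
    # Assumption: the UPN prefix equals the sAMAccountName. Where it does not,
    # resolve both forms against the directory before grouping.
    name = raw.strip().lower()
    if "@" in name:                       # user@domain -> UPN
        return "upn", name.split("@", 1)[0]
    if "\\" in name:                      # DOMAIN\user -> SAM
        return "sam", name.split("\\", 1)[1]
    return "sam", name                    # bare name treated as SAM

def audit(events, mfa_threshold=3):
    """Flag accounts seen in both name forms or with repeated MFA challenges."""
    forms, sources = defaultdict(set), defaultdict(set)
    challenges = defaultdict(int)
    for _ts, src, raw, event in events:
        form, account = split_name(raw)
        forms[account].add(form)
        sources[account].add(src)
        if event == "mfa_challenge":
            challenges[account] += 1
    findings = {}
    for account, seen in forms.items():
        reasons = []
        if seen == {"upn", "sam"}:
            reasons.append("upn_sam_mismatch")
        if challenges[account] >= mfa_threshold:
            reasons.append("repeated_mfa_challenges")
        if reasons:
            findings[account] = {"reasons": reasons, "sources": sorted(sources[account])}
    return findings

if __name__ == "__main__":
    for account, hit in audit(SAMPLE_EVENTS).items():
        print(account, hit["reasons"], hit["sources"])
```

A hit is a lead for review rather than proof of compromise, since legitimate users also switch between name forms.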

“If you did nothing this week: patching alone did not close this.” — ctipilot v2 brief (migrated)

Tags: ransomware, vulnerabilities, actively-exploited, identity, auth-bypass, europe, global, CVE-2024-12802