SonicWall Gen6 SSL-VPN CVE-2024-12802 — Akira-linked actors bypassing MFA on *officially-patched* firmware
Entities: Akira
Part of run 2026-W21-473d6fa5 (weekly · Claude Opus 4.7)
If you did nothing this week: patching alone did not close this. Actors whose TTPs match Akira ransomware successfully bypassed MFA on SonicWall Gen6 SSL-VPN appliances running officially-patched firmware between February and March 2026, by abusing a UPN/SAM account-name split in the authentication path — covered 2026-05-21.
This is an incomplete-patch case (CVE-2024-12802, CVSS 9.1): the original fix did not fully remediate the MFA-bypass path, so a "patched" appliance can still be brute-forced through the account-name-split primitive. Swiss/EU public-sector and finance estates that treated the earlier SonicWall advisory as closed should re-open it: audit SSL-VPN authentication logs for UPN-vs-SAM mismatches and repeated MFA challenges, and confirm the appliance is on the firmware build that fully closes CVE-2024-12802 rather than the earlier partial fix.
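The log audit recommended above, sketched as an added example (not code from this brief or from SonicWall). It assumes authentication events have already been exported and normalized into (timestamp, source IP, submitted username, event type) tuples; the field layout, event names, thresholds and sample rows are constructed, and it assumes the UPN prefix matches the SAM account name.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, NOT real SonicWall log syntax:
# (timestamp, source IP, username exactly as submitted, event type)
SAMPLE_EVENTS = [
    ("2026-03-02T08:00:05", "198.51.100.7", "jdoe@corp.example", "login_failed"),
    ("2026-03-02T08:01:10", "198.51.100.7", "jdoe@corp.example", "mfa_challenge"),
    ("2026-03-02T08:02:15", "198.51.100.7", "jdoe@corp.example", "mfa_challenge"),
    ("2026-03-02T08:03:20", "198.51.100.7", "jdoe@corp.example", "mfa_challenge"),
    ("2026-03-02T08:04:00", "198.51.100.7", "CORP\\jdoe", "login_failed"),
    ("2026-03-02T09:00:00", "203.0.113.20", "asmith@corp.example", "mfa_challenge"),
    ("2026-03-02T09:00:30", "203.0.113.20", "asmith@corp.example", "login_ok"),
    ("2026-03-02T08:00:00", "203.0.113.44", "bwong", "login_ok"),
    ("2026-03-02T14:00:00", "203.0.113.44", "bwong@corp.example", "mfa_challenge"),
]


def canonical(username):
    """Map a submitted name to (account, form); form is 'upn' or 'sam'."""
    # Assumption: the UPN prefix equals the SAM account name. Where a directory
    # breaks that convention, replace this with a real directory lookup.
    name = username.strip().lower()
    if "@" in name:
        return name.split("@", 1)[0], "upn"
    return name.rsplit("\\", 1)[-1], "sam"  # DOMAIN\user or bare user


def audit(events, window=timedelta(minutes=30), mfa_threshold=3):
    """Return {account: [flags]} for accounts worth a manual look."""
    per_account = defaultdict(list)
    for ts, ip, user, kind in events:
        account, form = canonical(user)
        per_account[account].append((datetime.fromisoformat(ts), ip, form, kind))
    findings = {}
    for account, rows in per_account.items():
        rows.sort()
        flags = set()
        for i, (start, _, form, _) in enumerate(rows):
            nearby = [r for r in rows[i:] if r[0] - start <= window]
            if any(r[2] != form for r in nearby):
                flags.add("name_form_split")  # same account, both name forms
            if sum(r[3] == "mfa_challenge" for r in nearby) >= mfa_threshold:
                flags.add("repeated_mfa")
        if flags:
            findings[account] = sorted(flags)
    return findings
```

On the constructed rows only `jdoe` is flagged; `bwong` uses both name forms but six hours apart, outside the 30-minute window, so tune `window` and `mfa_threshold` to the estate's normal login behaviour.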
“If you did nothing this week: patching alone did not close this.” — ctipilot v2 brief (migrated)