Editor’s note: This report was authored by Alexander Capraro and Tristan Luikey

Key Points

  • A firmware patch doesn’t always equal full remediation—CVE-2024-12802, an authentication bypass in SonicWall SSL VPN appliances, requires six additional manual reconfiguration steps on Gen6 devices after the firmware update. In the incidents ReliaQuest investigated, devices that appeared patched were actively exploited.

  • ReliaQuest identified what we assess with medium confidence to be the first known exploitation of this vulnerability, spanning multiple environments between February and March 2026. Attackers brute-forced credentials with automated tools and bypassed MFA silently with no failed login alert nor anomalous flag.

  • Verify all six Gen6 remediation steps, add the sess="CLI" session type to VPN log monitoring to detect automated brute-forcing at its earliest stage, and audit VPN account privileges.


Between February and March 2026, ReliaQuest identified activity that we assess with medium confidence to be the first in-the-wild exploitation of CVE-2024-12802, targeting SonicWall devices across multiple environments. CVE-2024-12802 is an authentication bypass vulnerability in SonicWall appliances that reduces VPN security to single-factor authentication. Disclosed in early 2025, it’s the latest in a series of VPN vulnerabilities exploited to gain initial access to corporate networks.

On Gen6 devices, the firmware patch alone doesn’t remediate the vulnerability. Six additional manual reconfiguration steps are required. SonicWall documented those steps in its advisory, but standard patch-management workflows aren't designed to verify them: The firmware updates, the version check passes, and the device appears remediated while remaining fully exploitable. For any organization that relies on firmware version alone to confirm remediation, this is a blind spot, and it’s not unique to SonicWall.

In the intrusions we observed, threat actors brute-forced VPN accounts and bypassed MFA to gain access to internal networks. The tools observed were consistent with actors operating in the ransomware ecosystem. In some cases, as few as 13 brute-force attempts separated an attacker from a valid credential. In one environment, they reached a file server within 30 minutes and deployed tools consistent with pre-ransomware staging. Intrusions left the same signal in the logs: A session type associated with automated VPN authentication that most organizations are unlikely to be monitoring today.

In this spotlight, we:

  • Explain how CVE-2024-12802 enables MFA bypass through an unprotected login format and why Gen6 devices remain vulnerable after patching.

  • Break down the attack pattern observed across multiple environments, including one intrusion in which the threat actor deployed pre-ransomware tools within 30 minutes of initial access.

  • Detail a previously unmonitored detection signal in SonicWall authentication logs that reveals this campaign at its earliest stage, with actionable guidance to detect, contain, and remediate it before access expands.

The Gap Between Patched and Protected

A firmware patch doesn't always equal full remediation, and when that gap goes untracked, attackers exploit it. On Gen6 SonicWall devices, CVE-2024-12802 requires six manual reconfiguration steps beyond the firmware update. In the environments ReliaQuest investigated, devices that had been patched but hadn’t completed those steps were actively exploited, showing as "patched" in vulnerability management programs while remaining fully exploitable.

SonicWall assigned CVE-2024-12802 a CVSS score of 6.5 (Medium); CISA's Authorized Data Publisher assessment rates it 9.1 (Critical). The lower vendor score, combined with a patch that appeared to resolve the issue, may have led organizations to treat this as a routine update instead of an urgent remediation that required manual follow-up. Gen7 and newer devices are fully remediated by the firmware patch alone—this is a Gen6-specific problem.

Why Patching Alone Isn’t Enough

SonicWall SSL VPN appliances are widely deployed by small and medium-sized businesses for their affordability and ease of use, and have become a consistent target for ransomware-linked actors. Gen6 devices recently reached End-of-Life (EoL) on April 16, 2026 and will no longer receive vendor support or firmware updates, but they remain common in production environments and frequently fall outside standard asset inventories, particularly when inherited during mergers and acquisitions (M&A).

Standard patch-management workflows typically lack the ability to distinguish between "patched" and "fully remediated." When a device shows as patched and drops off remediation dashboards while still being vulnerable, that's a systemic gap in patch-management tooling and processes, and it extends well beyond SonicWall. CVE-2023-4966 ("Citrix Bleed"), for example, required administrators to manually terminate all active sessions and rotate credentials after patching because stolen session tokens remained valid across the firmware update.

On Gen6 hardware, the vulnerability exploits how MFA is enforced on the User Principal Name (UPN) authentication path, confirmed through our log analysis. Patching the firmware doesn’t remove the existing Lightweight Directory Access Protocol (LDAP) configuration that allows the bypass; the vulnerable configuration remains in place. Remediation requires deleting that configuration entirely and rebuilding it without the userPrincipalName format that the exploit relies on. SonicWall's advisory (SNWLID-2025-0001) specifies six additional manual steps (see Figure 1).

Figure 1: Patching steps for Gen6 SonicWall devices

The MFA Challenge That Doesn’t Stop the Login

SonicWall SSL VPN deployments using Active Directory (AD) authentication support two login formats:

  • UPN: user[at]domain[.]com

  • Security Account Manager (SAM): DOMAIN\username

CVE-2024-12802 is a vulnerability in how MFA is enforced across these formats: Protection applies to each account name format independently rather than to the user identity behind them. If MFA is configured for one authentication path but not the other, attackers can authenticate through the unprotected format and gain access as a legitimate user, even if MFA appears enabled. Discovering which format is unprotected requires only trial and error.
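The following Python model is an added illustration of the bug class described above; it is not SonicWall code and does not reproduce how the appliance actually evaluates MFA. The vulnerable function keys its MFA policy on the login string exactly as typed, so the UPN and SAM spellings of one account are two separate policy entries; the hardened function reduces both spellings to one canonical identity before the policy lookup, requires MFA by default, and (mirroring the advisory's approach of dropping the userPrincipalName format) rejects UPN logins unless explicitly allowed. The suffix-to-NetBIOS mapping and the account names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    """Canonical directory identity shared by every login-string spelling of a user."""
    domain: str  # NetBIOS domain, upper-cased
    sam: str     # sAMAccountName, lower-cased


# Constructed directory data (assumption for the example): UPN suffix -> NetBIOS domain.
UPN_SUFFIX_TO_NETBIOS: Dict[str, str] = {"corp.example": "CORP"}


def canonicalize(login: str) -> Tuple[Optional[Identity], str]:
    """Reduce either AD login format to one Identity; returns (identity, format)."""
    if "\\" in login:                              # SAM format: DOMAIN\username
        domain, sam = login.split("\\", 1)
        return Identity(domain.upper(), sam.lower()), "SAM"
    if "@" in login:                               # UPN format: user@domain
        user, suffix = login.rsplit("@", 1)
        netbios = UPN_SUFFIX_TO_NETBIOS.get(suffix.lower())
        if netbios is None:
            return None, "UPN"                     # unknown suffix: cannot resolve
        return Identity(netbios, user.lower()), "UPN"
    return None, "UNKNOWN"


# --- Vulnerable model: MFA policy keyed on the typed login string ------------------
# Only the SAM spelling was enrolled; the UPN spelling of the same user has no entry.
MFA_BY_LOGIN_STRING: Dict[str, bool] = {"CORP\\jsmith": True}


def vulnerable_login_allowed(login: str, password_ok: bool, otp_ok: bool) -> bool:
    if not password_ok:
        return False
    if MFA_BY_LOGIN_STRING.get(login, False):      # per-format lookup
        return otp_ok
    return True   # any spelling without an entry silently gets single-factor access


# --- Hardened model: policy keyed on canonical identity, MFA on by default ---------
MFA_BY_IDENTITY: Dict[Identity, bool] = {Identity("CORP", "jsmith"): True}


def hardened_login_allowed(login: str, password_ok: bool, otp_ok: bool,
                           accept_upn: bool = False) -> bool:
    if not password_ok:
        return False
    ident, fmt = canonicalize(login)
    if ident is None or (fmt == "UPN" and not accept_upn):
        return False                               # fail closed on unknown/disallowed format
    if MFA_BY_IDENTITY.get(ident, True):           # default: require a second factor
        return otp_ok
    return True


if __name__ == "__main__":
    # Same user, valid password, no OTP: vulnerable model lets the UPN spelling through.
    print("vulnerable, UPN, no OTP:", vulnerable_login_allowed("jsmith@corp.example", True, False))
    print("hardened,   UPN, no OTP:", hardened_login_allowed("jsmith@corp.example", True, False, accept_upn=True))
```

The point of the canonical step is that policy decisions attach to the directory object, not to the string the client sent; a configuration review should ask the same question of any appliance that lets one account be named in more than one way.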

In the intrusions ReliaQuest investigated, SonicWall logs showed the appliance issued a one-time password request during the malicious authentication, confirming MFA was configured, but authentication succeeded without one. From the defender's perspective, this looked like a legitimate login. Authentication bypass vulnerabilities in edge devices are particularly high impact because MFA doesn't just fail; it fails silently. There’s no failed MFA alert, no anomalous login flag. Typically, the only evidence is a “session type” value in the authentication logs that indicates scripted or automated authentication rather than an interactive user login.

The Attack Pattern

In one intrusion ReliaQuest responded to, the threat actor moved from initial VPN authentication to internal network access in as little as 30 minutes, faster than most SOC teams can manually triage a single alert. The pattern across environments was consistent: brute-force credentials, assess the network, and either escalate or log out. The speed and consistency of this activity, combined with the tools deployed in one escalated case, points to a mature operational workflow with ties to the ransomware ecosystem.

Break In, Look Around, Log Out

In every intrusion involving this initial access method between February and March 2026, the threat actors followed the same pattern of brute-forcing VPN credentials, sweeping the internal network, testing credential reuse against internal systems, and logging out—all typically within 30 to 60 minutes (see Figure 2). There was no persistence beyond the compromised account, no payloads, and no visible incident.

The brute-forcing was fast and scripted. Authentication attempts arrived in rapid succession using the sess="CLI" session type, indicating automated tools rather than manual login. The lowest successful attempt required just 13 tries before the threat actor found a valid credential pair, and ReliaQuest typically observed multiple accounts compromised during these events. Multiple compromised accounts from a single brute-forcing event give the attacker redundant access; resetting one account doesn’t close the door.

Figure 2: Average attack timeline completed within 30 to 60 minutes

When VPN credentials also worked against internal systems, the threat actor used them against accessible devices on the network. If the credentials didn’t work, the threat actor fell back to brute-forcing network devices using generic accounts such as "administrator." When neither approach yielded lateral movement, they typically logged out voluntarily.

The voluntary logouts, combined with re-entry attempts days later using different accounts in some environments, are consistent with initial access broker (IAB) activity. The observed attacks lead us to assess with high confidence that this threat actor was gaining initial access through this vulnerability across multiple sectors and geographies.

This creates a visibility gap, as brute-forced VPN accounts can sit dormant for weeks without generating further alerts. Organizations may have been accessed without a visible incident to investigate, and the next intrusion may come from a different actor entirely. With attackers averaging a 34-minute breakout time across ReliaQuest investigations in 2025, agentic AI in the detection and response lifecycle is often the deciding factor in stopping threat actors before they move laterally.

From VPN Access to Server Access in Under an Hour

In one intrusion, the threat actor moved beyond VPN access into active hands-on-keyboard activity on an internal file server. The entire sequence (see Figure 3) took roughly 40 minutes.

Figure 3: Step-by-step progression of the escalation case, from VPN authentication to session termination

Within 30 minutes of VPN authentication, the threat actor had reached a domain-joined file server and established a Remote Desktop Protocol (RDP) session using a shared local administrator password. The pivot was direct, with no lateral movement through intermediate hosts. A single reused credential was all that was needed, highlighting a common gap: VPN accounts that can also reach internal systems directly, without the authenticating device being validated, create a path from perimeter access to lateral movement that may not require privilege escalation.

From there, the threat actor attempted to deploy a Cobalt Strike beacon, a post-exploitation framework used for C2, and a Bring Your Own Vulnerable Driver (BYOVD) attack to disable endpoint protection. BYOVD is a technique where attackers load a legitimate, but vulnerable, signed driver onto a system, then exploit it to gain kernel-level access and disable security tools. These tools are commonly referred to as "EDR killers" because their primary purpose is to blind endpoint detection so subsequent payloads can execute without interference.

EDR blocked both the beacon and the driver load. The threat actor shifted to manually reviewing files on the server with Notepad, a technique that often evades behavioral detection because Notepad accessing files on a file server may blend into normal activity. File servers frequently contain configuration files, scripts, and documentation with embedded credentials, and a single credential discovery would give the attacker a way back in or deeper access without requiring brute force on return. Without EDR intervention, we assess with medium confidence that the follow-on activity would have resulted in data exfiltration or ransomware deployment.

The tools and sequence observed here (C2 establishment followed by an attempt to blind endpoint protection) follow a well-documented pre-ransomware playbook used by multiple ransomware groups. Ransomware-linked groups such as "Akira" have previously used Cobalt Strike beacons, EDR-killing drivers, and SonicWall SSL VPN access in their intrusion chains. While attribution couldn’t be confirmed here, the tactics, techniques, and procedures (TTPs) are consistent with activity seen across previous incidents.

For defenders, this case highlights that the same vulnerability enabling reconnaissance also provides a direct path to post-exploitation when escalated. Behavioral endpoint detection was the pivotal control that kept this intrusion from progressing, but the shift to manual credential hunting shows the threat actor adapting to find another path forward after their usual tools were blocked.

Detection Signal in Authentication Logs

Every brute-force attempt ReliaQuest observed shared a common session type in SonicWall authentication logs: sess="CLI". The authentication attempts also originated from source IPs hosted on abused Autonomous System Number (ASN) ranges commonly associated with threat actor operations, usually VPN and virtual private server (VPS) infrastructure. Combined, the session type and source infrastructure give defenders two correlated indicators to detect this activity at its earliest stage.

What sess="CLI" in the Logs Reveals

The sess="CLI" session type indicates scripted or automated VPN authentication. Unlike interactive user sessions, it accepts fully parameterized credential input, enabling rapid cycling through credential lists without manual interaction. The specific tool generating this session type hasn't been confirmed, but the behavior is consistent with a command-line-based VPN authentication tool.

Following a successful authentication, we observed the session type change from “CLI” to “GMS,” indicating the threat actor had transitioned to actively connecting to internal resources. This transition is the detection signal. Organizations with visibility into SonicWall authentication logs should treat sess="CLI" entries, particularly when combined with Event ID 238 (failed VPN login attempts) or Event ID 1080 (successful SSL VPN zone login), as an indicator of automated authentication requiring further investigation.

To surface these events, SonicWall syslog forwarding to a SIEM must be enabled, and the Authentication log category must be included.

In SonicWall logs, this transition looks like this:

  • sess="CLI": Automated credential testing likely in progress.

Figure 4: SonicWall log showing a failed login via automated methods

  • sess="GMS": If seen directly after brute-forcing indicators, hands-on-keyboard activity may follow.

Figure 5: SonicWall log showing a successful login

Organizations should baseline legitimate CLI-based VPN authentication use before treating all sess="CLI" events as malicious. In environments where no CLI-based VPN clients are authorized or typical, any sess="CLI" event is a high-fidelity indicator. In environments that do use scripted VPN authentication, tuning the detection based on volume, source IP, and timing will be required to reduce false positives.
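The detection logic described in this section, as an added Python example that is not part of the report and not a ReliaQuest or SonicWall detection rule: it parses key=value syslog lines, counts sess="CLI" failures (Event ID 238) per source IP in a sliding window, flags a sess="CLI" success (Event ID 1080) from a source that was already brute-forcing, and then flags the CLI-to-GMS transition for that user. Sources with authorized scripted VPN use are baselined through an allowlist, as the paragraph above recommends. The log lines are constructed for the example; only the field naming convention, the session type values, and the two event IDs come from the report, and the exact field layout of real SonicWall syslog output is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Tuple

# Matches key=value pairs where the value is either "quoted" or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value syslog line into a dict (quoted values keep spaces)."""
    fields: Dict[str, str] = {}
    for key, _whole, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def constructed_sample() -> List[str]:
    """Constructed log lines: 13 rapid CLI failures, a CLI success, then a GMS session."""
    base = datetime(2026, 2, 12, 3, 14, 0)
    users = ["jsmith", "mlee", "admin", "backup"]
    lines = []
    for i in range(13):  # the smallest burst in the report was 13 tries
        t = (base + timedelta(seconds=4 * i)).strftime(TIME_FMT)
        lines.append(f'id=firewall time="{t}" m=238 msg="User login failed" '
                     f'usr="{users[i % 4]}" src=203.0.113.10:51234:X1 sess="CLI"')
    t = (base + timedelta(seconds=60)).strftime(TIME_FMT)
    lines.append(f'id=firewall time="{t}" m=1080 msg="SSL VPN zone remote user login allowed" '
                 f'usr="jsmith" src=203.0.113.10:51300:X1 sess="CLI"')
    t = (base + timedelta(seconds=95)).strftime(TIME_FMT)
    lines.append(f'id=firewall time="{t}" m=1080 msg="SSL VPN zone remote user login allowed" '
                 f'usr="jsmith" src=203.0.113.10:51302:X1 sess="GMS"')
    # Baselined automation: an allowlisted monitoring host that legitimately uses CLI auth.
    t = (base + timedelta(seconds=120)).strftime(TIME_FMT)
    lines.append(f'id=firewall time="{t}" m=1080 msg="SSL VPN zone remote user login allowed" '
                 f'usr="svc-monitor" src=198.51.100.5:40000:X1 sess="CLI"')
    return lines


def detect(lines: List[str], threshold: int = 10, window: timedelta = timedelta(minutes=5),
           allowlist: FrozenSet[str] = frozenset()) -> List[Tuple[str, str, str]]:
    """Return (alert_kind, source_ip, username) tuples in event order."""
    events = [parse_line(l) for l in lines if l.strip()]
    for e in events:
        e["_ts"] = datetime.strptime(e["time"], TIME_FMT)  # type: ignore[assignment]
    events.sort(key=lambda e: e["_ts"])

    alerts: List[Tuple[str, str, str]] = []
    cli_failures: Dict[str, List[datetime]] = defaultdict(list)  # src ip -> failure times
    flagged_src = set()      # sources that crossed the brute-force threshold
    compromised = set()      # users whose CLI success followed a flagged source
    for e in events:
        src = e.get("src", "").split(":")[0]      # strip port and interface suffix
        sess, mid, usr, ts = e.get("sess", ""), e.get("m", ""), e.get("usr", ""), e["_ts"]
        if src in allowlist:                      # baselined scripted VPN use
            continue
        if sess == "CLI" and mid == "238":
            times = cli_failures[src]
            times.append(ts)
            while times and ts - times[0] > window:   # sliding window
                times.pop(0)
            if len(times) >= threshold and src not in flagged_src:
                flagged_src.add(src)
                alerts.append(("cli_bruteforce", src, usr))
        elif sess == "CLI" and mid == "1080":
            if src in flagged_src:
                compromised.add(usr)
                alerts.append(("cli_success_after_bruteforce", src, usr))
            else:
                alerts.append(("unbaselined_cli_login", src, usr))
        elif sess == "GMS" and usr in compromised:
            alerts.append(("gms_after_compromise", src, usr))
    return alerts


if __name__ == "__main__":
    for alert in detect(constructed_sample(), allowlist=frozenset({"198.51.100.5"})):
        print(alert)
```

Run against the constructed sample, the detector emits three alerts in sequence (brute force, credential found, GMS transition) and nothing for the allowlisted host. In a SIEM the same logic maps to a per-source count over a time window joined to later successes by source and user; the threshold and window are the tuning knobs the section above refers to.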

Step Up Your Defenses

ReliaQuest’s Approach

This activity compresses the entire attack sequence, from VPN authentication to post-exploitation tools, into under an hour. That timeline demands detection and containment that operate at the same speed. ReliaQuest GreyMatter provides several capabilities directly relevant to the TTPs observed in this activity:

GreyMatter Transit: GreyMatter Transit can fire detections before data reaches storage, enabling much faster detection and response. In some cases, this reduces the detection window to just seconds, which matters when the gap between VPN access and lateral movement is measured in minutes.

GreyMatter Agentic AI: This activity relies on speed and volume—cycling through credentials via automated brute-forcing, pivoting to internal systems within minutes, and logging out before most SOC teams can manually triage the initial alert. GreyMatter’s agentic AI focuses on the sequence of events rather than isolated alerts, connecting brute-forcing, internal reconnaissance, and credential reuse attempts to speed investigation and response.

ReliaQuest Detection Rules: ReliaQuest detection content is continuously updated using the latest relevant threat intelligence.

GreyMatter Automated Response Playbooks turn detection into immediate action. Once the campaign is identified, prebuilt playbooks can isolate the affected host, revoke the active session, or reset a password—all within minutes and across your existing security stack. In an attack lifecycle designed to move from initial access to lateral movement in under 40 minutes, automated containment removes the window attackers depend on.

Organizations can reduce their mean time to contain (MTTC) to five minutes or less by deploying detection rules with these GreyMatter Automated Response Playbooks:

  • Terminate Active Session: Logs the compromised user out of all active sessions, invalidating session tokens and cutting off the attacker's access even if they hold valid credentials. In a campaign where threat actors voluntarily log out and return days later with different accounts, immediate session termination limits the window for internal reconnaissance.

  • Reset Password: Forces a password reset for the compromised user account, ensuring captured credentials can’t be reused. This is critical in campaigns like this one where attackers hold large pools of compromised credentials and cycle back to environments where initial access succeeded.

  • Isolate Host: Quarantines the affected host at the first confirmed sign of post-exploitation, including the Cobalt Strike beacon deployment or BYOVD driver load observed in the escalation case. This halts lateral movement before the attacker can progress from file server access to broader network impact.

For faster remediation, consider configuring these Playbooks to “RQ Approved” to automate threat containment across your existing tools.

Your Action Plan

Based on the activity observed, implement these steps to reduce exposure to this type of intrusion.

  • Complete the Gen6 remediation steps: Applying the SonicWall firmware patch isn’t enough on Gen6 devices. Verify that all six LDAP reconfiguration steps from SNWLID-2025-0001 have been completed on every Gen6 device. A patched device that skipped these steps remains exploitable. Track firmware version and remediation status separately.

  • Block known vulnerable drivers: The BYOVD attempt in the escalation case used a legitimate but vulnerable signed driver to disable endpoint protection. Deploy vendor-recommended vulnerable-driver block rules, such as those available via Windows Defender Application Control (WDAC), to prevent known vulnerable drivers from loading.

  • Audit VPN account privileges and local administrator credentials: In this activity, threat actors moved from VPN access to file server compromise through credential reuse alone. VPN accounts should carry only the privileges necessary for the user's role. Assign VPN users to a dedicated organizational unit with restricted group policy permissions, and verify that VPN-assigned IP addresses from non-domain-joined devices are blocked from direct access to sensitive server tiers by firewall policy. Implement Local Administrator Password Solution (LAPS) or equivalent to ensure local admin credentials are unique per device and rotated regularly.

Key Takeaways and What’s Next

The central finding of this investigation is simple: Patching doesn't always equal remediation, and that gap has implications well beyond SonicWall. On Gen6 devices, six manual reconfiguration steps are required after the firmware update, and in the environments ReliaQuest investigated, devices that skipped those steps were actively exploited while showing as patched. This is the same class of problem seen with CVE-2023-4966 (Citrix Bleed) and other edge device vulnerabilities where post-patch configuration changes are required but standard workflows can’t verify them. Organizations should audit any edge device advisory for manual remediation steps and track their completion separately from firmware version.

Looking ahead, ReliaQuest assesses with moderate confidence that exploitation of CVE-2024-12802 and other VPN authentication bypass vulnerabilities will persist through 2026 as IABs continue to target them heavily. Gen6 devices have reached EoL but remain widely deployed, particularly in small- and medium-sized businesses and environments inherited through M&A. Historical patterns show that patch compliance plateaus after a product EoL, which means the population of vulnerable devices is unlikely to shrink significantly. Organizations still running Gen6 devices should treat remediation verification as urgent.

IOCs

Artifact and details:

  • 6a6aaeed4a6bbe82a08d197f5d40c2592a461175f181e0440e0ff45d5fb60939: EDR-disabling executable

  • b31f5a27ab615d2b48a690b227775b7103701151345569e2e4002c36da32cadb: Malicious file observed

  • 69.10.60[.]250: IP address used for interactive logins to SonicWall

  • 193.160.216[.]221: IP address used for interactive logins to SonicWall