EXECUTIVE SUMMARY
A cybersecurity threat has been identified that targets SonicWall SSL VPN appliances. The campaign, observed in multiple environments between February and March 2026, is believed to be the first in-the-wild exploitation of CVE-2024-12802, an authentication bypass vulnerability in SonicWall appliances, as well as of CVE-2023-4966, a separate vulnerability that has been exploited in conjunction with CVE-2024-12802. The attackers have been using automated tools to brute-force VPN credentials and bypass MFA to gain access to internal networks. Once inside, they move quickly to identify and exploit vulnerable systems, often deploying pre-ransomware staging tools within 30 minutes of initial access.
The threat actors behind this campaign are using a well-documented playbook that involves brute-forcing VPN credentials, sweeping the internal network, testing credential reuse against internal systems, and logging out. This playbook is consistent with activity seen across previous incidents and is believed to be tied to the ransomware ecosystem. The attackers are also using a technique called Bring Your Own Vulnerable Driver (BYOVD) to disable endpoint protection and gain kernel-level access to the system. This threat is significant because it highlights a gap in patch-management workflows that can leave devices vulnerable even after a firmware update.
On Gen6 SonicWall devices, the firmware patch alone is not enough to remediate the vulnerability, and six additional manual reconfiguration steps are required. These steps are not typically verified by standard patch-management workflows, leaving devices that appear patched but are still vulnerable. Organizations should audit any edge device advisory for manual remediation steps and track their completion separately from firmware version. To defend against this threat, organizations should complete the Gen6 remediation steps, block known vulnerable drivers, audit VPN account privileges and local administrator credentials, and implement Local Administrator Password Solution (LAPS) or equivalent. They should also consider deploying detection rules with automated response playbooks to quickly contain and remediate the threat. By taking these steps, organizations can reduce their exposure to this type of intrusion and prevent attackers from gaining initial access to their networks.
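The remediation-tracking point above can be turned into a simple inventory check. This is an added example, not code from ReliaQuest, SonicWall or the cited reports; device names, firmware flags and the step labels are constructed placeholders standing in for the advisory's actual six Gen6 steps.

```python
# Added example (not code from ReliaQuest, SonicWall or the cited reports):
# track manual remediation steps separately from the firmware version so a
# device that is patched but not reconfigured is not reported as fixed.
from dataclasses import dataclass, field

# Placeholder labels for the six manual reconfiguration steps required on Gen6
# (constructed, not the vendor's wording). Assumption for this example: only
# Gen6 carries manual steps; other generations have an empty checklist.
REQUIRED_STEPS = {
    "Gen6": tuple(f"manual_step_{i}" for i in range(1, 7)),
}


@dataclass
class Device:
    name: str
    generation: str          # e.g. "Gen6", "Gen7"
    firmware_patched: bool   # firmware at or above the fixed version
    completed_steps: set = field(default_factory=set)  # verified manual steps


def remediation_status(device):
    """Return (status, missing_steps).
    REMEDIATED requires the firmware patch AND every generation-specific
    manual step; PATCHED_NOT_REMEDIATED is the state a firmware-only
    patch check would wrongly report as fixed.
    """
    required = REQUIRED_STEPS.get(device.generation, ())
    if not device.firmware_patched:
        return "UNPATCHED", list(required)
    missing = [s for s in required if s not in device.completed_steps]
    if missing:
        return "PATCHED_NOT_REMEDIATED", missing
    return "REMEDIATED", []


def still_exposed(devices):
    """Names of devices that pass a firmware check but are not remediated."""
    return [d.name for d in devices
            if remediation_status(d)[0] == "PATCHED_NOT_REMEDIATED"]


# Constructed inventory for demonstration (device names are placeholders).
INVENTORY = [
    Device("fw-hq-01", "Gen6", True, set(REQUIRED_STEPS["Gen6"])),
    Device("fw-branch-02", "Gen6", True, {"manual_step_1", "manual_step_2"}),
    Device("fw-branch-03", "Gen6", False),
    Device("fw-dc-04", "Gen7", True),
]
```

Feeding the real inventory and the advisory's step list into `REQUIRED_STEPS` and `INVENTORY` yields the devices that look patched in a firmware-version report but still need manual work.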
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Initial Access | T1078 | Valid Accounts | — |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | — |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Credential Access | T1110.001 | Brute Force | Password Guessing |
| Discovery | T1083 | File and Directory Discovery | — |
| Lateral Movement | T1021.001 | Remote Services | Remote Desktop Protocol |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
REFERENCES:
The reports contain further technical details:
https://reliaquest.com/blog/threat-spotlight-vpn-exploitation-when-patched-doesnt-mean-protected/
https://www.cybersecuritydive.com/news/patch-bypass-hackers-exploit-flaw-sonicwall/820600/