CVE-2024-12802 -- CVSS 9.1 Vulnerability Briefing
CVE-2024-12802 | CVSS 9.1 (Critical) | Exploit: PoC available
What Is It
CVE-2024-12802 is a multi-factor authentication bypass vulnerability in SonicWALL SSL-VPN affecting deployments integrated with Microsoft Active Directory, where the separate handling of UPN and SAM account name formats allows MFA policies to be configured and enforced independently per login method.
Technical Detail
The flaw arises because SonicWALL SSL-VPN treats UPN-format logins (user@domain) and SAM-format logins (DOMAIN\user) as distinct authentication paths, each capable of carrying its own MFA configuration. An attacker who possesses valid Active Directory credentials can authenticate using whichever login format has MFA either unconfigured or less strictly enforced, effectively circumventing the MFA requirement entirely. The result is unauthorized access to the SSL-VPN without completing the intended second authentication factor, granting network-level access equivalent to a fully authenticated session.
Exploitation Status
A proof-of-concept is publicly available. This vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog as of the date of this briefing, and there is no confirmed evidence of active exploitation in the wild at this time. However, the low complexity of the bypass technique and the public availability of PoC code meaningfully reduce the barrier to exploitation.
Who Is Targeting This
No specific threat actor attribution has been confirmed at this time. SonicWALL SSL-VPN appliances have historically been targeted by ransomware operators and state-sponsored actors seeking initial network access, but no group has been publicly linked to exploitation of this specific vulnerability.
What To Do
Administrators should apply the vendor-supplied patch from SonicWALL immediately given the critical CVSS score of 9.1 and the public availability of PoC code. As an interim measure, verify that MFA policies are consistently enforced across both UPN and SAM login formats within the SSL-VPN configuration, and audit Active Directory integration settings to confirm no authentication path exists without MFA enforcement. Review VPN authentication logs for login attempts using alternate account name formats, particularly from unfamiliar source IPs or at unusual hours, as this may indicate reconnaissance or exploitation attempts. Restrict SSL-VPN access to known IP ranges where operationally feasible until patching is complete.
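The log review recommended above can be scripted. The following is an added example, not SonicWALL's or this briefing's own code: it groups login events by account regardless of name format and reports accounts seen under more than one format or with a successful login that has no recorded MFA step. The CSV column layout, the `mfa_completed` field and the sample rows are constructed for illustration, and the script assumes the SAM account name equals the UPN prefix.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column layout is an assumption, not the appliance's log format.
SAMPLE_LOG = """\
time,src_ip,username,result,mfa_completed
2025-01-06T08:58:11Z,198.51.100.10,alice@corp.example.com,success,yes
2025-01-06T09:02:40Z,198.51.100.22,bob@corp.example.com,success,yes
2025-01-07T09:01:03Z,198.51.100.10,alice@corp.example.com,success,yes
2025-01-08T02:14:37Z,203.0.113.77,CORP\\alice,success,no
2025-01-08T02:20:05Z,203.0.113.77,CORP\\carol,failure,no
"""

def classify(username):
    """Return (format, account): format is 'SAM', 'UPN' or 'BARE', account is lowercased."""
    if "\\" in username:
        return "SAM", username.split("\\", 1)[1].lower()
    if "@" in username:
        return "UPN", username.split("@", 1)[0].lower()
    return "BARE", username.lower()

def audit(log_text):
    """Report accounts that used several name formats or logged in without MFA."""
    formats = defaultdict(lambda: defaultdict(set))  # account -> format -> source IPs
    no_mfa = defaultdict(list)                       # account -> successes lacking MFA
    for row in csv.DictReader(io.StringIO(log_text)):
        fmt, account = classify(row["username"])
        formats[account][fmt].add(row["src_ip"])     # failed attempts count as well
        if row["result"] == "success" and row["mfa_completed"] != "yes":
            no_mfa[account].append((row["time"], fmt, row["src_ip"]))
    findings = []
    for account in sorted(formats):
        if len(formats[account]) > 1 or no_mfa[account]:
            findings.append({
                "account": account,
                "formats": {f: sorted(ips) for f, ips in sorted(formats[account].items())},
                "no_mfa_successes": no_mfa[account],
            })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Where UPN prefixes and SAM account names differ in the directory, replace the prefix match in `classify` with a lookup exported from Active Directory.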