ReliaQuest researchers published findings on 19 May confirming that SonicWall Generation 6 SSL-VPN appliances running the official patched firmware for CVE-2024-12802 remain exploitable unless administrators complete six specific manual reconfiguration steps that SonicWall documented in a separate configuration bulletin — not the primary patch advisory. Organisations that applied the firmware update alone without following the supplementary guidance are still vulnerable to the authentication bypass that enables full VPN access without valid credentials.
The timing is particularly acute: SonicWall Generation 6 devices reached end-of-life on 16 April 2026 and will receive no further firmware updates. For the subset of Gen6 customers who have not migrated to Gen7 hardware, the situation is now permanent — the configuration-step gap exists in the final firmware version.
CVE-2024-12802: The Vulnerability and the Gap
CVE-2024-12802 is an authentication bypass in the SonicWall SSL-VPN implementation that allows an unauthenticated attacker to bypass multi-factor authentication enforcement under specific session conditions. The CVSS score was assessed at 6.5 by SonicWall but rated 9.1 (Critical) by CISA, reflecting a significant divergence in severity assessment between the vendor and independent analysis.
The gap between the vendor’s CVSS and CISA’s assessment reflects the mechanism: the bypass enables complete VPN gateway authentication circumvention under conditions that are common in enterprise deployments, so real-world exploitability is significantly higher than the vendor’s controlled test environment suggested.
The patch applied via the standard firmware update process closes the primary vulnerability code path. However, SonicWall’s supplementary hardening guidance requires administrators to separately:
- Enforce specific MFA policy binding configurations
- Disable legacy authentication fallback modes
- Configure session token validation settings not affected by the firmware update
- Apply network-level policy adjustments to the SSL-VPN zone
- Disable specific legacy client compatibility options
- Validate that specific configuration parameters were not preserved from pre-patch backups
Organisations that applied only the firmware update without completing all six configuration steps retain the authentication bypass under the conditions Akira and similar groups are actively exploiting.
Akira Ransomware: 86% of SonicWall-Involved Intrusions
ReliaQuest’s incident response data covering SonicWall SSL-VPN-related intrusion claims from January to May 2026 found Akira ransomware present in 86% of cases where SonicWall was identified as the initial access vector. The remaining 14% included other ransomware families and data exfiltration without encryption.
Akira has been one of the most active ransomware groups targeting VPN infrastructure throughout 2025 and 2026. Their operational pattern consistently targets perimeter VPN appliances — particularly devices from vendors with known authentication bypass vulnerabilities — as the initial access vector, followed by credential harvesting, lateral movement across Active Directory, and bulk data exfiltration before encryption.
The combination of a patch-that-isn’t-fully-effective, an EoL device category with no further patching, and an active ransomware group with demonstrated operational capability on this target makes Gen6 SonicWall environments a high-priority remediation target.
Immediate Actions Required
For organisations running Gen6 SonicWall SSL-VPN:
- Audit configuration against the supplementary bulletin: Obtain SonicWall’s MFA Enforcement and Session Hardening configuration guide (available through SonicWall support) and verify that all six configuration steps have been applied alongside the firmware update.
- Restrict SSL-VPN access scope: If configuration hardening has not been applied, restrict VPN access to source IP addresses known to be associated with legitimate users (home IP addresses, corporate mobile IPs) while hardening is completed.
- Accelerate Gen7 migration: Gen6 devices have no future security update path. The risk of continued operation on EoL infrastructure without patch recourse is no longer a theoretical concern — it is a live, actively exploited situation. Migration to Gen7 or an alternative SSL-VPN platform should be treated as an urgent security project.
- Conduct an intrusion review: Any Gen6 SonicWall environment that has been internet-facing since the disclosure of CVE-2024-12802 should undergo active threat hunting for indicators of Akira pre-encryption activity: unusual domain controller access, Group Policy modification, shadow copy deletion, and large volume outbound data transfers.
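As an added example (not from ReliaQuest, SonicWall or the article), the Python triage below runs over constructed Windows-style event records, flags the four Akira pre-encryption indicators listed above, and escalates any account tied to more than one indicator type; the hostnames, account names, record shapes and the 1 GB outbound threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not real telemetry): simplified Windows Security /
# directory-service / flow events, normalised to flat dicts.
EVENTS = [
    {"host": "WS01", "event_id": 4688, "user": "jdoe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "DC01", "event_id": 5136, "user": "jdoe", "object_class": "groupPolicyContainer"},
    {"host": "WS02", "event_id": 4688, "user": "svc_backup", "cmdline": "wmic shadowcopy delete"},
    {"host": "FW01", "event_id": "flow", "user": "jdoe", "dst": "203.0.113.10", "bytes_out": 12_000_000_000},
    {"host": "DC01", "event_id": 4624, "user": "jdoe", "logon_type": 3},
    {"host": "WS03", "event_id": 4688, "user": "alice", "cmdline": "notepad.exe report.txt"},
]

# Shadow copy deletion via the two common built-in utilities (assumed patterns).
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)
DC_HOSTS = {"DC01"}                 # assumed: domain controllers in this estate
DC_ADMIN_ACCOUNTS = {"svc_admin"}   # assumed: accounts expected to log on to DCs
EXFIL_THRESHOLD = 1_000_000_000     # assumed: 1 GB per (user, destination) is "large volume"


def hunt(events):
    """Return (indicator, where, user) tuples for each of the four indicator classes."""
    findings = []
    outbound = defaultdict(int)
    for e in events:
        if e["event_id"] == 4688 and SHADOW_DELETE.search(e.get("cmdline", "")):
            findings.append(("shadow_copy_deletion", e["host"], e["user"]))
        elif e["event_id"] == 5136 and e.get("object_class") == "groupPolicyContainer":
            findings.append(("gpo_modification", e["host"], e["user"]))
        elif e["event_id"] == 4624 and e["host"] in DC_HOSTS and e["user"] not in DC_ADMIN_ACCOUNTS:
            findings.append(("unusual_dc_logon", e["host"], e["user"]))
        elif e["event_id"] == "flow":
            # Sum per user and destination so many medium flows still add up.
            outbound[(e["user"], e["dst"])] += e["bytes_out"]
    for (user, dst), total in outbound.items():
        if total >= EXFIL_THRESHOLD:
            findings.append(("bulk_outbound_transfer", dst, user))
    return findings


def escalate(findings):
    """Accounts seen with two or more distinct indicator types: review first."""
    by_user = defaultdict(set)
    for indicator, _where, user in findings:
        by_user[user].add(indicator)
    return {u for u, kinds in by_user.items() if len(kinds) >= 2}


if __name__ == "__main__":
    hits = hunt(EVENTS)
    for h in hits:
        print(h)
    print("escalate:", escalate(hits))
```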