Attackers Exploit Incomplete Patching
Threat actors have been observed bypassing multi-factor authentication (MFA) on SonicWall Gen6 SSL VPN appliances even after organizations installed the latest firmware updates. Cybersecurity firm ReliaQuest responded to multiple intrusions between February and March in which attackers brute-forced VPN credentials and then logged in without triggering MFA. In one incident, the attacker gained access to the internal network and reached a domain-joined file server within 30 minutes, later attempting to deploy Cobalt Strike and a vulnerable driver to disable endpoint protection.
The Patching Gap and Remediation Steps
The underlying weakness is that Gen6 devices do not enforce MFA for logins that use the userPrincipalName (UPN) format. SonicWall warned that updating the firmware alone does not fully remove the risk. Admins must manually delete any existing LDAP configuration that uses userPrincipalName, remove cached LDAP users, reconfigure the SSL VPN domain, reboot the firewall, and then recreate the LDAP setup without userPrincipalName. On Gen7 and Gen8 devices, a firmware update alone suffices. ReliaQuest noted that the rogue logins still appeared as normal MFA flows in the logs, which makes detection difficult. Key indicators include the sess=CLI signal, event IDs 238 and 1080, and VPN logins from suspicious infrastructure. Since Gen6 appliances reached end of life in April, migration to supported models is strongly advised.
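As an added example of turning those indicators into a log check (this is not code from ReliaQuest, SonicWall or BleepingComputer), the script below scans SSL VPN log lines for the sess=CLI marker, event IDs 238 and 1080, UPN-format usernames, and logins from outside an expected address range. The key=value line layout, the field names (m, sess, usr, src, msg), the sample lines and the 203.0.113.0/24 allowlist are all assumptions constructed for the example; verify the field names against your own appliance's syslog output before relying on it.

```python
"""Triage SSL VPN log lines for the MFA-bypass indicators named in the article.

Added example, not vendor or ReliaQuest code. The key=value layout and the
field names (m, sess, usr, src, msg) are assumptions modelled on SonicWall-style
syslog; the sample lines and the address allowlist are constructed.
"""
import ipaddress
import re

# Event IDs the article names as indicators of the rogue logins.
SUSPECT_EVENT_IDS = {"238", "1080"}

# Hypothetical allowlist of ranges your users normally connect from.
EXPECTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# Matches key=value pairs; values may be double-quoted (quotes are stripped).
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample lines (not real appliance output).
SAMPLE_LOG = [
    # Benign: browser session, non-suspect event ID, expected source range.
    'id=sonicwall m=1000 sess="Web" usr="alice" src=203.0.113.10 msg="login"',
    # Suspect: UPN-format user, sess=CLI, event 238, unexpected source.
    'id=sonicwall m=238 sess="CLI" usr="bob@corp.example" src=198.51.100.77 msg="login"',
    # Suspect: event 1080 from an unexpected source.
    'id=sonicwall m=1080 sess="Web" usr="carol" src=192.0.2.5 msg="login"',
]


def parse_line(line: str) -> dict:
    """Split a key=value syslog line into a dict, dropping surrounding quotes."""
    event = {}
    for match in _KV.finditer(line):
        key, raw, quoted = match.groups()
        event[key] = quoted if quoted is not None else raw
    return event


def triage(event: dict) -> list:
    """Return the indicator names that fire for one parsed event (empty if none)."""
    hits = []
    if event.get("sess") == "CLI":
        hits.append("sess=CLI")
    if event.get("m") in SUSPECT_EVENT_IDS:
        hits.append(f"event_id={event['m']}")
    # The bypass concerns the UPN login format, so a user@domain name is itself
    # worth a look on a Gen6 appliance.
    if "@" in event.get("usr", ""):
        hits.append("upn_user")
    # Assumes src is "IP" or "IP:port"; take the address part only.
    src = event.get("src", "").split(":")[0]
    try:
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in EXPECTED_SOURCES):
            hits.append(f"unexpected_src={src}")
    except ValueError:
        pass  # missing or malformed src: leave it to the other indicators
    return hits


def scan(lines) -> list:
    """Return (user, src, hits) for every line where at least one indicator fires."""
    findings = []
    for line in lines:
        event = parse_line(line)
        hits = triage(event)
        if hits:
            findings.append((event.get("usr", "?"), event.get("src", "?"), hits))
    return findings


if __name__ == "__main__":
    for user, src, hits in scan(SAMPLE_LOG):
        print(f"{user:<20} {src:<16} {', '.join(hits)}")
```

A single indicator is not conclusive on its own (a legitimate user may travel, and event IDs fire for normal logins too), so in practice you would score the combination, which is why triage returns every indicator that fired rather than a yes/no verdict.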
Source: BleepingComputer
