Attackers are bypassing MFA on SonicWall VPNs because something was wrong with the previous fix
Attackers bypassed MFA on patched SonicWall Gen6 VPNs because admins missed extra manual steps required to fully fix the flaw.

There is a particular kind of security failure that is harder to catch than an unpatched system: a patched system where the patch did not actually work because nobody followed all the steps. That is what is happening right now with SonicWall Gen6 SSL-VPN appliances and CVE-2024-12802, and it has already led to ransomware-related intrusions across multiple organizations.
Between February and March 2026, ReliaQuest researchers observed what they assess to be the first in-the-wild exploitation of CVE-2024-12802 across multiple environments. The flaw is an authentication bypass in SonicWall VPNs that can reduce security to single-factor access. Although firmware updates exist for Gen6 devices, full remediation requires six additional manual steps, which are often missed in standard patching workflows, leaving systems exposed despite appearing fixed. Attackers then brute-forced VPN accounts, bypassed MFA, and rapidly moved inside networks, sometimes reaching file servers in under 30 minutes.
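A detection-side sketch of the chain described above (brute-forced VPN account, login completing without MFA, file server reached within 30 minutes). This is an added example, not code from ReliaQuest or SonicWall. The event schema, field names, hosts, addresses and thresholds are constructed assumptions, and it assumes every VPN account is expected to complete MFA.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                     # assumed tuning value
FAIL_WINDOW = timedelta(minutes=10)    # assumed tuning value
PIVOT_WINDOW = timedelta(minutes=30)   # from the article: file servers reached in under 30 minutes

def ev(ts, kind, user, **extra):
    """Build one normalized event (constructed schema, not SonicWall's log format)."""
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "user": user, **extra}

# Constructed sample data: jsmith is brute-forced and logs in without MFA; adavis is a normal user.
EVENTS = [ev(f"2026-03-02T01:00:{s:02d}", "vpn_fail", "jsmith", src="203.0.113.7")
          for s in range(0, 50, 8)] + [
    ev("2026-03-02T01:01:10", "vpn_success", "jsmith", src="203.0.113.7", mfa=False),
    ev("2026-03-02T01:19:40", "smb_access", "jsmith", host="fileserver01"),
    ev("2026-03-02T09:00:00", "vpn_fail", "adavis", src="198.51.100.20"),
    ev("2026-03-02T09:00:30", "vpn_success", "adavis", src="198.51.100.20", mfa=True),
    ev("2026-03-02T09:05:00", "smb_access", "adavis", host="fileserver01"),
]

def detect(events):
    """Flag VPN logins that completed without MFA; escalate on prior brute force and fast pivot."""
    findings, fails, open_finding = [], defaultdict(list), {}
    for e in sorted(events, key=lambda e: e["ts"]):
        user = e["user"]
        if e["kind"] == "vpn_fail":
            fails[user].append(e["ts"])
        elif e["kind"] == "vpn_success":
            recent = [t for t in fails[user] if e["ts"] - t <= FAIL_WINDOW]
            fails[user].clear()
            open_finding.pop(user, None)          # a new login starts a new session
            if not e.get("mfa"):                  # single-factor login where MFA is expected
                brute = len(recent) >= FAIL_THRESHOLD
                f = {"user": user, "src": e["src"], "login": e["ts"], "failures": len(recent),
                     "pivot_host": None, "severity": "high" if brute else "medium"}
                findings.append(f)
                open_finding[user] = f
        elif e["kind"] == "smb_access" and user in open_finding:
            f = open_finding[user]
            if f["severity"] == "high" and e["ts"] - f["login"] <= PIVOT_WINDOW:
                f["pivot_host"], f["severity"] = e["host"], "critical"
    return findings

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["severity"], f["user"], f["src"], f["failures"], f["pivot_host"])
```

On a device that reports as patched, any "medium" hit (a VPN session with no MFA step recorded) is worth checking against whether the manual remediation steps were completed.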
