Hackers Bypass SonicWall VPN MFA Due to Incomplete Patching
Threat actors are brute-forcing credentials and bypassing multi-factor authentication on SonicWall Gen6 SSL-VPN appliances due to incomplete patching, deploying tools used in ransomware attacks.

Threat actors are actively exploiting SonicWall Gen6 SSL-VPN appliances by brute-forcing credentials and bypassing multi-factor authentication (MFA), leveraging incomplete patching to deploy tools commonly used in ransomware attacks. The campaign, which targets organizations across multiple sectors, underscores the persistent risk posed by unpatched or partially patched network edge devices. SonicWall has issued urgent advisories urging customers to apply the latest firmware updates to mitigate the threat.
The attack chain begins with credential brute-forcing against exposed SSL-VPN interfaces. Once valid credentials are obtained, the attackers exploit a weakness in the MFA implementation—likely a session token reuse or incomplete enforcement of MFA on certain authentication flows—to gain unauthorized access. This technique allows them to bypass the additional security layer that MFA is designed to provide, effectively neutralizing one of the most common defenses against credential theft.
After gaining access, the threat actors deploy tools associated with ransomware operations, including remote access trojans, credential stealers, and lateral movement utilities. While SonicWall has not attributed the campaign to a specific ransomware group, the toolset and tactics align with those used by several prominent ransomware-as-a-service operations. The appliances targeted are SonicWall Gen6 SSL-VPN devices, which are widely deployed in enterprise and government networks for remote access.
The incomplete patching issue stems from SonicWall's previous security advisories. The company has released firmware updates addressing the underlying vulnerabilities, but many organizations have not fully applied them, leaving their appliances exposed. SonicWall's latest advisory emphasizes that simply enabling MFA is insufficient if the underlying authentication bypass vulnerabilities are not patched. The company recommends that customers immediately update to the latest Gen6 firmware version and review their MFA configuration to ensure it is properly enforced.
This incident highlights a broader challenge in network security: the gap between patch availability and patch deployment. Even when vendors release fixes, organizations often delay implementation due to concerns about downtime, compatibility, or resource constraints. Attackers are increasingly exploiting this window of exposure, particularly for edge devices like VPNs that are directly accessible from the internet. The SonicWall case is a stark reminder that MFA alone is not a silver bullet—it must be paired with a rigorous patch management program.
CISA has not yet added this specific SonicWall vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, but the agency routinely monitors such campaigns. Security researchers recommend that organizations using SonicWall Gen6 appliances audit their logs for signs of unauthorized access, enforce strict MFA policies, and segment VPN access to limit lateral movement. As ransomware groups continue to refine their techniques, the combination of credential theft and MFA bypass represents an evolving threat that demands proactive defense.
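The brute-force-then-login chain described in the attack summary and the log-audit recommendation above can be turned into a small detector. The following is an added example, not code from the article or from SonicWall; it assumes a constructed key=value log format (SonicWall's real syslog schema differs) and hypothetical window and threshold values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an assumed "time src= user= result= mfa=" format
# (not SonicWall's real syslog schema): one source sprays several accounts,
# then logs in without completing MFA; a second source logs in normally.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=fail mfa=skipped
2024-05-01T10:00:02Z src=203.0.113.5 user=bob result=fail mfa=skipped
2024-05-01T10:00:03Z src=203.0.113.5 user=carol result=fail mfa=skipped
2024-05-01T10:00:04Z src=203.0.113.5 user=dave result=fail mfa=skipped
2024-05-01T10:00:05Z src=203.0.113.5 user=erin result=fail mfa=skipped
2024-05-01T10:00:09Z src=203.0.113.5 user=erin result=success mfa=skipped
2024-05-01T10:05:00Z src=198.51.100.7 user=frank result=success mfa=ok
"""

def parse_line(line):
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def analyze(log_text, window=timedelta(minutes=5), threshold=5):
    """Return (kind, src, user) alerts in log order.

    brute_force         - threshold failures from one source inside window
    success_after_burst - a success from a source already flagged above
    mfa_not_enforced    - a success whose record shows MFA was not completed
    """
    recent_fails = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                     # sources already reported for brute force
    alerts = []
    for line in log_text.splitlines():
        r = parse_line(line)
        q = recent_fails[r["src"]]
        while q and r["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if r["result"] == "fail":
            q.append(r["ts"])
            if len(q) >= threshold and r["src"] not in flagged:
                flagged.add(r["src"])
                alerts.append(("brute_force", r["src"], r["user"]))
        elif r["result"] == "success":
            if r["src"] in flagged:
                alerts.append(("success_after_burst", r["src"], r["user"]))
            if r["mfa"] != "ok":
                alerts.append(("mfa_not_enforced", r["src"], r["user"]))
    return alerts
```

A success from a source that was just flagged for a failure burst, or any success that never completed the MFA step, is the signal worth escalating; a burst alone may be ordinary password spraying that the lockout policy absorbed.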