MFA Bypass in SonicWall SSL-VPN Active Directory Authentication

Successful exploitation reduces SSL-VPN access protection from multi-factor authentication to single-factor authentication. An attacker who has obtained valid VPN credentials can gain authenticated remote access to the internal network despite MFA being expected or apparently enabled. Observed post-authentication activity included internal reconnaissance, credential reuse attempts, RDP access to internal systems, and attempted deployment of post-exploitation tooling such as Cobalt Strike and a vulnerable driver intended to disable endpoint protection. This can enable broader compromise, lateral movement, staging for ransomware, and potential data theft or disruptive operations.

Until full remediation is verified, restrict or disable affected SSL-VPN exposure where operationally possible, especially on Gen6 devices. Verify that MFA enforcement is consistent across all Active Directory login formats and remove or disable alternate authentication formats that are not required, particularly UPN-based login if it is not needed. Monitor SonicWall authentication logs for indicators associated with exploitation, including sess="CLI" and relevant VPN authentication events such as Event ID 238 and Event ID 1080, and investigate logins from VPS/VPN infrastructure or anomalous geographies. Reduce blast radius by limiting VPN user privileges, enforcing strong password controls and lockout protections against brute-force attempts, rotating reused/shared administrative credentials, and blocking known vulnerable drivers to hinder BYOVD follow-on activity. Migration away from Gen6 should be prioritized due to end-of-life status.

For SonicWall Gen6 appliances, do not rely on firmware patching alone. Apply the vendor firmware update and complete the six additional manual LDAP reconfiguration steps documented in SonicWall advisory SNWLID-2025-0001 to remove the vulnerable configuration state. The available reporting indicates full remediation requires deleting and rebuilding the affected LDAP configuration so the exploitable userPrincipalName-based path is no longer left in a bypassable state. For Gen7 and Gen8 devices, upgrade to vendor-fixed releases referenced in reporting, including 7.2.0-7015 and 8.0.1-8017, which incorporate the remediation steps and related security enhancements. Because Gen6 hardware is end-of-life, migration to a supported platform is the preferred long-term remediation.