CVE-2024-12802 SonicWall Gen6 SSL-VPN MFA Bypass Actively Exploited by Ransomware-Linked IAB — Firmware Patch Alone Insufficient Due to Six Missed LDAP Reconfiguration Steps
ReliaQuest confirmed the first known in-the-wild exploitation of CVE-2024-12802 across multiple environments between February and March 2026. Attackers brute-forced VPN credentials in as few as 13 attempts and silently bypassed MFA without generating failed-login alerts, because the flaw stems from the appliance handling UPN-format and SAM-format Active Directory logins separately. In at least one intrusion, threat actors reached a file server and deployed pre-ransomware staging tools (consistent with Akira) within 30 minutes of VPN access. The critical detection gap: the firmware patch exists, but it requires six manual LDAP reconfiguration steps that standard patch-management workflows do not verify, so devices appear fully remediated while remaining exploitable. Gen6 appliances reached end-of-life on April 16, 2026 and will receive no further patches; defenders should add `sess='CLI'` to SonicWall log monitoring and audit Event IDs 238 and 1080 as immediate threat-hunting priorities.
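The hunting guidance above (`sess='CLI'` plus Event IDs 238 and 1080) turned into a small log-scanning example. This is added illustration, not code from ReliaQuest, SonicWall or the brief's author; the key=value syslog layout, the sample lines, the addresses and user names, and the use of the reported 13 attempts as a per-source burst threshold are all assumptions.

```python
"""Hunt SonicWall syslog for the two signals the brief names: Event IDs 238 and 1080 and
sessions tagged sess='CLI'. The key=value layout (m=, sess=, src=, usr=) is an assumed
SonicWall syslog shape; every sample line here is constructed, not captured from an incident."""
import re
from collections import Counter

HUNT_EVENT_IDS = {"238", "1080"}   # audit priorities named in the brief
LOGIN_BURST = 13                   # attempt count reported in the brief; using it as a threshold is our assumption

# key=value, key="quoted value" or key='quoted value' tokens
_KV = re.compile(r'''(\w+)=(?:"([^"]*)"|'([^']*)'|(\S+))''')

def parse_kv(line):
    """Turn one key=value syslog line into a dict, quotes stripped."""
    return {m.group(1): next(g for g in m.groups()[1:] if g is not None)
            for m in _KV.finditer(line)}

def hunt(lines, burst=LOGIN_BURST):
    """Return (hits, bursts). hits: events with a hunted ID and/or a CLI session;
    bursts: sources that produced at least `burst` such events (no failed-login
    record is needed, since the brief says the bypass leaves none)."""
    hits, per_src = [], Counter()
    for line in lines:
        ev = parse_kv(line)
        reasons = []
        if ev.get("m") in HUNT_EVENT_IDS:
            reasons.append("event_id_" + ev["m"])
        if ev.get("sess", "").upper() == "CLI":
            reasons.append("cli_session")
        if reasons:
            src = ev.get("src", "unknown")
            per_src[src] += 1
            hits.append({"src": src, "usr": ev.get("usr"), "m": ev.get("m"), "reasons": reasons})
    return hits, {src: n for src, n in per_src.items() if n >= burst}

def _line(sec, m, sess, src="198.51.100.7", usr="corp\\svc_backup"):
    """Constructed SonicWall-style line (layout assumed, addresses from documentation ranges)."""
    sess_kv = f' sess="{sess}"' if sess else ""
    return (f'id=firewall sn=0000000000 time="2026-03-01 02:14:{sec:02d}" fw=203.0.113.10 '
            f'pri=6 c=16 m={m} msg="sample event"{sess_kv} src={src} usr="{usr}"')

# 13 rapid hunted events from one source, the last over a CLI session, then one 1080 and noise.
SAMPLE = [_line(s, 238, "CLI" if s == 12 else "sslvpn") for s in range(13)]
SAMPLE.append(_line(30, 1080, "sslvpn"))
SAMPLE.append(_line(33, 537, None, src="192.0.2.44", usr="jdoe"))

if __name__ == "__main__":
    hits, bursts = hunt(SAMPLE)
    print(f"{len(hits)} hunted events; bursty sources: {bursts}")
```

Tune `LOGIN_BURST` to your own baseline; the point is that volume per source, not a failure record, is the usable signal when the bypass produces no failed logins.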
This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the high severity rating as a guide to prioritization within their environment.
For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.