
SonicWall SSL VPN Flaw Still Exploited — Even on 'Patched' Firewalls That Weren't Fully Reconfigured

York Computer

Threat researchers this week flagged ongoing in-the-wild exploitation of a SonicWall SSL VPN vulnerability (CVE-2024-12802) — and the unsettling part for small businesses is that simply installing the patch isn't enough. Devices that were updated months ago can still be wide open if an administrator didn't go back and manually reconfigure them. SonicWall firewalls are everywhere in York County small offices, which makes this a 'check your work' moment for anyone who assumed this one was already handled.

What researchers said this week

In a threat research recap published May 25, analysts noted that SonicWall SSL VPN exploitation of CVE-2024-12802 showed patched devices can remain exposed without manual reconfiguration. In plain English: the vendor pushed out a fix, but the fix doesn't fully close the door on its own. An administrator has to log in, check specific settings, and finish the job. If that step was skipped — and on a lot of SMB firewalls, it was — the device looks patched on paper but is still exploitable in practice.

The same weekly recap noted that attackers are continuing to lean hard on remote-access infrastructure. Researchers also flagged ongoing supply-chain and developer-ecosystem attacks, AI- and SEO-lure campaigns impersonating Gemini CLI and Claude Code, and newly disclosed Windows zero-days YellowKey and GreenPlasma — but for small businesses with a SonicWall sitting in the network closet, the VPN issue is the one that matters today.

Why this matters for a small business

SonicWall TZ-series and NSa-series firewalls are among the most common perimeter devices in small offices, accounting firms, medical practices, and manufacturers across south-central Pennsylvania. The SSL VPN feature is what lets staff connect from home or the road. That same feature has been a favorite target of ransomware crews for the last two years because a single working SSL VPN exploit gets the attacker straight inside the network — past the firewall, past the antivirus, and onto a machine that usually has access to file shares and accounting systems.

The specific danger with CVE-2024-12802 is the false sense of security. A managed-IT provider that ran the firmware update and moved on is not actually done. Without the post-patch reconfiguration step, the firewall continues to advertise the vulnerable behavior to anyone on the internet who scans for it — and attackers absolutely are scanning.

What your managed-IT provider should be doing this week

Five things should be happening on every SonicWall in your environment right now:

1. Confirm the current firmware version against SonicWall's latest advisory — not just "is it newer than last quarter," but specifically the build that addresses CVE-2024-12802.
2. Open the SSL VPN configuration and apply the post-patch hardening steps SonicWall published with the fix. This is the step most often skipped.
3. Force a password reset on every SSL VPN user account, and require MFA. If an attacker already harvested credentials before the patch, the firmware update doesn't kick them out.
4. Pull the VPN connection logs for the last 60 days and look for logins from countries or IP ranges your business doesn't operate in.
5. Disable SSL VPN entirely on any firewall where remote access isn't actually being used — exposed services you don't need are exposed services that can be exploited.
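
For the log review in step 4, a minimal sketch of the check is shown here. It is an added example, not York Computer's or SonicWall's tooling, and it assumes the VPN log has been exported to CSV with the hypothetical columns `time`, `user`, `src_ip` and `result`, and that the business can list the IP ranges it expects staff to connect from.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumption: ranges the business expects remote staff to connect from
# (documentation-reserved example networks, not real addresses).
EXPECTED_RANGES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/25")]

# Constructed sample export; column names are hypothetical, not SonicWall's format.
SAMPLE_LOG = """time,user,src_ip,result
2025-05-20T08:02:11+00:00,jsmith,198.51.100.23,success
2025-05-21T03:14:52+00:00,jsmith,192.0.2.77,success
2025-05-21T03:15:40+00:00,jsmith,192.0.2.77,success
2025-05-22T09:30:00+00:00,mlee,203.0.113.200,success
2025-05-22T09:31:00+00:00,mlee,203.0.113.10,failure
2025-02-01T10:00:00+00:00,oldacct,192.0.2.5,success
2025-05-23T11:00:00+00:00,mlee,not-an-ip,success
"""

def unexpected_logins(log_text, now, days=60, expected=EXPECTED_RANGES):
    """Return {(user, src_ip): [count, first_seen, last_seen]} for successful
    logins inside the window whose source is outside every expected range."""
    cutoff = now - timedelta(days=days)
    findings = defaultdict(lambda: [0, None, None])
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["time"])
        if when < cutoff or row["result"] != "success":
            continue
        try:
            src = ip_address(row["src_ip"])
        except ValueError:
            src = None  # unparseable source: keep it for review, don't drop it
        if src is not None and any(src in net for net in expected):
            continue
        entry = findings[(row["user"], row["src_ip"])]
        entry[0] += 1
        entry[1] = when if entry[1] is None else min(entry[1], when)
        entry[2] = when if entry[2] is None else max(entry[2], when)
    return dict(findings)

if __name__ == "__main__":
    now = datetime(2025, 5, 26, tzinfo=timezone.utc)
    for (user, ip), (n, first, last) in sorted(unexpected_logins(SAMPLE_LOG, now).items()):
        print(f"{user:8} {ip:16} logins={n} first={first:%Y-%m-%d %H:%M} last={last:%Y-%m-%d %H:%M}")
```

Every account that shows up in the output is a candidate for the password reset and MFA enrollment in step 3, whether or not the login turns out to be legitimate travel.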

This kind of "patch, then verify, then audit" loop is exactly what a real managed IT provider does for a living, and it's why we built York Computer's managed IT services around continuous monitoring rather than one-and-done patching.

The bigger pattern: 'patched' doesn't always mean 'safe'

This is the second high-profile incident in recent months where a vendor patch alone didn't fully close the hole — administrators had to take a second manual action. That pattern is going to keep showing up. Vendors push the fix fast to limit liability; the configuration cleanup gets left to the customer; small businesses without a dedicated IT team never get to step two.

The takeaway isn't to panic about SonicWall specifically. It's to make sure someone owns the question, "Did we actually finish the patch?" for every piece of network equipment in your office — firewall, switch, wireless controller, backup appliance, and remote-access gateway.

What York Businesses Should Do

If your York County business runs a SonicWall firewall with SSL VPN turned on — common at local law offices, dental practices, and small manufacturers — ask your IT provider this week for written confirmation that CVE-2024-12802 is patched AND the post-patch reconfiguration steps have been completed. If you don't have a provider doing that check, York Computer can audit your firewall in an afternoon.
