SonicWall adds rootkit removal capabilities to the SMA 100 series

SonicWall has released new firmware for its Secure Mobile Access (SMA) 100 series appliances, adding file-checking capabilities that help users remove known rootkit malware.

The malware in question is the OVERSTEP user-mode rootkit, deployed by threat group UNC6148.

The campaign

In July 2025, Mandiant incident responders and Google Threat Intelligence Group (GTIG) threat analysts warned about a SonicWall SMA exploitation campaign perpetrated by UNC6148.

Attackers leveraged previously stolen local administrator credentials to establish an SSL VPN session on the appliances. From there, they spawned a reverse shell, enabling them to conduct reconnaissance, alter device settings, deploy the secrets-stealing OVERSTEP backdoor/rootkit, and manipulate/hide files on the system.

“Once the deployment of OVERSTEP was complete, the threat actor cleared the system logs and rebooted the firewall to trigger [its execution]. The changes [made] meant that whenever the appliance was rebooted, the OVERSTEP binary would be loaded into the running filesystem on the appliance,” the analysts explained.

They also noted that UNC6148 activity overlaps with SonicWall exploitation reported in late 2023 and early 2024, incidents linked to the deployment of Abyss-branded ransomware.

Update or upgrade to newer devices

One of the campaign’s most concerning aspects is that the attackers were able to establish a reverse shell on targeted appliances — something that should not have been possible.

While neither Mandiant nor SonicWall’s PSIRT could determine exactly how this was achieved, they speculated it involved an unknown vulnerability.

The method used for spawning the reverse shell remains a mystery, but in a later advisory, SonicWall confirmed that the attackers exploited CVE-2024-38475 to hijack an existing local administrator SSL VPN session.

SonicWall advised targeted organizations to:

  • Upgrade or replace/rebuild affected devices to ensure the rootkit has been removed
  • Rotate all account credentials (admin, local, directory users), replace any certificates with private keys stored on the appliance, and make users re-bind their mobile authenticator apps on next login
  • Apply a number of hardening measures

With the new firmware, organizations can now directly remove the rootkit. (Google has listed the malicious files.)

“SonicWall strongly recommends that users of SMA 100 series products (SMA 210, 410, and 500v) upgrade to version 10.2.2.2-92sv,” the company said, while also stressing the need to implement the security measures delineated above.

The latest firmware also addresses CVE-2024-38475 and CVE-2025-40599, an authenticated file upload vulnerability that does not appear to have been actively exploited by these or other attackers.

SonicWall SMA 100 series appliances have reached end-of-sale status and the company has decided to accelerate the end-of-support date from October 1, 2027, to December 31, 2025. Organizations using them have been advised to switch to using SMA 1000 series appliances.
