Patch Now: SonicWall Warns of Critical RCE Flaw in SMA 100 Devices

Summary
– SonicWall warns customers to patch SMA 100 series appliances against a critical vulnerability (CVE-2025-40599) allowing remote code execution via arbitrary file uploads.
– The flaw requires admin privileges and affects the SMA 210, 410, and 500v models, but not the SMA 1000 series or SSL-VPN on firewalls.
– A threat actor (UNC6148) is targeting SMA 100 devices with OVERSTEP rootkit malware and may deploy Abyss ransomware using stolen credentials.
– SonicWall advises users to check for compromises, limit remote access, reset passwords, enforce MFA, and enable WAF for protection.
– Earlier in 2025, SonicWall flagged other exploited SMA vulnerabilities (CVE-2025-32819, CVE-2021-20035) linked to remote code execution attacks.

SonicWall has issued an urgent warning for organizations using its SMA 100 series appliances, advising immediate patching to address a severe remote code execution vulnerability. The flaw, identified as CVE-2025-40599, stems from an insecure file upload mechanism in the web management interface, potentially allowing attackers with administrative access to upload malicious files and execute arbitrary code.
Affected models include the SMA 210, 410, and 500v, though the vulnerability does not impact the SMA 1000 series or SSL-VPN services running on SonicWall firewalls. While exploitation requires admin credentials, the company emphasizes the need for swift action, as threat actors have already been targeting these devices using stolen credentials.
Recent findings from Google’s Threat Intelligence Group (GTIG) reveal that a hacker group, UNC6148, has been deploying a sophisticated rootkit named OVERSTEP on compromised SMA 100 appliances. This malware enables data theft and may lead to ransomware deployment, including variants like Abyss (VSOCIETY). Investigations suggest the attackers initially gained access by exploiting older vulnerabilities, including CVE-2021-20038 and CVE-2024-38475, to steal credentials earlier this year.
SonicWall recommends administrators inspect their systems for signs of compromise by reviewing logs, connection histories, and unauthorized access attempts. If any suspicious activity is detected, immediate contact with SonicWall Support is advised. To bolster security, organizations should restrict remote management access, reset all passwords, and enforce multi-factor authentication (MFA). Additionally, enabling the Web Application Firewall (WAF) can help mitigate further risks.
This latest advisory follows earlier warnings about vulnerabilities in SonicWall’s Secure Mobile Access (SMA) appliances. In May, the company addressed three flaws (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) that could be chained for remote code execution. One of these had already been exploited in active attacks. Similarly, in April, another critical flaw (CVE-2021-20035) was confirmed as being weaponized in real-world intrusions since early 2025.
Given the persistent targeting of these devices, organizations must prioritize applying the latest patches and implementing robust security measures to prevent exploitation. Delaying updates could leave networks exposed to significant breaches, data theft, and ransomware attacks.
(Source: BLEEPING COMPUTER)