SonicWall SMA 100 Series Now Fights Rootkits

▼ Summary
– SonicWall has released new firmware for its SMA 100 series appliances that adds the capability to remove the OVERSTEP rootkit malware.
– The malware was deployed by threat group UNC6148, which logged in over SSL VPN with previously stolen local administrator credentials and exploited a vulnerability (CVE-2024-38475) to hijack an active administrator session.
– Attackers used this access to deploy the OVERSTEP rootkit, which would load upon reboot, and then cleared system logs to hide their activity.
– SonicWall strongly recommends users upgrade to the new firmware, which also patches two vulnerabilities, and implement additional security measures like credential rotation.
– The company has accelerated the end-of-support date for SMA 100 series appliances to October 31, 2025, advising customers to switch to newer 1000 series models.
SonicWall has released a firmware update for its SMA 100 series appliances that adds a new capability to scan for and remove a specific rootkit. The enhancement is a direct response to a targeted malware campaign and gives affected organizations a built-in remediation tool. The same update patches two vulnerabilities in these widely deployed remote access devices.
The threat stems from a user-mode rootkit known as OVERSTEP, which is deployed by a threat group identified as UNC6148. Security researchers from Mandiant and the Google Threat Intelligence Group first raised the alarm about this campaign in July 2025. The attackers used a multi-stage process, beginning with previously stolen local administrator credentials to gain access via an SSL VPN session. Once inside, they established a reverse shell on the appliance, a feat that should not have been possible under normal circumstances.
This unauthorized access provided a powerful foothold. The threat actors performed reconnaissance, altered device configurations, and installed the OVERSTEP backdoor. A particularly stealthy aspect of the attack involved manipulating the system to ensure the rootkit would automatically reload into the filesystem after every device reboot. To cover their tracks, the attackers wiped system logs following the deployment.
Investigators noted that UNC6148’s methods show similarities with earlier SonicWall exploitation incidents linked to Abyss ransomware. While the initial method used to obtain the reverse shell remains undetermined, SonicWall later confirmed the exploitation of a specific vulnerability, CVE-2024-38475 (a flaw in Apache HTTP Server’s mod_rewrite), to hijack an active administrator session.
In response, SonicWall issued comprehensive guidance for organizations. The recommendations go beyond a simple software update. Affected organizations are strongly advised to upgrade, replace, or completely rebuild compromised appliances to guarantee the rootkit’s removal. Furthermore, a complete credential reset is essential, including administrator accounts, local users, and directory service logins. Any certificates with private keys stored on the appliance must be replaced, and users will need to re-bind their mobile authenticator applications upon their next login.
The newly released firmware, version 10.2.2.2-92sv for the SMA 210, 410, and 500v models, is the centerpiece of the response. It introduces a file-checking feature that removes the known malicious files, and it also addresses CVE-2024-38475 and a second flaw, CVE-2025-40599, an authenticated arbitrary file upload vulnerability. Note that the SMA 100 series has already reached its end-of-sale date. SonicWall has moved its end-of-support date forward to October 31, 2025, and is urging customers to transition to the SMA 1000 series appliances for continued protection and support.
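A practical follow-up to the firmware announcement is an inventory check: which appliances already run 10.2.2.2-92sv or later, and which still need to be upgraded or rebuilt. The script below is an added example and is not SonicWall’s own tooling; it assumes that SMA 100 firmware strings follow the pattern shown in the article (a dotted numeric release followed by `-<build>sv`, e.g. `10.2.2.2-92sv`), that only the SMA 210, 410 and 500v are covered by this release, and that the inventory entries are constructed for illustration.

```python
"""Added example (not SonicWall's code): flag SMA 100 series appliances that
run firmware older than 10.2.2.2-92sv, the release that removes OVERSTEP and
patches CVE-2024-38475 and CVE-2025-40599.

Assumption: version strings look like "10.2.2.2-92sv" (dotted release, then
"-<build>sv"). The inventory at the bottom is constructed, not real data.
"""
import re
from typing import Dict, List, Tuple

PATCHED = "10.2.2.2-92sv"
# Models the article lists as receiving this firmware (assumption: no others).
SUPPORTED_MODELS = {"SMA 210", "SMA 410", "SMA 500v"}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)sv$")


def parse_version(s: str) -> Tuple[Tuple[int, ...], int]:
    """Split '10.2.2.2-92sv' into ((10, 2, 2, 2), 92). Raises on other shapes."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {s!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    return release, int(m.group(2))


def is_patched(version: str, baseline: str = PATCHED) -> bool:
    """True if `version` is at or above `baseline` (release first, then build)."""
    rel, build = parse_version(version)
    brel, bbuild = parse_version(baseline)
    # Pad shorter release tuples with zeros so 10.2.2 compares as 10.2.2.0.
    width = max(len(rel), len(brel))
    rel += (0,) * (width - len(rel))
    brel += (0,) * (width - len(brel))
    return (rel, build) >= (brel, bbuild)


def audit(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each host to the action a responder should take."""
    findings: Dict[str, str] = {}
    for host, model, version in inventory:
        if model not in SUPPORTED_MODELS:
            findings[host] = "model not listed for 10.2.2.2-92sv; check SonicWall advisory"
            continue
        try:
            patched = is_patched(version)
        except ValueError:
            findings[host] = "unparseable version string; verify on the appliance"
            continue
        if patched:
            findings[host] = ("patched; still rotate credentials, replace certificates "
                              "and re-bind authenticators if compromise is suspected")
        else:
            findings[host] = (f"UPGRADE to {PATCHED} or rebuild; treat as potentially "
                              "compromised and reset all credentials")
    return findings


# Constructed inventory for illustration (hostnames, models and versions are made up).
INVENTORY = [
    ("vpn-edge-1", "SMA 410", "10.2.1.14-75sv"),
    ("vpn-edge-2", "SMA 500v", "10.2.2.2-92sv"),
    ("vpn-edge-3", "SMA 210", "unknown"),
    ("vpn-lab", "SMA 400", "10.2.2.2-92sv"),
]

if __name__ == "__main__":
    for host, action in audit(INVENTORY).items():
        print(f"{host}: {action}")
```

The comparison treats the build number as secondary to the dotted release, so a later build of an older release (for example a hypothetical `10.2.1.15-80sv`) is still reported as unpatched. Hosts whose model is not in the article’s list are deliberately not marked safe.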
(Source: HelpNet Security)