SonicWall Patches Critical Vulnerability in SMA 100 Devices Exploited by Overstep Malware
TL;DR
A critical vulnerability in SonicWall SMA 100 devices, tracked as CVE-2025-40599, has been patched. This flaw was exploited by the Overstep malware, linked to threat actor UNC6148. Users are urged to update their devices and check for Indicators of Compromise (IoCs).
SonicWall Patches Critical Vulnerability in SMA 100 Devices
SonicWall has addressed a critical vulnerability, identified as CVE-2025-40599 with a CVSS score of 9.1, in its SMA 100 appliances. This issue is an authenticated arbitrary file upload vulnerability in the web management interface of affected devices. The flaw allows remote attackers with administrative privileges to upload arbitrary files, potentially leading to remote code execution.
Vulnerability Overview
The vulnerability affects SMA 100 series products, including SMA 210, 410, and 500v. SonicWall strongly recommends upgrading to the specified fixed release version (10.2.2.1-90sv or higher) to mitigate this risk. The flaw impacts versions 10.2.1.15-81sv and earlier.
An authenticated arbitrary file upload vulnerability exists in the SMA 100 series web management interface. A remote attacker with administrative privileges can exploit this flaw to upload arbitrary files to the system, potentially leading to remote code execution.
Overstep Malware and UNC6148 Threat Actor
Recent warnings from Google’s Threat Intelligence Group (GTIG) highlight that a threat actor, tracked as UNC6148, has been deploying the Overstep malware on SonicWall SMA appliances. This group, active since at least October 2024, utilizes a backdoor and user-mode rootkit to enable data theft, extortion, or ransomware attacks. The malware’s sophisticated design suggests financial motives, though this has not been definitively confirmed.
UNC6148 is believed to use stolen credentials and one-time password (OTP) seeds from previous intrusions to regain access to devices. The initial infection vector is likely through known vulnerabilities, making it crucial for organizations to apply security updates and monitor for IoCs.
Persistent Threat and Data Leaks
In June 2025, a victim appeared on the “World Leaks” data leak site, with UNC6148’s activities overlapping with earlier SonicWall exploits tied to Abyss/VSOCIETY ransomware. The threat group established a VPN session using stolen admin credentials and deployed the OVERSTEP rootkit, achieving persistence by modifying system boot scripts and clearing logs.
Technical Details of Overstep Malware
Overstep is a sophisticated backdoor and user-mode rootkit targeting SonicWall SMA 100 series appliances. Written in C, it achieves persistence by placing itself in the /etc/ld.so.preload file, ensuring the malicious library is injected into every newly launched process. The rootkit’s capabilities include:
- Hijacking standard library functions such as open, open64, readdir, readdir64, and write.
- Concealing its presence by blocking access to specific files and hiding associated processes.
- Inspecting web server log data for embedded commands, delivered through seemingly normal web requests.
- Executing commands such as dobackshell to launch a reverse shell and dopasswords to create a tar archive of sensitive system files.
The malware’s persistence is reinforced by locking the /etc/ld.so.preload file with the FS_IMMUTABLE_FL flag, making it nearly impossible to modify or delete.
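The persistence mechanism described above suggests a simple host check: inspect /etc/ld.so.preload, list every library it names, flag entries outside the normal library directories or that do not exist, and read the FS_IMMUTABLE_FL bit with the FS_IOC_GETFLAGS ioctl. The script below is an added illustration written for this article, not SonicWall or GTIG code; it assumes a 64-bit Linux ioctl number and should be run from a trusted environment (for example against a mounted disk image), since a preload rootkit that hooks open and readdir can hide the file from tools running on the infected host.

```python
"""Audit an ld.so.preload file for rootkit-style persistence (defender check)."""
import array
import fcntl
import os

# FS_IOC_GETFLAGS = _IOR('f', 1, long) on 64-bit Linux (assumption: x86_64/aarch64 ABI).
FS_IOC_GETFLAGS = 0x80086601
FS_IMMUTABLE_FL = 0x00000010  # the chattr +i bit the article says Overstep sets

# Directories a legitimately preloaded library would normally live under.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")


def parse_preload(text):
    """Return the library paths in an ld.so.preload file.
    glibc separates entries with whitespace or ':' and ignores '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.replace(":", " ").split())
    return entries


def immutable_flag(path):
    """True/False if FS_IMMUTABLE_FL could be read, None if the ioctl is unavailable."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError:
        return None
    try:
        buf = array.array("l", [0])
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf, True)
        return bool(buf[0] & FS_IMMUTABLE_FL)
    except OSError:
        return None
    finally:
        os.close(fd)


def audit_preload(path="/etc/ld.so.preload"):
    """Summarise the preload file: presence, entries, suspicious entries, immutable bit."""
    if not os.path.exists(path):
        return {"present": False, "entries": [], "suspicious": [], "immutable": None}
    with open(path) as f:
        entries = parse_preload(f.read())
    suspicious = [e for e in entries
                  if not any(e.startswith(d + "/") for d in TRUSTED_LIB_DIRS)
                  or not os.path.isfile(e)]
    return {"present": True, "entries": entries,
            "suspicious": suspicious, "immutable": immutable_flag(path)}


if __name__ == "__main__":
    print(audit_preload())
```

An absent file is the expected state on most systems; a present file whose entries point outside the trusted directories, or that carries the immutable bit, warrants a closer look.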
Mitigation and Recommendations
SonicWall’s updated advisory for CVE-2024-38475 recommends OTP seed rotation and vigilant monitoring for IoCs. Organizations are urged to apply the necessary updates and remain alert to potential threats.
Conclusion
The critical vulnerability in SonicWall SMA 100 devices underscores the importance of timely updates and vigilant monitoring. As threat actors continue to evolve their tactics, staying informed and proactive is crucial for maintaining cybersecurity.
References
For more details, visit the full article: source