SonicWall has released a patch for a critical vulnerability, CVE-2025-40599, affecting its Secure Mobile Access (SMA) 100 series appliances and is urging customers to apply the update as soon as possible. While there is no current evidence of active exploitation of this specific vulnerability in the wild, the company advises organizations using SMA 210, 410, or 500v appliances to investigate potential compromise from a recently disclosed campaign involving the sophisticated OVERSTEP backdoor. This caution is paramount given that the threat actor behind OVERSTEP has already demonstrated the ability to compromise even fully patched SMA devices by leveraging stolen credentials.
Vulnerability Details
CVE-2025-40599 is an authenticated arbitrary file upload vulnerability in the web management interface of the SMA 100 series. This critical flaw could enable a remote attacker who already holds administrative privileges to upload arbitrary files to the system, potentially leading to remote code execution (RCE). With a CVSS score of 9.1, the impact of successful exploitation is significant.
The vulnerability affects SMA 210, 410, and 500v appliances running firmware versions 10.2.1.15-81sv and earlier.
OVERSTEP Malware and UNC6148
Google’s Threat Intelligence Group (GTIG) has issued a warning regarding a persistent threat actor, tracked as UNC6148, which is actively targeting SonicWall SMA appliances with a new rootkit malware named OVERSTEP. This group is believed to be financially motivated, involved in data theft and extortion attacks, and may also deploy Abyss ransomware.
GTIG assesses with moderate confidence that UNC6148 leveraged a zero-day RCE vulnerability for initial access to deploy the OVERSTEP malware on SonicWall SMA appliances. It is important to note that while some devices were “fully patched” against previously known vulnerabilities, UNC6148 often regained access by leveraging credentials and one-time password (OTP) seeds stolen during prior intrusions. The campaign has been ongoing since at least October 2024, with evidence of credential exfiltration as early as January 2025.
The OVERSTEP malware is a sophisticated backdoor and user-mode rootkit written in C, specifically designed to target SonicWall SMA 100 series appliances. It achieves persistence by embedding itself in the /etc/ld.so.preload file and modifying the Initial RAM Disk (INITRD). It utilizes a hijacked write function to inspect web server log data for embedded commands, allowing covert communication. Furthermore, it conceals its presence by blocking access to specific files and hiding associated processes, making detection and forensic analysis challenging.
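The persistence mechanism described above leaves a concrete artifact: an entry in /etc/ld.so.preload. The following is an added example (not code from SonicWall, GTIG, or this article) that audits the content of that file from an offline copy of the appliance filesystem and reports any shared object not on an operator-supplied allowlist. The sample file content and the library path it lists are constructed for the demonstration; the assumption that a healthy appliance has an empty or absent ld.so.preload is the author's, not a statement from the advisory.

```python
"""Audit /etc/ld.so.preload for unexpected shared objects.

Added example, not SonicWall or GTIG tooling. OVERSTEP persists by adding
itself to /etc/ld.so.preload, so any unexpected entry there is a strong
lead for a responder. Run this against an OFFLINE copy of the filesystem
(a mounted disk image or exported root), because a user-mode rootkit that
hooks libc can hide the file from tools running on the live appliance.
"""
import hashlib
import os
import re

# Assumption (not from the advisory): on a healthy appliance the file is
# absent or empty, so every listed object is unexpected unless allowlisted.
DEFAULT_ALLOWLIST: frozenset = frozenset()

ELF_MAGIC = b"\x7fELF"


def parse_preload(text: str) -> list[str]:
    """Return the shared-object paths listed in ld.so.preload content.

    The dynamic loader reads the file as a whitespace-separated list of
    objects, so split on any run of whitespace and drop empty tokens.
    """
    return [tok for tok in re.split(r"\s+", text) if tok]


def load_preload(root: str = "/") -> str:
    """Read ld.so.preload from an (offline) root; absent file counts as empty."""
    path = os.path.join(root, "etc", "ld.so.preload")
    if not os.path.isfile(path):
        return ""
    with open(path, "r", errors="replace") as fh:
        return fh.read()


def audit_preload(text: str, allowlist=DEFAULT_ALLOWLIST) -> list[dict]:
    """Return one finding per listed object that is not allowlisted."""
    findings = []
    for path in parse_preload(text):
        if path in allowlist:
            continue
        findings.append({
            "path": path,
            "absolute": os.path.isabs(path),  # relative entries are odd too
        })
    return findings


def describe_object(path: str, root: str = "/") -> dict:
    """Collect facts about a preloaded object from the offline root.

    Reports whether it exists, whether it starts with the ELF magic, and
    its SHA-256 so the responder can compare against vendor-published
    IoCs (none are embedded here).
    """
    full = os.path.join(root, path.lstrip("/"))
    info = {"path": path, "exists": os.path.isfile(full),
            "is_elf": False, "sha256": None}
    if info["exists"]:
        with open(full, "rb") as fh:
            data = fh.read()
        info["is_elf"] = data.startswith(ELF_MAGIC)
        info["sha256"] = hashlib.sha256(data).hexdigest()
    return info


# Constructed samples for the demonstration; the library path is invented.
SAMPLE_CLEAN = "\n"
SAMPLE_TAMPERED = "/usr/lib/libexample-constructed.so\n"


if __name__ == "__main__":
    for label, content in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        findings = audit_preload(content)
        print(f"{label}: {len(findings)} unexpected entries")
        for finding in findings:
            print("  ", finding, describe_object(finding["path"], root="/nonexistent-root"))
```

To use it on evidence, mount the appliance image read-only and call `audit_preload(load_preload("/mnt/evidence"))`, then `describe_object(...)` with the same root for each finding; the hashes it returns are what you compare against the GTIG-published indicators.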
Tactics, Techniques, and Procedures (TTPs)
The threat actor UNC6148 has been observed deploying the OVERSTEP rootkit malware on SonicWall SMA 100 Series devices. Their TTPs include:
- TA0001 – Initial Access: Gaining entry into the network, often via exploitation of public-facing applications or the reuse of previously stolen credentials.
- T1190 – Exploit Public-Facing Application: Exploiting vulnerabilities in externally facing applications to gain initial access.
- TA0002 – Execution: Running malicious code on the compromised system, including deploying the OVERSTEP rootkit and establishing reverse shells.
- TA0003 – Persistence: Attackers maintain their foothold on the system by modifying critical system files like /etc/ld.so.preload and manipulating the Initial RAM Disk (INITRD).
- TA0006 – Credential Access: Stealing administrative credentials, session tokens, and OTP seeds from SMA appliance databases.
- T1505.003 – Server Software Component: Web Shell: Deploying web shells on compromised servers to enable remote access and command execution.
- TA0008 – Lateral Movement: Attackers navigate to other systems within the network after gaining initial access to the SMA appliance.
Mitigation Steps
SonicWall strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the specified fixed release version v10.2.2.1-90sv or higher to remediate this vulnerability. Additionally, SonicWall advises the following steps to secure devices and address the broader threat from UNC6148:
- Immediate Patching: Upgrade to firmware version 10.2.2.1-90sv or higher.
- Restrict Remote Management Access: Limit remote management access on external interfaces (e.g., X1) to reduce the attack surface.
- Comprehensive Credential Reset: Reset all passwords and reinitialize OTP (One-Time Password) binding for users and administrators. This is crucial as UNC6148 leverages stolen credentials for re-access.
- Enforce Multi-Factor Authentication (MFA): Implement and enforce MFA for all users, whether directly on the appliance or through directory services, as an invaluable safeguard against credential theft.
- Enable Web Application Firewall (WAF): Activate the Web Application Firewall (WAF) feature on SMA 100 devices to add a layer of defense.
- Forensic Investigation for IoCs: Before upgrading, thoroughly review appliance logs and connection history for anomalies and indicators of compromise (IoCs) shared by Google’s Threat Intelligence Group. Check for any unauthorized access or suspicious binaries. For SMA 500v virtual appliances, consider backing up the OVA, exporting configurations, removing the existing VM, reinstalling a clean OVA, and restoring the configuration.
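The affected-version statement earlier in the article (10.2.1.15-81sv and earlier) and the patching step above (10.2.2.1-90sv or higher) together define a simple inventory check. The following is an added example, not SonicWall's tooling, that parses the SMA firmware version string format and classifies an appliance against both thresholds. The version format assumed is the one the advisory uses ("10.2.1.15-81sv", optionally prefixed with "v"); any version that sits between the two thresholds is reported as indeterminate because the article does not say how such builds are treated.

```python
"""Classify an SMA 100 series appliance against the CVE-2025-40599 advisory.

Added example, not SonicWall tooling. Thresholds and model list come from
the advisory text; the version-string format "<major>.<minor>.<patch>.<build>-<rev>sv"
is assumed from the examples the advisory gives.
"""
import re
from typing import NamedTuple

AFFECTED_MODELS = frozenset({"SMA 210", "SMA 410", "SMA 500v"})
LAST_AFFECTED = "10.2.1.15-81sv"   # this version "and earlier" are affected
FIXED_RELEASE = "10.2.2.1-90sv"    # upgrade target, "or higher"

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


class FirmwareVersion(NamedTuple):
    """Tuple ordering gives the right comparison across all five fields."""
    major: int
    minor: int
    patch: int
    build: int
    rev: int


def parse_version(text: str) -> FirmwareVersion:
    """Parse '10.2.1.15-81sv' (or 'v10.2.1.15-81sv') into a comparable tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised SMA firmware version: {text!r}")
    return FirmwareVersion(*(int(group) for group in match.groups()))


def is_affected(version: str) -> bool:
    """True when the version is at or below the last affected release."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def meets_fixed_release(version: str) -> bool:
    """True when the version is at or above the advisory's fixed release."""
    return parse_version(version) >= parse_version(FIXED_RELEASE)


def assess(model: str, version: str) -> str:
    """Return 'not-in-scope', 'fixed', 'affected' or 'indeterminate'."""
    if model not in AFFECTED_MODELS:
        return "not-in-scope"
    if meets_fixed_release(version):
        return "fixed"
    if is_affected(version):
        return "affected"
    # Between the two thresholds: the advisory text does not cover it.
    return "indeterminate"


if __name__ == "__main__":
    # Constructed inventory rows for the demonstration.
    inventory = [
        ("SMA 500v", "10.2.1.15-81sv"),
        ("SMA 410", "v10.2.2.1-90sv"),
        ("SMA 210", "10.2.2.0-1sv"),
        ("not-an-sma-100", "10.2.1.15-81sv"),
    ]
    for model, version in inventory:
        print(f"{model:15} {version:16} {assess(model, version)}")
```

Because the check is a plain function, it can be fed from whatever inventory export your patch or asset tooling produces; an "affected" result is the trigger for the credential reset and IoC review steps above, not only for the upgrade.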
Instantly Fix Risks with Saner Patch Management
Saner Patch Management is a continuous, automated, and integrated software solution designed to proactively address vulnerabilities and instantly fix risks exploited in the wild. The software supports major operating systems like Windows, Linux, macOS, and over 550 third-party applications.
It also facilitates setting up a secure testing environment to validate patches before their broad deployment in a primary production environment. Additionally, Saner Patch Management includes a patch rollback feature, offering a safety net in case of patch failure or system malfunction.
Experience the fastest and most accurate patching software here.
