
A critical zero-day flaw in SonicWall SMA 100 VPN appliances is being leveraged in the wild to distribute Overstep, a stealth malware capable of maintaining persistent access, stealing credentials, and executing lateral attacks. The vulnerability allows remote code execution without authentication, affecting several widely deployed device models. Prompt patching and comprehensive threat investigations are crucial.
Background on SonicWall SMA 100
SonicWall’s Secure Mobile Access (SMA) 100 series devices act as VPN gateways, enabling remote employees to securely access corporate networks. Because they sit at critical points in network infrastructure and are exposed to the internet, they represent attractive targets for cyber attackers.
Vulnerability Details
- CVE-ID: CVE-2025-40599
- CVSS Score: 9.1 (Critical)
- EPSS Score: 0.13%
- Vulnerability: Arbitrary File Upload vulnerability
- Affected Firmware: Prior to version 10.2.1.15-81sv
- Impacted Models: SMA 100, 210, 410 and 500v
Infection Method
- Initial Access: Attackers target internet-facing SonicWall SMA 100 series VPN appliances running vulnerable firmware. Devices with default or weak admin credentials are especially at risk.
- Exploitation: Using valid administrative credentials, attackers exploit the authenticated arbitrary file upload vulnerability (CVE-2025-40599) in the SMA 100 series web management interface to upload malicious payloads.
- Remote Code Execution: Uploaded payloads are executed on the device, granting attackers privileged shell access and control.
- Rootkit Deployment: The Overstep malware is installed by modifying critical system files:
  - Injecting malicious code into the INITRD image to ensure execution at boot.
  - Adding itself to /etc/ld.so.preload for automatic library hijacking.
  - Modifying the rc.fwboot script to persist across reboots.
Malware Behavior and Capabilities
- Achieves persistence by placing itself in the /etc/ld.so.preload file.
- Injects malicious code directly into the initial RAM disk (INITRD), so it is loaded automatically during system startup.
- Timestomps modified files to hide evidence of tampering by preserving original timestamps.
- Modifies the device’s boot script (rc.fwboot) to ensure the rootkit survives reboots.
- Runs the rootkit at a privileged level, granting persistent and covert access to the device.
- Hijacks standard library functions such as open, open64, readdir, readdir64, and write.
- Uses the hijacked write function to inspect web server log data for embedded commands.
- Locks the /etc/ld.so.preload file with the FS_IMMUTABLE_FL flag, making it nearly impossible to modify or delete.
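A defender-side check for the persistence and anti-forensic tells listed above, written for this page as an added example (not SonicWall's code and not the malware's): it reads /etc/ld.so.preload under a given root, tests the FS_IMMUTABLE_FL bit, and uses the ctime-versus-mtime gap that utime()-based timestomping leaves behind. The rc.fwboot path and the library name in the constructed fixture are assumptions.

```python
import fcntl
import os
import struct
import tempfile
import time

FS_IOC_GETFLAGS = 0x80086601  # Linux inode-flag ioctl (x86_64 value)
FS_IMMUTABLE_FL = 0x00000010  # the bit the write-up says Overstep sets on ld.so.preload

def inode_flags(path):
    """Return inode attribute flags, or None where the filesystem lacks the ioctl."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return struct.unpack("l", fcntl.ioctl(fd, FS_IOC_GETFLAGS, struct.pack("l", 0)))[0]
    except OSError:
        return None
    finally:
        os.close(fd)

def check_preload(root="/"):
    """Report a present ld.so.preload, the libraries it injects, and an immutable bit."""
    path, findings = os.path.join(root, "etc/ld.so.preload"), []
    if not os.path.exists(path):
        return findings  # a clean image should have no preload file at all
    with open(path) as fh:
        libs = [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]
    findings.append("ld.so.preload present, preloading: " + ", ".join(libs))
    flags = inode_flags(path)
    if flags is not None and flags & FS_IMMUTABLE_FL:
        findings.append("ld.so.preload is immutable (FS_IMMUTABLE_FL); clear it before removal")
    return findings

def looks_timestomped(path, tolerance=60.0):
    """utime() can rewrite mtime but not ctime, so ctime far ahead of mtime is a timestomp tell."""
    # Metadata-only changes (chmod, package installs) also cause this: a lead, not proof.
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > tolerance

def build_fixture():
    """Constructed sample root (not from a real appliance) so the checks run offline."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc/ld.so.preload"), "w") as fh:
        fh.write("/usr/lib/libexample.so\n")  # hypothetical library name
    boot = os.path.join(root, "etc/rc.fwboot")  # assumed location of the boot script
    with open(boot, "w") as fh:
        fh.write("#!/bin/sh\n")
    old = time.time() - 10 * 86400
    os.utime(boot, (old, old))  # mimic timestomping: mtime pushed back, ctime stays now
    return root
```

Run the functions against a mounted appliance image's root instead of the fixture; an immutable preload file must have the flag cleared before it can be removed.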
Tactics and Techniques include:
- TA0003 – Persistence: Attackers maintain their foothold in the system.
- TA0001 – Initial Access: Gaining entry into the network.
- TA0002 – Execution: Running malicious code on the compromised system.
- TA0006 – Credential Access: Stealing account names and passwords.
- TA0008 – Lateral Movement: Attackers navigate to other systems within the network.
- T1190 – Exploit Public-Facing Application: Exploiting vulnerabilities in externally facing applications to gain initial access.
- T1505.003 – Server Software Component: Web Shell: Deploying web shells on compromised servers to enable remote access and command execution.
- T1059.001 – Command and Scripting Interpreter: PowerShell: Using PowerShell to execute commands and scripts for malicious purposes.
- T1003.001 – OS Credential Dumping: LSASS Memory: Dumping credentials from LSASS memory to gain unauthorized access.
- T1021.002 – Remote Services: SMB/Windows Admin Shares: Utilizing SMB/Windows Admin Shares for lateral movement and remote execution.
Impact
- Remote code execution
- Credential harvesting and privilege escalation
Visual: Overstep Attack Flow
[Attacker with Admin Privileges] -> [Exploit CVE-2025-40599] -> [Upload Malicious File] -> [Remote Code Execution] -> [Deploy Overstep Rootkit] -> [Persistence & INITRD Injection] -> [Credential Theft / Log Inspection / Timestomping / Covert Access]
Mitigation Steps
- Update to 10.2.2.1-90sv or later.
- Disable remote management access on the external-facing interface (X1) to reduce the attack surface.
- Reset all passwords and reinitialize OTP (One-Time Password) binding for users and administrators on the appliance.
- Enforce multi-factor authentication (MFA) for all users.
- Enable the web application firewall on the device.
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.