SecurityWeek

SonicWall Patches Critical SMA 100 Vulnerability, Warns of Recent Malware Attack

SonicWall advises organizations to patch SMA 100 appliances and look for IoCs associated with Overstep malware attacks.

SonicWall on Wednesday announced patches for a critical vulnerability in Secure Mobile Access (SMA) 100 series secure access gateways, urging organizations to take immediate action in the wake of the recently disclosed Overstep malware attacks.

The newly addressed flaw, tracked as CVE-2025-40599 (CVSS score of 9.1), is described as an arbitrary file upload issue in the SMA 100’s web management interface.

The bug can be exploited by remote attackers to upload arbitrary files to the system, which could lead to remote code execution (RCE). The attackers need administrative privileges to exploit the security defect, SonicWall’s advisory reads.

Patches for the vulnerability were included in SMA 100 series software version 10.2.2.1-90sv, available for SMA 210, 410, and 500v products. SonicWall SSL VPN SMA1000 series products and SSL-VPN running on SonicWall firewalls are not affected.

According to the company, there is no evidence that CVE-2025-40599 has been exploited in the wild. However, in light of Google’s recent report on UNC6148 attacks deploying Overstep malware on SMA 100 appliances, it recommends that all organizations take immediate action to secure their devices.

Google discovered that the hackers have used compromised admin credentials to access fully patched appliances and infect them. The credentials were likely obtained prior to the devices being patched, through the exploitation of known vulnerabilities such as CVE-2025-32819, CVE-2024-38475, CVE-2021-20035, CVE-2021-20038, and CVE-2021-20039.

Because the compromised credentials could be used to exploit the fresh bug for RCE, organizations using SMA 100 series appliances should hunt for IoCs associated with UNC6148 attacks.

Organizations using the SMA 500v virtual product should back up the OVA file, export configurations, remove the VM and all associated files, download a new OVA from SonicWall, deploy it in a hypervisor, and restore the configuration.

On Wednesday, SonicWall also announced patches for three high-severity SMA 100 flaws, including two buffer overflow issues (CVE-2025-40596 and CVE-2025-40597) leading to a denial-of-service (DoS) condition, and an XSS defect (CVE-2025-40598) leading to the execution of arbitrary JavaScript code.

All three issues can be targeted remotely, without authentication, but SonicWall says it has no evidence of any of them being exploited in the wild.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
