SonicWall Updates SMA 100 Appliances to Remove Overstep Malware

The software update includes additional file checks and helps users remove the known rootkit deployed in a recent campaign.

SonicWall has released a fresh software update for its SMA 100 appliances to help users remove the Overstep malware deployed in a recent campaign.

As part of the attacks, flagged in July by Google’s Threat Intelligence Group, a threat actor tracked as UNC6148 infected fully patched SMA appliances with a persistent backdoor and user-mode rootkit that supports credential, session token, and one-time password seed theft.

The threat actor likely used local administrator credentials stolen in earlier attacks, before the devices were patched, by exploiting known vulnerabilities such as CVE-2025-32819, CVE-2024-38475, CVE-2021-20035, CVE-2021-20038, and CVE-2021-20039.

In July, Google released indicators of compromise (IoCs) and detection rules to help SonicWall customers identify and block potential UNC6148 attacks.

This week, SonicWall announced the release of SMA 100 software version 10.2.2.2-92sv, which includes “additional file checking, providing the capability to remove known rootkit malware present on the SMA devices”.

All SMA 210, 410, and 500v appliances running 10.2.1.15-81sv and earlier software versions are impacted, SonicWall notes.
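One defender-side use of the two version numbers quoted above is a fleet check that flags appliances still on an affected build and those already on the release with the extra file checks. This is an added example, not SonicWall's code; the inventory lines and the version numbers other than the two from the advisory are constructed.

```python
import re
from typing import NamedTuple

# The two versions the advisory names (see text above).
LAST_AFFECTED = "10.2.1.15-81sv"   # this build and earlier are impacted
FIXED_VERSION = "10.2.2.2-92sv"    # release that adds the rootkit file checks

# SMA 100 versions look like "<dotted release>-<build>sv".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)sv$")


class SmaVersion(NamedTuple):
    release: tuple   # e.g. (10, 2, 1, 15); tuples compare element-wise
    build: int       # e.g. 81


def parse_sma_version(text: str) -> SmaVersion:
    """Parse '10.2.1.15-81sv' into a tuple that sorts numerically, not lexically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA version string: {text!r}")
    return SmaVersion(tuple(int(p) for p in m.group(1).split(".")), int(m.group(2)))


def classify(version: str) -> str:
    """'affected' (<= last affected), 'fixed' (>= fixed release) or 'review' (in between)."""
    v = parse_sma_version(version)
    if v <= parse_sma_version(LAST_AFFECTED):
        return "affected"
    if v >= parse_sma_version(FIXED_VERSION):
        return "fixed"
    return "review"   # the advisory text does not state the status of builds in this gap


def triage_inventory(lines):
    """Return (host, version, status) for 'host,version' lines; unparseable versions are flagged."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            status = classify(version)
        except ValueError:
            status = "unparseable"
        results.append((host.strip(), version.strip(), status))
    return results


# Constructed sample inventory; hosts and the non-advisory versions are invented.
SAMPLE_INVENTORY = """\
# host,version
sma-hq-1,10.2.1.15-81sv
sma-branch-2,10.2.1.14-75sv
sma-lab-3,10.2.2.2-92sv
sma-gap-4,10.2.1.16-85sv
sma-bad-5,unknown
""".splitlines()

if __name__ == "__main__":
    for host, version, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:14} {version:16} {status}")
```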

The company urges all organizations using SMA 100 series appliances to review and implement security steps outlined in its July advisory.

Earlier this month, SonicWall announced it will no longer offer support for SMA100 devices starting October 1, 2025, urging customers to transition to “more secure, modern remote access solutions” and offering free replacement options for eligible SMA100 appliances.

“Due to significant vulnerabilities presented by legacy VPN appliances, SonicWall will be deactivating all SMA100 appliances on October 31, 2025. Following this date, all SMA100 appliances will lose connectivity and no longer function. To ensure uninterrupted security and connectivity, partners and customers will need to migrate to an alternative SonicWall solution before October 31, 2025,” the company notes.

SonicWall may continue to provide support to SMA100 appliances that have support expiration dates extending beyond October 31, 2027.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.