Severity
High
Analysis Summary
SonicWall has released an urgent firmware update, version 10.2.2.2-92sv, for its SMA 100 series appliances (SMA 210, 410, and 500v) following the discovery of active exploitation by the OVERSTEP rootkit malware. The update, issued under advisory SNWLID-2025-0015 on September 22, 2025, introduces advanced file-checking capabilities to detect and remove malicious software from compromised devices. The move comes amid warnings from Google’s Threat Intelligence Group (GTIG), which previously reported a campaign by UNC6148 targeting end-of-life SMA 100 appliances with OVERSTEP, a sophisticated user-mode rootkit designed to ensure persistence and evade detection.
The OVERSTEP malware provides attackers with persistent access by hiding components, creating reverse shells, and exfiltrating sensitive data such as credentials, OTP seeds, and certificates. Such theft allows long-term control even after firmware upgrades, making it particularly dangerous for organizations relying on SMA 100 devices. Researchers highlight strong ties between UNC6148’s operations and Abyss ransomware, noting prior exploitation methods where adversaries deployed web shells on SMA appliances to maintain footholds despite updates. The malware was observed being deployed as SMA devices approached their end-of-support date of October 1, 2025, further increasing the urgency of remediation.
This latest update builds on SonicWall’s earlier 2025 security patches, which addressed a series of critical vulnerabilities. In May 2025, three flaws (CVE-2025-32819, CVE-2025-32820, CVE-2025-32821) were fixed, as they could be chained to achieve remote code execution. In July 2025, SonicWall patched another severe vulnerability (CVE-2025-40599) that enabled authenticated arbitrary file uploads. Despite these efforts, the persistence techniques used by OVERSTEP necessitated the release of a dedicated firmware update to cleanse infected systems, as no workaround exists for devices running 10.2.1.15-81sv or earlier versions.
SonicWall has strongly urged organizations to immediately apply the firmware update, stressing that the SMA 1000 series and firewall-based SSL-VPN functionality are not impacted. Administrators are advised to review system logs for indicators of compromise, reset all user credentials, and reinitialize OTP bindings as precautionary steps before and after upgrading. With the active exploitation of SMA 100 devices in the wild and the imminent end-of-support deadline, failure to update could result in severe data loss and persistence of threat actors within networks. This update represents the most critical line of defense against ongoing exploitation campaigns targeting SMA 100 appliances.
Impact
- Exfiltration of Sensitive Data
- Unauthorized Access
Indicators of Compromise
CVE
CVE-2025-32819
CVE-2025-32820
CVE-2025-32821
IP
- 193.149.180.50
- 64.52.80.80
- 193.149.176.230
Affected Vendors
Remediation
- Immediately upgrade SMA 100 series appliances (SMA 210, 410, and 500v) to firmware version 10.2.2.2-92sv.
- Review appliance logs for indicators of compromise (IoCs) before and after the update.
- Reset all credentials (admin, user, and service accounts) to prevent unauthorized access.
- Reinitialize OTP bindings to mitigate the risk of stolen authentication seeds.
- Follow guidance from SonicWall’s July 2025 knowledge base article for additional security hardening.
- Remove or replace EoL devices ahead of the October 1, 2025 end-of-support deadline.
- Segment and monitor network traffic from SMA appliances for unusual activity.
- Apply patches promptly for previously disclosed vulnerabilities (e.g., CVE-2025-32819, CVE-2025-32820, CVE-2025-32821, CVE-2025-40599).
- Ensure no web shells or other persistence mechanisms remain on the devices after upgrading.
- Prioritize migration planning to supported platforms such as the SMA 1000 series or firewall-based SSL VPN.
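A defender-side triage check to go with the remediation steps above. This is an added example, not SonicWall's code or tooling: it parses SMA 100 version strings in the advisory's `10.2.2.2-92sv` form, compares them against the fixed and no-workaround versions quoted in the summary, and flags which appliances in an inventory still need the upgrade. The hostnames, the inventory lines and the `10.2.1.14-75sv` version are constructed for illustration.

```python
import re

# Versions quoted in the advisory above.
FIXED_VERSION = "10.2.2.2-92sv"        # firmware released under SNWLID-2025-0015
NO_WORKAROUND_MAX = "10.2.1.15-81sv"   # no workaround for this version or earlier

# Models the advisory names as affected; the SMA 1000 series is out of scope.
AFFECTED_MODELS = {"SMA 210", "SMA 410", "SMA 500v"}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(version: str) -> tuple:
    """Turn '10.2.2.2-92sv' into (10, 2, 2, 2, 92) so versions compare as tuples."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA 100 firmware version: {version!r}")
    return tuple(int(part) for part in m.groups())


def assess(model: str, version: str) -> str:
    """Classify one appliance against the advisory's fixed and no-workaround versions."""
    if model not in AFFECTED_MODELS:
        return "out-of-scope"          # e.g. SMA 1000 series, not impacted
    current = parse_version(version)
    if current >= parse_version(FIXED_VERSION):
        return "patched"
    if current <= parse_version(NO_WORKAROUND_MAX):
        return "upgrade-required-no-workaround"
    return "upgrade-required"


# Constructed inventory: hostname,model,version (not real devices).
INVENTORY = """\
sma-edge-01,SMA 410,10.2.1.15-81sv
sma-edge-02,SMA 500v,10.2.2.2-92sv
sma-edge-03,SMA 210,10.2.1.14-75sv
vpn-core-01,SMA 1000,n/a
"""


def triage_inventory(csv_text: str) -> dict:
    """Map each hostname in a 'host,model,version' listing to its remediation status."""
    status = {}
    for line in csv_text.strip().splitlines():
        host, model, version = (field.strip() for field in line.split(","))
        status[host] = assess(model, version)
    return status


if __name__ == "__main__":
    for host, state in triage_inventory(INVENTORY).items():
        print(f"{host}: {state}")
```

Devices reported as `upgrade-required-no-workaround` are the ones the advisory says cannot be protected short of the firmware update, so they belong at the front of the upgrade queue.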