SonicWall has issued an urgent firmware update, version 10.2.2.2-92sv, for its Secure Mobile Access (SMA) 100 series appliances to detect and remove known rootkit malware.
The advisory, SNWLID-2025-0015, published on September 22, 2025, strongly recommends that all users of SMA 210, 410, and 500v devices apply the update immediately to protect against persistent threats.
This release introduces additional file-checking capabilities designed to purge malicious software from compromised systems.
The update directly addresses threats highlighted in a July 2025 report from Google’s Threat Intelligence Group (GTIG). Researchers detailed a campaign by a threat actor, tracked as UNC6148, deploying the OVERSTEP malware on end-of-life (EoL) SonicWall SMA 100 devices.
OVERSTEP is a sophisticated user-mode rootkit that enables attackers to maintain persistent access through hidden components, establish a reverse shell, and exfiltrate sensitive data.
Stolen files can include credentials, One-Time Password (OTP) seeds, and certificates, granting the attackers long-term persistence even after firmware updates.
Patch Following Active Exploitation
The release of this firmware is a critical step in combating active exploitation in the wild. The GTIG report noted that the OVERSTEP rootkit was deployed on SMA devices nearing their end-of-support date of October 1, 2025.
While Google’s researchers could not definitively determine the initial access vector, they observed significant overlaps between UNC6148’s activities and incidents involving Abyss ransomware. In previous attacks, threat actors installed web shells on SMA appliances to maintain their foothold despite system updates.
SonicWall’s advisory acknowledges the risks outlined by Google and urges administrators to implement the security measures detailed in a related July knowledge base article.
The company has been actively addressing a series of vulnerabilities in its SMA 100 appliances throughout the year. In May 2025, it patched three flaws (CVE-2025-32819, CVE-2025-32820, CVE-2025-32821) that could be chained for remote code execution. Another critical flaw, CVE-2025-40599, was patched in July to prevent authenticated arbitrary file uploads.
SonicWall emphasizes that this new firmware is the primary remediation for affected devices running versions 10.2.1.15-81sv and earlier. There is no workaround available.
The advisory also clarifies scope: the SMA 1000 series and the SSL-VPN functionality built into SonicWall firewalls are not affected; only the SMA 100 series appliances (SMA 210, 410, and 500v) are in scope.
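The two statements above (affected firmware is 10.2.1.15-81sv and earlier, the fix is 10.2.2.2-92sv, and only the SMA 210/410/500v models are in scope) are the facts an administrator needs to triage a fleet. The following is an added example, not code from SonicWall or from the advisory: it parses SonicWall's `major.minor.patch.rev-NNsv` version strings into comparable tuples and classifies each appliance. The inventory rows are constructed for illustration, and the assumption that the dotted part always has at most four fields is mine, not the advisory's.

```python
import re

# Versions quoted on this page from SonicWall advisory SNWLID-2025-0015.
FIXED_VERSION = "10.2.2.2-92sv"   # firmware that adds the rootkit file checks
LAST_AFFECTED = "10.2.1.15-81sv"  # this version "and earlier" are affected

# Only the SMA 100 series is in scope; SMA 1000 and firewall SSL-VPN are not.
IN_SCOPE_MODELS = {"SMA 210", "SMA 410", "SMA 500v"}

# Assumed format: up to four dotted numeric fields, a dash, a build number, "sv".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+){0,3})-(\d+)sv$")


def parse_version(version: str) -> tuple:
    """Turn '10.2.2.2-92sv' into (10, 2, 2, 2, 92) so tuples compare correctly.

    The dotted part is zero-padded to four fields so a shorter string such as
    '10.2.1-80sv' (a format assumed here, not one taken from the advisory)
    still sorts in the right place relative to four-field versions.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {version!r}")
    dotted, build = m.groups()
    fields = [int(p) for p in dotted.split(".")]
    fields += [0] * (4 - len(fields))
    return tuple(fields) + (int(build),)


def classify(model: str, version: str) -> str:
    """Classify one appliance against the advisory's scope and version range."""
    if model not in IN_SCOPE_MODELS:
        return "out-of-scope"
    try:
        v = parse_version(version)
    except ValueError:
        # A version string we cannot read must be checked by hand, never
        # silently treated as patched.
        return "unknown-version"
    if v >= parse_version(FIXED_VERSION):
        return "fixed"
    if v <= parse_version(LAST_AFFECTED):
        return "affected"
    # Anything between the last affected build and the fix still lacks the
    # new file checks, so it is reported separately but still needs the upgrade.
    return "below-fix"


# Constructed inventory for the example; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "vpn-edge-1", "model": "SMA 410", "version": "10.2.1.14-75sv"},
    {"host": "vpn-edge-2", "model": "SMA 210", "version": "10.2.1.15-81sv"},
    {"host": "vpn-lab",    "model": "SMA 500v", "version": "10.2.2.2-92sv"},
    {"host": "vpn-dc",     "model": "SMA 1000", "version": "12.4.3-02987"},
    {"host": "vpn-old",    "model": "SMA 410", "version": "n/a"},
]


def triage(inventory: list) -> dict:
    """Map each host to its classification; callers act on anything not 'fixed'."""
    return {row["host"]: classify(row["model"], row["version"]) for row in inventory}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Because the upgrade is the only remediation and there is no workaround, anything that does not come back as `fixed` (including `unknown-version`, which usually means an unreachable or unmanaged appliance) belongs on the upgrade list.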
Given the active threats and the approaching end-of-support date for the SMA 100 series, organizations are advised to prioritize this update to prevent compromise and data exfiltration.
Before upgrading, administrators should review appliance logs for indicators of compromise. Because OVERSTEP is designed to steal stored credentials, OTP seeds, and certificates, which would let an attacker return even after the firmware is updated, they should also reset all credentials and re-enroll OTP bindings once the appliance is on the new firmware, as a precautionary measure.