Essential Insights
- SonicWall urgently released firmware 10.2.2.2-92sv to address a known rootkit malware (OVERSTEP) on SMA 100 series devices, especially targeting end-of-life models approaching support end on October 1, 2025.
- The update incorporates enhanced file-checking to detect and remove malicious software, blocking persistent threats and exfiltration of sensitive data like credentials and OTP seeds.
- The threat, linked to a campaign by UNC6148, exploited vulnerabilities and web shells on compromised devices, emphasizing the critical need for immediate patching to prevent active exploitation.
- SonicWall urges all affected users to apply the firmware immediately, review logs, reset credentials, and reinitialize OTPs—no workaround exists, and the vulnerability does not affect other series like the SMA 1000 or firewall SSL-VPNs.
What’s the Problem?
In September 2025, SonicWall issued an urgent firmware update (version 10.2.2.2-92sv) for its Secure Mobile Access (SMA) 100 series appliances, following a detailed report from Google's Threat Intelligence Group (GTIG). The report revealed that a rootkit called OVERSTEP had been actively deployed on end-of-life SMA devices (models 210, 410, and 500v), implanting components that gave the attacker persistent access, data theft, and remote control. The malware was attributed to a threat actor dubbed UNC6148, which targeted devices nearing their support expiration date of October 1, 2025; Google could not conclusively identify how the initial compromise occurred. SonicWall's update addresses these threats by adding enhanced file integrity checks designed to purge the malware, but users must act immediately: the attackers, possibly linked to earlier ransomware campaigns such as Abyss, had already used their access for long-term data exfiltration, including credentials and certificates.
This incident was reported by SonicWall itself, which highlighted both the severity and urgency of the threat and emphasized that the firmware patch is the primary defense now available against ongoing exploitation. The company stated that fixes released earlier in 2025 for other vulnerabilities, such as remote code execution flaws, were insufficient against these persistent implants, making the new update critical for preventing further breaches. SonicWall urges administrators to apply the update immediately, review logs for signs of intrusion, reset credentials, and reinitialize OTP settings to safeguard their networks, especially since the compromised devices are approaching end of support, leaving them exposed to sustained attacks.
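The update's core mechanism, as described above, is a file integrity check that spots files an implant has added or altered. The following added example (not SonicWall's code; the directory layout and file contents are constructed) shows the manifest-compare principle behind such a check: hash a known-good tree, then classify every difference in the live tree as modified, added or missing.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256.
    Symlinks are skipped so a link cannot stand in for a real file."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def verify_tree(root: Path, baseline: dict) -> dict:
    """Compare a live tree against a known-good manifest.
    'added' is the class a dropped implant or web shell falls into,
    'modified' a trojaned binary, 'missing' a deleted or hidden file."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed sample: snapshot a clean tree, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "httpd").write_bytes(b"legit-binary-v1")
        (root / "etc").mkdir()
        (root / "etc" / "config").write_text("mode=prod\n")
        baseline = build_manifest(root)  # taken from the known-good state
        # Simulated tampering: patch the binary, drop a new library, remove the config
        (root / "bin" / "httpd").write_bytes(b"legit-binary-v1\x00patched")
        (root / "lib").mkdir()
        (root / "lib" / "dropped.so").write_bytes(b"constructed-sample")
        (root / "etc" / "config").unlink()
        return verify_tree(root, baseline)
```

In practice the baseline manifest must come from a trusted source (a signed manifest shipped with the firmware, or a hash of a pristine image), since a manifest built on an already compromised device would only confirm the implant as "normal".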
Risk Summary
SonicWall's urgent release of firmware version 10.2.2.2-92sv for its SMA 100 series appliances counters an active campaign built on the OVERSTEP rootkit, which was deployed on end-of-life devices nearing their support deadline. The malware grants attackers persistent access, lets them establish reverse shells, and exfiltrates sensitive data such as credentials and certificates, creating severe risk of unauthorized access, data breaches, and ongoing control over compromised systems. The attack, linked to the UNC6148 group and detailed in a July 2025 report by Google's Threat Intelligence Group, underscores the danger of long-lived malware embedded in vulnerable edge appliances, especially as many devices approach end of support, leaving organizations exposed to exploitation, ransomware deployment, and lateral movement within their networks. SonicWall's update directly targets these active threats and should be applied immediately, together with the recommended log review, credential reset, and OTP reinitialization, reflecting how much timely remediation matters against persistent, highly targeted attacks.
Fix & Mitigation
Ensuring rapid response to firmware vulnerabilities like the SonicWall rootkit malware "OVERSTEP" is crucial to safeguarding network integrity and preventing extensive damage. Prompt remediation helps limit potential data breaches, unauthorized access, and system disruptions that could escalate if left unaddressed.
Mitigation Steps
- Apply Firmware Update: Install SonicWall’s latest firmware patch immediately.
- Isolate Compromised Devices: Disconnect affected SMA devices from the network to prevent spread.
- Conduct Vulnerability Scanning: Use security tools to identify signs of compromise across the network.
- Reset Devices: Perform factory resets on affected devices to eliminate malware presence.
- Monitor Traffic: Watch network activity for unusual behavior indicating ongoing malicious activity.
- Strengthen Security: Implement stricter access controls and multi-factor authentication to prevent future attacks.
