SonicWall has issued an urgent firmware update, version 10.2.2.2-92sv, for its Secure Mobile Access (SMA) 100 series appliances to detect and remove known rootkit malware.
The advisory, SNWLID-2025-0015, published on September 22, 2025, strongly recommends that all users of SMA 210, 410, and 500v devices apply the update immediately to protect against persistent threats.
This release introduces additional file-checking capabilities designed to purge malicious software from compromised systems.
The update directly addresses threats highlighted in a July 2025 report from Google's Threat Intelligence Group (GTIG). Researchers detailed a campaign by a threat actor, tracked as UNC6148, deploying the OVERSTEP malware on end-of-life (EoL) SonicWall SMA 100 devices.
OVERSTEP is a sophisticated user-mode rootkit that enables attackers to maintain persistent access through hidden components, establish a reverse shell, and exfiltrate sensitive data.
Stolen data can include credentials, One-Time Password (OTP) seeds, and certificates, granting the attackers long-term persistence even after firmware updates.
Patch Following Active Exploitation
The release of this firmware is a critical step in combating active exploitation in the wild. The GTIG report noted that the OVERSTEP rootkit was deployed on SMA devices nearing their end-of-support date of October 1, 2025.
While Google's researchers could not definitively determine the initial access vector, they observed significant overlaps between UNC6148's activities and incidents involving Abyss ransomware. In earlier attacks, threat actors installed web shells on SMA appliances to maintain their foothold despite system updates.
SonicWall's advisory acknowledges the risks outlined by Google and urges administrators to implement the security measures detailed in a related July knowledge base article.
The company has been actively addressing a series of vulnerabilities in its SMA 100 appliances throughout the year. In May 2025, it patched three flaws (CVE-2025-32819, CVE-2025-32820, CVE-2025-32821) that could be chained for remote code execution. Another critical flaw, CVE-2025-40599, was patched in July to prevent authenticated arbitrary file uploads.
SonicWall emphasizes that this new firmware is the primary remediation for affected devices running versions 10.2.1.15-81sv and earlier. There is no workaround available.
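As an added example (not code from SonicWall or the advisory), the following Python check parses SMA 100 version strings in the 10.2.1.15-81sv format and flags appliances running a build at or below 10.2.1.15-81sv as still needing the 10.2.2.2-92sv firmware; the hostnames and the 10.2.1.9-57sv build in the sample inventory are constructed.

```python
import re

# From the advisory text: builds up to and including 10.2.1.15-81sv are
# affected; 10.2.2.2-92sv is the firmware that adds the rootkit check.
LAST_AFFECTED = "10.2.1.15-81sv"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text):
    """Turn '10.2.1.15-81sv' into (10, 2, 1, 15, 81) so versions compare numerically.

    Plain string comparison would sort '10.2.1.9-...' after '10.2.1.15-...',
    which is why every field is converted to an int first.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("not an SMA 100 version string: %r" % text)
    return tuple(int(g) for g in m.groups())


def needs_update(version):
    """True when the appliance runs a build at or below the last affected one."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def triage(inventory):
    """Split a {hostname: version} inventory into hosts that still need
    10.2.2.2-92sv, hosts already on it or newer, and entries that do not parse."""
    report = {"update": [], "current": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "update" if needs_update(version) else "current"
        except ValueError:
            bucket = "unknown"  # unparseable: inspect by hand rather than assume safe
        report[bucket].append(host)
    return report


# Constructed sample inventory; hostnames and the 10.2.1.9-57sv build are made up.
SAMPLE_INVENTORY = {
    "sma410-hq": "10.2.1.15-81sv",
    "sma210-branch": "10.2.1.9-57sv",
    "sma500v-lab": "10.2.2.2-92sv",
    "sma410-dc2": "n/a",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(bucket, hosts)
```

Entries that do not parse are reported separately rather than treated as safe, so an administrator can check them by hand.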
The advisory clarifies that the vulnerability does not impact the SonicWall SSL VPN SMA 1000 series or SSL-VPN functionality running on its firewalls.
Given the active threats and the approaching end-of-support date for the SMA 100 series, organizations are advised to prioritize this update to prevent compromise and data exfiltration.
Before upgrading, administrators should review appliance logs for indicators of compromise, reset all credentials, and reinitialize OTP bindings as a precautionary measure.