SonicWall OVERSTEP Rootkit Campaign
SonicWall Releases Urgent Update to Remove Rootkit Malware from SMA Devices

Introduction
On September 22, 2025, SonicWall released an emergency firmware update (version 10.2.2.2-92sv) to neutralize a sophisticated rootkit attack on its Secure Mobile Access (SMA) 100 series appliances. The malware, named OVERSTEP, represents a new era of network infrastructure attacks, enabling threat actors to achieve stealthy boot-level persistence, steal critical credentials, and survive traditional patching methods. This campaign, orchestrated by the financially motivated group UNC6148, forced SonicWall to accelerate the End-of-Life (EOL) of SMA 100 devices from October 2027 to October 31, 2025, leaving organizations just weeks to update or replace their hardware.
The UNC6148 Threat Actor
The attack is attributed to UNC6148, a financially driven cybercriminal group with ties to ransomware operators such as Abyss/VSOCIETY.
Key Characteristics of UNC6148:
Primary Goal: Credential theft, persistent access, and potential extortion.
Initial Access: Used stolen administrator credentials and exploited multiple SonicWall vulnerabilities (including CVE-2025-32819 and CVE-2024-38475).
Campaign Start: First activity observed in October 2024, escalating steadily through 2025.
Tactics: Opportunistic targeting of end-of-life network appliances, selective log removal, and advanced stealth operations.
OVERSTEP Rootkit – Anatomy of the Attack
The OVERSTEP rootkit is a custom Linux user-mode malware engineered to hijack SonicWall’s operating environment.
Core Features:
32-bit ELF Payload: Hooks critical system calls (open(), read(), stat()) to conceal malicious processes.
Boot-Level Persistence: Embeds into the initial RAM disk (INITRD) and modifies /etc/ld.so.preload to inject itself into every process.
Anti-Forensics: Selectively removes logs and uses timestomping to disguise file changes.
Survivability: Remains active even after standard firmware upgrades, making removal exceptionally difficult.
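The two persistence traits just listed, an injected /etc/ld.so.preload entry and timestomped files, are also the two indicators a defender can check for directly. The script below is an added example written for this article, not code from SonicWall or from the researchers who analysed OVERSTEP; the empty allowlist, the file names and the timestamps are constructed assumptions.

```python
"""Added example (not SonicWall's or the analysts' code): flag the two
persistence indicators described above, an unexpected /etc/ld.so.preload
entry and a timestomped file. Sample inputs are constructed; the empty
allowlist is an assumption about what a healthy appliance preloads."""
import os
import re
from dataclasses import dataclass

# Assumption: a healthy appliance preloads nothing, so every entry is suspect.
# Hosts that legitimately preload a vendor library should list it here.
DEFAULT_ALLOWLIST = frozenset()


def unexpected_preload_entries(preload_text, allowlist=DEFAULT_ALLOWLIST):
    """Return library paths in ld.so.preload text that are not allowlisted.

    glibc's loader treats '#' as a comment and separates entries with
    whitespace or ':'; the parser mirrors that so an entry hidden after a
    legitimate one on the same line is still seen.
    """
    suspects = []
    for raw in preload_text.splitlines():
        for token in re.split(r"[\s:]+", raw.split("#", 1)[0]):
            if token and token not in allowlist:
                suspects.append(token)
    return suspects


@dataclass(frozen=True)
class FileTimes:
    """Timestamps as stat(2) reports them, in seconds since the epoch."""
    path: str
    mtime: float  # content modification time; utime(2) lets a process set it freely
    ctime: float  # inode change time; the kernel sets it and utime(2) cannot


def timestomp_suspects(records, min_gap_seconds=86400.0):
    """Heuristic: a normal write leaves mtime and ctime equal, while rolling
    mtime back after the write leaves ctime far newer. chmod/chown/rename and
    package installs that preserve mtimes also trip this, so treat hits as
    leads to inspect, not verdicts."""
    return sorted(r.path for r in records if r.ctime - r.mtime >= min_gap_seconds)


def stat_records(paths):
    """Collect FileTimes for real files (paths that do not exist are skipped)."""
    out = []
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        out.append(FileTimes(p, st.st_mtime, st.st_ctime))
    return out


# Constructed sample data, not taken from a real appliance.
SAMPLE_PRELOAD = "# constructed sample\n/usr/lib/libexample-hook.so\n"
SAMPLE_RECORDS = [
    # mtime rolled back to 2020-01-01 UTC while ctime still says 2025-09-22 UTC.
    FileTimes("/usr/lib/libexample-hook.so", mtime=1_577_836_800.0, ctime=1_758_499_200.0),
    # Written normally: both timestamps agree.
    FileTimes("/etc/ld.so.preload", mtime=1_758_499_200.0, ctime=1_758_499_200.0),
]


def scan(preload_text=SAMPLE_PRELOAD, records=SAMPLE_RECORDS, allowlist=DEFAULT_ALLOWLIST):
    """Run both checks and return the findings."""
    return {
        "preload": unexpected_preload_entries(preload_text, allowlist),
        "timestomped": timestomp_suspects(records),
    }


if __name__ == "__main__":
    print(scan())
```

Because OVERSTEP hooks open(), read() and stat() in every process that loads the preloaded library, a check like this run on the live appliance can be fed a clean-looking ld.so.preload and clean timestamps. Run it from a separately booted environment or against a mounted disk image taken from the device.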
Attack Methodology
Credential-Driven Access: UNC6148 gained entry using pre-harvested administrator credentials, bypassing standard login protections.
Privilege Escalation & Reconnaissance: Attackers enumerated device configurations, mapped network topologies, and harvested stored credentials, including one-time password (OTP) seeds and SSL certificates.
Rootkit Deployment: The OVERSTEP binary was staged on the device, with malicious code injected into INITRD and boot scripts to ensure persistence.
Stealth Operations: System call hooking and selective log tampering allowed the rootkit to remain undetected for months.
Post-Compromise Actions: Attackers continuously harvested user credentials, session tokens, and private keys while maintaining covert command-and-control channels.
Exploited Vulnerabilities
UNC6148 chained multiple SonicWall flaws to maximize access and survivability:
CVE-2025-32819: Authentication bypass vulnerability.
CVE-2024-38475: Path traversal enabling session hijacking.
CVE-2021-20038: Unauthenticated remote code execution (legacy but still relevant).
CVE-2021-20039: SQL injection in authentication bypass.
These weaknesses allowed attackers to gain privileged access even on partially patched systems.
Campaign Timeline
October 2024: Initial UNC6148 activity observed targeting SMA appliances.
January 2025: Evidence of credential exfiltration begins.
May 2025: First victim organization data surfaces on “World Leaks” extortion site.
July 2025: Google Threat Intelligence publishes detailed analysis of OVERSTEP.
September 22, 2025: SonicWall releases urgent firmware update to remove the rootkit.
SonicWall’s Defensive Response
The 10.2.2.2-92sv firmware update introduces automated detection and removal capabilities:
Key Capabilities:
File Integrity Verification: Cryptographic checks of system binaries.
INITRD Analysis: Detection of malicious boot-time modifications.
Automated Cleanup: Removal of injected libraries and restoration of original boot scripts.
Incident Logging: Generates forensic reports for compromised devices.
The patch also addresses other critical flaws, including an authenticated file upload vulnerability (CVE-2025-40599).
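File integrity verification of the kind the update performs reduces to comparing a trusted hash manifest against what is on disk. The routine below is an added, generic illustration written for this article, not SonicWall's implementation; it builds a baseline over a constructed directory tree, then simulates the drift an implant leaves behind (a patched binary, a new library, a deleted log) and reports it.

```python
"""Added example (not SonicWall's code): a SHA-256 manifest baseline and
verify routine of the kind the text calls file integrity verification.
The directory tree and file contents are constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries never sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (as a POSIX relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the tree under root with a trusted manifest and report drift
    in three classes: content changed, file gone, file not in the baseline."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo_tampered_tree() -> dict:
    """Build a clean baseline, then simulate the changes an injected-library
    implant leaves behind and return what verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for appliance files, not real contents.
        clean = {
            "bin/httpd": b"\x7fELF clean web daemon (constructed)",
            "etc/ld.so.preload": b"",
            "var/log/auth.log": b"constructed log line\n",
        }
        for rel, data in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = build_manifest(root)

        # Simulated tampering: patched binary, dropped library, removed log.
        (root / "bin/httpd").write_bytes(b"\x7fELF patched web daemon (constructed)")
        (root / "usr/lib").mkdir(parents=True)
        (root / "usr/lib/libexample-hook.so").write_bytes(b"\x7fELF constructed implant")
        (root / "var/log/auth.log").unlink()
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(demo_tampered_tree())
```

Two caveats follow from the attack itself. The baseline must be produced and stored off the device, because a manifest kept on a compromised appliance can be regenerated by the attacker. And the comparison must run from a trusted environment, because a user-mode rootkit that hooks open() and read() can hand the hashing process the original bytes while the modified file stays on disk; that is why the update inspects INITRD rather than trusting checks made from inside the running system.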
Immediate Actions for Organizations
Apply the Firmware Update Immediately: Download from SonicWall’s support portal, schedule a maintenance window, and verify successful installation.
Rotate Credentials and Certificates: Reset administrator and user passwords, regenerate SSL/TLS certificates, and rebind all multi-factor authentication tokens.
Preserve Evidence: Capture disk images and network logs before updating to support forensic investigations.
Enhance Monitoring: Deploy SIEM tools, review VPN logs for unusual sessions, and monitor for lateral movement inside the network.
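Reviewing VPN logs for unusual sessions is the step most teams find hardest to make concrete. The script below is an added example written for this article, not a SonicWall tool; its log line format, account names and addresses are constructed, so the parser must be mapped onto the real export format. It looks for the two patterns that matter most after credential theft: a privileged account authenticating from an address never seen before (the attacker holds valid passwords and OTP seeds, so there are no failures to alert on), and one account authenticating from several addresses inside a short window.

```python
"""Added example (not SonicWall's code): a first pass over VPN authentication
logs for the unusual sessions the text asks defenders to review. The log
format, users and addresses below are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: ISO timestamp, event, user, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<event>LOGIN_OK|LOGIN_FAIL|LOGOUT) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log (documentation address ranges, fictional users).
SAMPLE_LOG = """\
2025-09-20T08:02:11Z LOGIN_OK user=alice src=203.0.113.10
2025-09-20T08:05:40Z LOGIN_OK user=admin src=203.0.113.10
2025-09-20T23:14:02Z LOGIN_OK user=admin src=198.51.100.77
2025-09-20T23:14:30Z LOGIN_OK user=alice src=198.51.100.77
2025-09-20T23:20:09Z LOGIN_OK user=alice src=192.0.2.55
2025-09-21T02:41:55Z LOGIN_FAIL user=admin src=192.0.2.55
"""


def parse_log(text):
    """Turn log text into dicts with a datetime 'ts'; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def privileged_logins_from_new_sources(events, privileged_users, known_sources):
    """Successful logins by privileged accounts from addresses not on the
    known list. Only LOGIN_OK counts: with stolen credentials and MFA seeds
    the intruder authenticates cleanly and never produces a failure."""
    return [
        (ev["ts"].isoformat(), ev["user"], ev["src"])
        for ev in events
        if ev["event"] == "LOGIN_OK"
        and ev["user"] in privileged_users
        and ev["src"] not in known_sources
    ]


def rapid_multi_source_logins(events, window=timedelta(minutes=15)):
    """Accounts that authenticated from more than one address within one
    window, a sign that stolen credentials are in use beside the real user.
    Returns {user: sorted list of addresses involved}."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["event"] == "LOGIN_OK":
            by_user[ev["user"]].append(ev)
    findings = {}
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(logins):
            # Addresses used by this account in the window ending at this login.
            srcs = {e["src"] for e in logins[: i + 1] if cur["ts"] - e["ts"] <= window}
            if len(srcs) > 1:
                findings.setdefault(user, set()).update(srcs)
    return {u: sorted(s) for u, s in findings.items()}


def review(text=SAMPLE_LOG, privileged_users=frozenset({"admin"}),
           known_sources=frozenset({"203.0.113.10"})):
    """Run both checks over the log and return the findings."""
    events = parse_log(text)
    return {
        "privileged_new_source": privileged_logins_from_new_sources(
            events, privileged_users, known_sources),
        "multi_source": rapid_multi_source_logins(events),
    }


if __name__ == "__main__":
    print(review())
```

The known-source list should be built from logs captured before the earliest suspected compromise date, not from the current logs, otherwise the attacker's addresses are baselined in as normal. Both checks are also worth re-running after the credential rotation step: any privileged login that still succeeds from an unknown address after every password, certificate and MFA binding has been replaced points to a persistence mechanism that the rotation did not reach.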
End-of-Life Acceleration & Migration Strategy
Due to the severity of the threat, SonicWall has moved the SMA 100 series end-of-life date to October 31, 2025. After this deadline:
All functionality will cease, including VPN and remote access services.
No security updates or technical support will be provided.
Devices will effectively become dead hardware.
Migration Options:
SonicWall Cloud Secure Edge (CSE) – Cloud-native remote access solution.
SMA 1000 Series – Next-generation hardware with extended support through 2030.
Third-Party Solutions – Alternatives such as OpenVPN, Cisco AnyConnect, Palo Alto Prisma Access, or Zscaler Private Access.
Organizations must plan and execute migration before the October deadline to maintain secure remote connectivity.
Industry Implications
The OVERSTEP campaign highlights systemic issues in network infrastructure security:
Detection Blind Spots: Network appliances typically lack endpoint detection coverage.
Firmware Security Gaps: Boot-level modifications evade conventional scans.
Delayed Patch Cycles: Legacy infrastructure creates long-lived attack surfaces.
This attack underscores the need for:
Zero Trust Architecture to limit lateral movement.
Continuous Monitoring with behavioral anomaly detection.
Vendor Accountability for long-term device security and end-of-life transparency.
Conclusion
The SonicWall OVERSTEP rootkit campaign is a watershed moment in network security. It proves that determined threat actors can weaponize end-of-life appliances to gain stealthy, persistent access to enterprise networks—despite patches and traditional defenses.
SonicWall’s rapid firmware release provides a critical stopgap, but organizations must act immediately:
Patch today, even if migration is underway.
Retire legacy hardware before the EOL cutoff.
Invest in long-term infrastructure security to stay ahead of future appliance-level threats.
The lesson is clear: edge devices are no longer just gateways—they are prime targets. Only proactive lifecycle management and automated, AI-driven defenses can keep tomorrow’s infrastructure compromises at bay.
