Urgent Advisory for Addressing Rootkits and Other Critical Vulnerabilities in SonicWall SMA 100 Series Appliances

Applies to: SMA 100 Series Physical and Virtual Appliances (SMA 210, 410, 500v)
Date: July 2025
Severity: Critical (multi-vector) Recommended Firmware Version: 10.2.2.1-90sv or higher
CVE References:

• CVE-2024-38475 (published Dec. 2024; Actively exploited – session hijacking)
• CVE-2025-40599 (No current exploitation – authenticated file upload)
• Identified Threat: OVERSTEP (user-mode rootkit)
• Threat Actor: UNC6148
• Source: Google Threat Intelligence Group (GTIG), including Mandiant
• Reference Advisory: SNWLID-2024-0018

Overview

The Google Threat Intelligence Group (GTIG), including Mandiant, has identified active exploitation campaigns targeting SonicWall SSLVPN SMA 100 Series appliances. These threats involve:

• Exploitation of CVE-2024-38475 (published Dec. 2024), enabling session hijacking
• Deployment of OVERSTEP, a persistent and stealthy user-mode rootkit
• Use of previously stolen administrator credentials and OTP secrets to regain access to patched systems

In addition, CVE-2025-40599, an authenticated arbitrary file upload vulnerability, has been disclosed. While there is currently no evidence of active exploitation, GTIG highlights this as a potential risk, and SonicWall strongly recommends customers take precautionary steps set forth below.

Threat Details

OVERSTEP Rootkit

• Modifies the boot process to maintain access
• Hides files and activity while stealing credentials and OTP secrets
• Removes log entries to evade detection
• Requires a clean system rebuild to ensure full removal

CVE-2024-38475 – Path Traversal & Session Hijack

Status: Actively exploited

• Enables unauthorized access to sensitive session files
• Facilitates hijacking of administrator sessions
• Resolved in firmware version 10.2.1.14-75sv

CVE-2025-40599 – Authenticated File Upload (Potential RCE)

Status: Not exploited as of this advisory

• Exploitation requires administrator privileges
• Allows upload of arbitrary files, which may lead to remote code execution
• Resolved in firmware version 10.2.2.1-90sv

Required Actions

1. Upgrade Firmware Immediately
   Ensure all SMA 100 Series devices are running: Firmware version 10.2.2.1-90sv or later
   This version includes patches for both vulnerabilities and other security improvements. Download the latest firmware at MySonicWall.com.
2. Replace and Rebuild SMA 500v
   For organizations running SMA 500v, SonicWall strongly recommends performing a full replacement and rebuild of the virtual appliance as a precautionary measure, even if no compromise is confirmed. This recommendation is based on the stealthy nature of the OVERSTEP rootkit, the risk of credential and OTP theft, and the possibility that previously compromised appliances may still be vulnerable despite patching.
   

   Steps to Perform a Clean Rebuild:

   • (Optional) Retain a backup of the virtual image only if needed for internal review
   • Power off and delete the current SMA 500v virtual machine, including all attached virtual disks and snapshots
   • Deploy a fresh image:
     • Download the latest clean virtual appliance image from MySonicWall.com
     • Verify the image checksum before deployment
     • Ensure the deployed image is upgraded to firmware version 10.2.2.1-90sv or higher
   • Rebuild configuration manually:
     • Do not reuse old configurations or backups
     • Reset all user and administrator passwords
     • Revoke and reissue any certificates stored on the previous appliance
     • Reset all OTP bindings (see next section)
       This process ensures that any unauthorized changes or persistent threats from earlier intrusions are fully eliminated.
3. Reset OTP Bindings for All Users
   GTIG reports that attackers reused OTP seeds stolen during previous intrusions. To prevent re-access:
   
   • Navigate to: Users|Local Users |[Select User] |Edit |Login Policies
   • Click Clear App Info
   • Users must re-bind their mobile authenticator apps (e.g., Google Authenticator) on next login
4. Apply Hardening Measures
   SonicWall strongly recommends the following practices for all SMA 100 Series deployments:
   
   • Disable remote management access on the X1 (WAN-facing) interface
   • Enforce Multi-Factor Authentication (MFA) for all users
   • Reset all passwords (admin, local, directory users)
   • Enable Web Application Firewall (WAF)
   • Replace any certificates with private keys stored on the appliance
   • Review logs and session histories for unusual access or anomalies

Indicators of Potential Compromise

• Gaps or deletions in SMA logs.
• Unexpected reboot of appliance
• Persistent or unexplained administrator sessions
• Configuration changes made without user authorization
• Reoccurring access following patching or resets.

If any of these signs are present, a full rebuild and credential rotation is necessary. Ensure to continue monitoring for the above indicators of compromise. Implement an external syslog collector to assist in monitoring for these conditions (SMA 100 Series Logging: Storage and Rotation ).

Resources

• GTIG Blog: OVERSTEP Rootkit Campaign
• SonicWall Advisory SNWLID-2024-0018
• Firmware Downloads – MySonicWall
• SMA 100 Administrator Guide

Support and Contact

If you need assistance or observe unusual appliance behavior:

• Contact SonicWall Support
• Provide SMA system logs (if available) and TSR, and a description of observed activity.
  • How to Download TSR