SonicWall has issued an urgent firmware update, version 10.2.2.2-92sv, for its Secure Mobile Access (SMA) 100 series appliances, aiming to detect and remove the persistent OVERSTEP rootkit malware. This update is crucial for users of SMA 210, 410, and 500v devices, as it introduces enhanced file-checking capabilities designed to purge malicious software from compromised systems.
The OVERSTEP rootkit, a sophisticated user-mode malware, enables attackers to maintain persistent access, establish reverse shells, and exfiltrate sensitive data, including credentials, One-Time Password (OTP) seeds, and certificates. This allows attackers to regain access even after firmware updates. The malware was notably deployed on end-of-life (EoL) SonicWall SMA 100 devices, which are approaching their end-of-support date on October 1, 2025.
The initial access vector for OVERSTEP remains unclear, but overlaps have been observed between the activities of the threat actor UNC6148 and incidents involving Abyss ransomware. In previous attacks, threat actors installed web shells on SMA appliances to maintain their foothold despite system updates.
SonicWall has been actively addressing vulnerabilities in its SMA 100 appliances throughout the year. In May 2025, it patched three flaws (CVE-2025-32819, CVE-2025-32820, CVE-2025-32821) that could be chained for remote code execution. Another critical flaw, CVE-2025-40599, was patched in July to prevent authenticated arbitrary file uploads.
Given the active threats and the approaching end-of-support date for the SMA 100 series, organizations are advised to prioritize this update to prevent compromise and data exfiltration. Before upgrading, administrators should review appliance logs for indicators of compromise, reset all credentials, and reinitialize OTP bindings as a precautionary measure.
