SonicWall VPNs Targeted by Active Exploits and Stealthy Backdoors
SonicWall Security Concerns
Exploitations of SonicWall VPNs
Unknown attackers are taking advantage of fully patched, end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. They deploy a sophisticated backdoor and rootkit identified as OVERSTEP, primarily for data theft and extortion, according to Google's Threat Intelligence Group (GTIG). The threat actor, dubbed UNC6148, is believed to be financially motivated.
Image courtesy of Help Net Security
The attack begins with the criminals utilizing compromised local administrator credentials to establish an SSL VPN session on the SonicWall appliance. It is suspected that these credentials may have been obtained through known vulnerabilities such as CVE-2021-20038, CVE-2024-38475, and others. The attackers also potentially exploited a zero-day vulnerability to deploy the OVERSTEP backdoor.
Once inside, they modify the appliance's boot process to maintain persistent access, allowing for the theft of sensitive credentials and concealment of malicious components.
Attack Mechanism
The attack process comprises several key steps:
- Establishing an SSL-VPN session using compromised local administrator credentials.
- Deploying a reverse shell despite firmware restrictions on the SMA 100 series.
- Conducting reconnaissance and modifying network access control policies.
- Installing the OVERSTEP backdoor and clearing system logs to hide tracks.
OVERSTEP's capabilities include hijacking standard API functions, exfiltrating passwords, and implementing usermode rootkit functions, which facilitate selective log deletion.
For organizations using SonicWall devices, immediate analysis for signs of compromise is advised, especially for those vulnerable to known CVEs.
Ransomware Potential
UNC6148's activities encompass data theft and extortion, with potential ransomware implications. An organization targeted in May 2025 had its data leaked on the World Leaks site shortly afterward. The overlap in UNC6148 activity with previous SonicWall exploitations raises concerns about ongoing ransomware threats.
SonicWall has acknowledged these threats and is collaborating with GTIG to enhance customer security. They are also expediting the end-of-support timeline for the SMA 100 series to mitigate risks.
SonicWall Vulnerabilities
SonicWall devices are increasingly appearing in the Cybersecurity and Infrastructure Security Agency's (CISA) catalog of known exploited vulnerabilities. Since early 2025, the number of publicly disclosed vulnerabilities has surged to 20. Four vulnerabilities, including critical command injection issues and deserialization flaws, have been actively exploited.
Attackers can exploit these vulnerabilities to achieve remote code execution as root on an SMA 100 appliance. Rapid7 researchers have stressed the urgency of applying patches to mitigate these risks.
Commonly Exploited Vulnerabilities
Some of the vulnerabilities that have been identified include:
SonicWall has released patches for these vulnerabilities, but the effectiveness of these patches has come into question due to the possibility of prior exploitation.
SonicWall's Response
SonicWall is taking active measures to address the vulnerabilities in their appliances and is working closely with researchers and security teams. They have acknowledged the urgency of transitioning customers to more secure solutions.
The company plans to accelerate the end-of-support date for the SMA 100 series to December 31, 2025, and will provide migration guidance to its Zero Trust solutions.
SonicWall's commitment to security remains a priority, as they aim to support existing users while encouraging upgrades to modern, secure technology.
For further information on SonicWall’s security measures or to explore their services, visit undefined.