bleepingcomputer.com
by Sergiu Gatlan
September 23, 2025
SonicWall has released a firmware update that can help customers remove rootkit malware deployed in attacks targeting SMA 100 series devices.
SonicWall has released a firmware update that can help customers remove rootkit malware deployed in attacks targeting SMA 100 series devices.
"SonicWall SMA 100 10.2.2.2-92sv build has been released with additional file checking, providing the capability to remove known rootkit malware present on the SMA devices," the company said in a Monday advisory.
"SonicWall strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the 10.2.2.2-92sv version."
The update follows a July report from researchers at the Google Threat Intelligence Group (GTIG), who observed a threat actor tracked as UNC6148 deploying OVERSTEP malware on end-of-life (EoL) SonicWall SMA 100 devices that will reach end-of-support next week, on October 1, 2025.
OVERSTEP is a user-mode rootkit that enables attackers to maintain persistent access by using hidden malicious components and establishing a reverse shell on compromised devices. The malware steals sensitive files, including the persist.database and certificate files, providing hackers with access to credentials, OTP seeds, and certificates that further enable persistence.
While the researchers have not determined the goal behind UNC6148's attacks, they did find "noteworthy overlaps" with Abyss-related ransomware incidents.
For instance, in late 2023, Truesec investigated an Abyss ransomware incident in which hackers installed a web shell on an SMA appliance, enabling them to maintain persistence despite firmware updates. In March 2024, InfoGuard AG incident responder Stephan Berger reported a similar SMA device compromise that also resulted in the deployment of Abyss malware.
"The threat intelligence report from Google Threat Intelligence Group (GTIG) highlights potential risk of using older versions of SMA100 firmware," SonicWall added on Monday, urging admins to implement the security measures outlined in this July advisory.
Last week, SonicWall warned customers to reset credentials after their firewall configuration backup files were exposed in brute-force attacks targeting the API service for cloud backup.
In August, the company also dismissed claims that the Akira ransomware gang was hacking Gen 7 firewalls using a potential zero-day exploit, clarifying that the issue was tied to a critical vulnerability (CVE-2024-40766) that was patched in November 2024.
The Australian Cyber Security Center (ACSC) and cybersecurity firm Rapid7 later confirmed that the Akira gang is exploiting this vulnerability to target unpatched SonicWall devices.
cyberscoop.com
By
Matt Kapko
September 17, 2025
SonicWall said it confirmed an attack on its MySonicWall.com platform that exposed customers’ firewall configuration files.
The company confirmed to CyberScoop that an unidentified cybercriminal accessed SonicWall’s customer portal through a series of brute-force attacks.
SonicWall said it confirmed an attack on its MySonicWall.com platform that exposed customers’ firewall configuration files — the latest in a steady stream of security weaknesses impacting the besieged vendor and its customers.
The company’s security teams began investigating suspicious activity and validated the attack “in the past few days,” Bret Fitzgerald, senior director of global communications at SonicWall, told CyberScoop. “Our investigation determined that less than 5% of our firewall install base had backup firewall preference files stored in the cloud for these devices accessed by threat actors.”
While SonicWall customers have been repeatedly bombarded by actively exploited vulnerabilities in SonicWall devices, this attack marks a new pressure point — an attack on a customer-facing system the company controls.
This distinction is significant because it indicates systemic security shortcomings exist throughout SonicWall’s product lines, internal infrastructure and practices.
“Incidents like this underscore the importance of security vendors — not just SonicWall — to hold themselves to the same or higher standards that they expect of their customers,” Mauricio Sanchez, senior director of enterprise security and networking research at Dell’Oro Group, told CyberScoop.
“When the compromise occurs in a vendor-operated system rather than a customer-deployed product, the consequences can be particularly damaging because trust in the vendor’s broader ecosystem is at stake,” he added.
SonicWall acknowledged the potential downstream risk for customers is severe. “While the files contained encrypted passwords, they also included information that could make it easier for attackers to potentially exploit firewalls,” Fitzgerald said.
“This was not a ransomware or similar event for SonicWall, rather this was a series of account-by-account brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors,” he added.
SonicWall did not identify or name those responsible for the attack, adding that it hasn’t seen evidence of any online leaks of the stolen files. The company said it disabled access to the backup feature, took steps across infrastructure and processes to bolster the security of its systems and initiated an investigation with assistance from an incident response and consulting firm.
Sanchez described the breach as a serious issue. “These files often contain detailed network architecture, rules, and policies that could provide attackers with a roadmap to exploit weaknesses more efficiently,” he said. “While resetting credentials is a necessary first step, it does not address the potential long-term risks tied to the information already in adversaries’ hands.”
SonicWall said it has notified law enforcement, impacted customers and partners. Customers can check if impacted serial numbers are listed in their MySonicWall account, and those determined to be at risk are advised to reset credentials, contain, remediate and monitor logs for unusual activity.
Many vendors allow customers to store configuration data in cloud-managed portals, a practice that introduces inherent risks, Sanchez said.
“Vendors must continuously weigh the convenience provided against the potential consequences of compromise, and customers should hold them accountable to strong transparency and remediation practices when incidents occur,” he added.
Organizations using SonicWall firewalls have confronted persistent attack sprees for years, as evidenced by the vendor’s 14 appearances on CISA’s known exploited vulnerabilities catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA, including a recent wave of about 40 Akira ransomware attacks.
Fitzgerald said SonicWall is committed to full transparency and the company will share updates as its investigation continues.
therecord.media - Multiple cybersecurity incident response firms are warning about the possibility that a zero-day vulnerability in some SonicWall devices is allowing ransomware attacks.
Ransomware gangs may be exploiting an unknown vulnerability in SonicWall devices to launch attacks on dozens of organizations.
Multiple incident response companies released warnings over the weekend about threat actors using the Akira ransomware to target SonicWall firewall devices for initial access. Experts at Arctic Wolf first revealed the incidents on Friday.
SonicWall has not responded to repeated requests for comment about the breaches but published a blog post on Monday afternoon confirming that it is aware of the campaign.
The company said Arctic Wolf, Google and Huntress have warned over the last 72 hours that there has been an increase in cyber incidents involving Gen 7 SonicWall firewalls that use the secure sockets layer (SSL) protocol.
“We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible,” the company said.
SonicWall said it is working with researchers, updating customers and will release updated firmware if a new vulnerability is found.
The company echoed the advice of several security firms, telling customers to disable SonicWall VPN services that use the SSL protocol.
At least 20 incidents
Arctic Wolf said on Friday that it has seen multiple intrusions within a short period of time and all of them involved access through SonicWall SSL VPNs.
“While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability,” the company said. None of the incident response companies have specified what that bug might be.
“In some instances, fully patched SonicWall devices were affected following credential rotation,” Arctic Wolf said, referring to the process of regularly resetting logins or other access.
The researchers added that the ransomware activity involving SonicWall VPNs began around July 15.
When pressed on whether any recent known SonicWall vulnerabilities are to blame for the attacks, an Arctic Wolf spokesperson said the researchers have “seen fully patched devices affected in this campaign, leading us to believe that this is tied to a net new zero day vulnerability.”
Arctic Wolf said in its advisory that given the high likelihood of such a bug, organizations “should consider disabling the SonicWall SSL VPN service until a patch is made available and deployed.”
Over the weekend, Arctic Wolf’s assessment was backed up by incident responders at Huntress, who confirmed several incidents involving the SonicWall SSL VPN.
A Huntress official said they have seen around 20 attacks since July 25 and many of the incidents include the abuse of privileged accounts, lateral movement, credential theft and ransomware deployment.
“This is happening at a pace that suggests exploitation, possibly a zero day exploit in Sonicwall. Threat actors have gained control of accounts that even have MFA deployed,” the official said.
He confirmed that the incidents Huntress examined also involved Akira ransomware.
'This isn't isolated'
Huntress released a lengthy threat advisory on Monday warning of a “likely zero-day vulnerability in SonicWall VPNs” that was being used to facilitate ransomware attacks. Like Arctic Wolf, they urged customers to disable the VPN service immediately.
“Over the last few days, the Huntress Security Operations Center (SOC) has been responding to a wave of high-severity incidents originating from SonicWall Secure Mobile Access (SMA) and firewall appliances,” Huntress explained.
“This isn't isolated; we're seeing this alongside our peers at Arctic Wolf, Sophos, and other security firms. The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild.”
SonicWall devices are frequent targets for hackers because the types of appliances the company produces serve as gateways for secure remote access.
Just two weeks ago, Google warned of a campaign targeting end-of-life SonicWall SMA 100 series appliances through a bug tracked as CVE-2024-38475.
In April of 2025, Rapid7 discovered and disclosed three new vulnerabilities affecting SonicWall Secure Mobile Access (“SMA”) 100 series appliances (SMA 200, 210, 400, 410, 500v). These vulnerabilities are tracked as CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821. An attacker with access to an SMA SSLVPN user account can chain these vulnerabilities to make a sensitive system directory writable, elevate their privileges to SMA administrator, and write an executable file to a system directory. This chain results in root-level remote code execution. These vulnerabilities have been fixed in version 10.2.1.15-81sv.
Rapid7 would like to thank the SonicWall security team for quickly responding to our disclosure and going above and beyond over a holiday weekend to get a patch out.
Another day, another edge device being targeted - it’s a typical Thursday!
In today’s blog post, we’re excited to share our previously private analysis of the now exploited in-the-wild N-day vulnerabilities affecting SonicWall’s SMA100 appliance. Over the last few months, our client base has fed us rumours of in-the-wild exploitation of SonicWall systems, and thus, this topic has had our attention for a while.
Specifically, today, we’re going to be analyzing and reproducing:
CVE-2024-38475 - Apache HTTP Pre-Authentication Arbitrary File Read
Discovered by Orange Tsai
Although this is a CVE attached to the Apache HTTP Server, it is important to note that due to how CVEs are now assigned, a seperate CVE will not be assigned for SonicWall's usage of the vulnerable version.
This makes the situation confusing for those responding to CISA's KEV listing - CISA is referring to the two vulnerabilities in combination being used to attack SonicWall devices.
You can see this evidenced in SonicWall's updated PSIRT advisory: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018
CVE-2023-44221 - Post-Authentication Command Injection
Discovered by "Wenjie Zhong (H4lo) Webin lab of DBappSecurity Co., Ltd”
As of the day this research was published, CISA had added these vulnerabilities to the Known Exploited Vulnerabilities list.
Do you know the fun things about these posts? We can copy text from previous posts about edge devices:
Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.
IMPORTANT: SonicWall PSIRT has been notified of possible active exploitation of the referenced vulnerability by threat actors. We strongly advises users of the SMA1000 product to upgrade to the hotfix release version to address the vulnerability.
Please note that SonicWall Firewall and SMA 100 series products are not affected by this vulnerability.
SonicWall is emailing customers urging them to upgrade their firewall's SonicOS firmware to patch an authentication bypass vulnerability in SSL VPN and SSH management that is
Discover Bishop Fox's survey on the current state of SonicWall appliances on the public internet.
Fog and Akira ransomware operators have increased their exploitation efforts of CVE-2024-40766, a critical access control flaw that allows unauthorized access to resources on the SSL VPN feature of SonicWall SonicOS firewalls.
In recent threat activity observed by Arctic Wolf, Akira ransomware affiliates carried out ransomware attacks with an initial access vector involving the compromise of SSLVPN user accounts on SonicWall devices.
Ransomware affiliates exploit a critical security vulnerability in SonicWall SonicOS firewall devices to breach victims' networks.
An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash.
This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.
SonicWall discovered the Apache OFBiz flaw, identifying it as a critical issue enabling unauthenticated remote code execution
Overview This week, the Sonicwall Capture Labs threat research team analyzed a ransomware calling itself Lighter Ransomware. Upon execution, it opens up a window with a countdown timer instructing the victim to reach out immediately […]
Overview The SonicWall Capture Labs threat research team recently observed an interesting variant of StopCrypt ransomware. The ransomware executes its malicious activities by utilizing multi-stage shellcodes before launching a final payload that contains the file […]
Majority of public-facing devices still unpatched against critical vulns from as far back as 2022
Multiple Unauthenticated SQL Injection Issues & Security Filter Bypass – CVE-2023-34133 Title: Multiple Unauthenticated SQL Injection Issues & Security Filter Bypass Risk: 9.8 (Critic…
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SonicWall GMS, SonicWall Analytics enables an authe…
