SonicWall patches critical SMA 100 vulnerability amid warnings of recent malware attack.

SonicWall has released an urgent firmware patch addressing a critical security vulnerability in its Secure Mobile Access (SMA) 100 series appliances. The release follows recent reports of sophisticated malware attacks against these devices, underscoring the need for organizations to secure them promptly.

Critical Vulnerability Details

The vulnerability, identified as CVE-2025-40599 with a CVSS score of 9.1, is an arbitrary file upload flaw in the SMA 100 web management interface. An attacker who already holds administrative credentials can exploit it to achieve remote code execution (RCE). Affected models are the SMA 210, SMA 410, and SMA 500v. Notably, the SMA 1000 series and SonicWall firewall SSL-VPN modules are not impacted.

SonicWall’s patch, integrated into firmware version 10.2.2.1-90sv, mitigates this vulnerability and several others, including buffer overflow and cross-site scripting (XSS) flaws (CVE-2025-40596, CVE-2025-40597, and CVE-2025-40598). These additional vulnerabilities, some exploitable without authentication, have not yet been observed in the wild.

Active Threat Landscape

Google’s threat intelligence highlights a financially motivated threat actor group, UNC6148, actively targeting SMA 100 devices, including fully patched appliances that have reached end of life. The group’s “Overstep” malware manipulates the device boot process to achieve persistence, exfiltrate data, and potentially enable ransomware deployment or cyber extortion.

Attackers reportedly leverage stolen administrator credentials and exploit previously known vulnerabilities (such as CVE-2025-32819 and CVE-2024-38475) to gain unauthorized access. This combination of credential compromise and exploit chains has facilitated widespread infections of SMA appliances.

Recommended Actions for Organizations

To defend against these sophisticated attacks, SonicWall and security experts recommend the following measures:

  • Immediate Firmware Update: Upgrade all SMA 100 series devices to firmware version 10.2.2.1-90sv or later without delay.
  • Credential Management: Reset all administrative passwords, particularly if there is any suspicion of credential exposure.
  • Multi-Factor Authentication (MFA): Enforce MFA for all administrative access points to reduce the risk of unauthorized logins.
  • Malware Detection and Remediation: Conduct thorough inspections for indicators of compromise related to Overstep malware and affiliated threat groups.
  • Virtual Machine (VM) Hygiene for SMA 500v: Back up current configurations, remove potentially compromised VM instances, and redeploy fresh OVA images from SonicWall repositories.
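The first step above is easy to state but tedious to verify across a fleet. The following is an added example, not code from the article or from SonicWall, that triages a constructed appliance inventory against the fixed release named in the text (10.2.2.1-90sv) and the affected model list (SMA 210, SMA 410, SMA 500v; SMA 1000 excluded). The assumed version-string shape, dotted numbers followed by an optional "-NNsv" build suffix, is inferred from the single version on the page; hostnames and other firmware values are made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Fixed firmware release named in the advisory text.
FIXED_VERSION = "10.2.2.1-90sv"

# Models the article lists as affected; the SMA 1000 series is stated as not impacted.
AFFECTED_MODELS = {"SMA 210", "SMA 410", "SMA 500v"}

# Assumed shape: dotted numeric components, optional "-<build>sv" suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+)sv)?$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Parse an SMA 100 firmware string such as '10.2.2.1-90sv'.

    Returns (dotted numeric components, build number). A missing '-NNsv'
    suffix is treated as build 0, so '10.2.2.1' sorts below '10.2.2.1-90sv'.
    Raises ValueError for strings that do not match the assumed shape.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    dotted = tuple(int(part) for part in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return dotted, build


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is at or above the fixed release."""
    v_dotted, v_build = parse_version(version)
    f_dotted, f_build = parse_version(fixed)
    # Zero-pad the shorter tuple so '10.2.2' compares sanely against '10.2.2.1'.
    width = max(len(v_dotted), len(f_dotted))
    v_dotted += (0,) * (width - len(v_dotted))
    f_dotted += (0,) * (width - len(f_dotted))
    return (v_dotted, v_build) >= (f_dotted, f_build)


@dataclass
class Appliance:
    hostname: str
    model: str
    firmware: str


def triage(inventory: List[Appliance]) -> List[Tuple[str, str]]:
    """Return (hostname, finding) pairs for appliances needing attention.

    Findings:
      'upgrade-required'    affected model running firmware below the fixed release
      'unparseable-version' version string could not be interpreted; check by hand
    Patched devices and models the advisory does not cover are omitted.
    """
    findings: List[Tuple[str, str]] = []
    for dev in inventory:
        if dev.model not in AFFECTED_MODELS:
            continue
        try:
            if not is_patched(dev.firmware):
                findings.append((dev.hostname, "upgrade-required"))
        except ValueError:
            findings.append((dev.hostname, "unparseable-version"))
    return findings


# Constructed sample inventory: hostnames and all firmware values other than the
# fixed release are made up for illustration.
SAMPLE_INVENTORY = [
    Appliance("sma-branch-01", "SMA 210", "10.2.1.14-75sv"),
    Appliance("sma-branch-02", "SMA 410", "10.2.2.1-90sv"),
    Appliance("sma-dc-vm-01", "SMA 500v", "10.2.2.1-88sv"),
    Appliance("sma-dc-vm-02", "SMA 500v", "10.2.2.1"),
    Appliance("sma-hq-01", "SMA 1000", "12.0.0"),
    Appliance("sma-lab-01", "SMA 210", "unknown"),
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_INVENTORY):
        print(f"{host}: {finding}")
```

Devices whose version string does not parse are reported rather than silently skipped, since an appliance that cannot state its firmware cleanly is exactly the one to inspect by hand under the malware-detection step.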
