SonicWall rolls out firmware update to remove rootkit malware from SMA 100 devices

 


SonicWall has released a firmware update designed to help customers detect and remove rootkit malware found on its SMA 100 series devices, following targeted attacks by an advanced threat group.

The update, version 10.2.2.2-92sv, introduces enhanced file-checking capabilities that can eliminate known malware components, including the OVERSTEP rootkit. The company urges all users of the SMA 100 series, including SMA 210, 410, and 500v models, to upgrade as soon as possible.

The release comes in response to a July report from the Google Threat Intelligence Group (GTIG), which observed the UNC6148 threat actor deploying OVERSTEP malware on end-of-life SMA 100 devices. These devices are set to reach end-of-support on October 1, 2025.

OVERSTEP is a user-mode rootkit that enables attackers to maintain persistent access, steal sensitive files such as credentials and certificates, and establish a hidden reverse shell. The malware is also linked to broader cybercrime activity, including overlaps with Abyss ransomware incidents investigated throughout 2023 and 2024.

“The threat intelligence report from GTIG highlights the potential risk of using older versions of SMA100 firmware,” SonicWall noted in its advisory.

In recent months, SonicWall has dealt with a series of cybersecurity incidents. In particular, this month SonicWall recommended that users reset credentials after firewall configuration backup files were exposed in brute-force attacks against its cloud backup API. There were also reports that threat actors linked to the Akira ransomware group have ramped up attacks targeting SonicWall devices using CVE-2024-40766.

