SonicWall SMA Devices Compromised by OVERSTEP Rootkit

Overview
In mid-2025, a stealthy, persistent Linux rootkit dubbed OVERSTEP was found on SonicWall SMA 100 series appliances. The SMA 100 line had reached end-of-life (EoL) yet remained widely deployed as a perimeter SSL-VPN, and the infected units included devices that were fully patched.
The activity is attributed to UNC6148, a financially motivated threat actor with forensic ties to ransomware and data extortion operations. The campaign's sophistication, and in particular its ability to persist on patched appliances, shows that keeping outdated infrastructure current is not the same as keeping it defensible.
How It Works
The attackers likely combined stolen credentials with exploitation of known SMA 100 vulnerabilities, including CVE-2021-20038 (an unauthenticated stack-based buffer overflow leading to remote code execution), CVE-2024-38475 (an Apache HTTP Server mod_rewrite flaw that lets a crafted URL map to files on disk) and CVE-2025-32819 (arbitrary file deletion by an authenticated SSL-VPN user). Between them these give an attacker code execution on the appliance, access to files it stores, and the ability to tamper with its state.
Once access was gained, the OVERSTEP payload was deployed. It is a 32-bit user-mode ELF rootkit for Intel x86, built as a shared object so the dynamic loader can map it into other processes, and written specifically for SonicWall's Linux-based firmware.
OVERSTEP persists by adding itself to /etc/ld.so.preload, which makes the dynamic loader inject it into every dynamically linked process that starts, and by tampering with startup scripts such as /etc/rc.d/rc.fwboot so the change survives a reboot. It hides by hooking libc functions such as open, readdir and write (these are userland library calls, not kernel system calls: a preloaded library interposes the wrappers that every program uses), filtering its own files out of directory listings and file reads and suppressing log lines that would record its activity.
It also harvests sensitive data, including user credentials, OTP seeds and device certificates, and stages it in web-accessible paths so the operators can retrieve it remotely. Log entries and shell history are selectively deleted to cover its tracks.
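Because the open and readdir hooks filter exactly the reads an investigator would make, the persistence described above has to be checked from a disk image rather than on the running appliance. The script below, an added example rather than SonicWall or Mandiant tooling, audits a root filesystem that has been extracted from a forensic image and mounted read-only: every non-comment entry in etc/ld.so.preload is reported with the hash of the referenced library, and rc.fwboot is scanned for lines that re-establish a preload hook at boot. The sample tree it builds is constructed for demonstration, and the library name libexample_hook.so is a placeholder, not the real malware's file name.

```python
"""
Offline triage of a SonicWall SMA 100 filesystem image for OVERSTEP-style
persistence (ld.so.preload injection and startup-script tampering).

Added example for this page, not vendor or Mandiant tooling. Assumes the
appliance root filesystem was extracted from a forensic image and mounted
read-only at ROOT. Do not run it on the live appliance: the rootkit's
open/readdir hooks would filter these very reads.
"""
import hashlib
import os
import re
import tempfile

PRELOAD_FILE = "etc/ld.so.preload"
BOOT_SCRIPT = "etc/rc.d/rc.fwboot"

# Heuristic: on a single-purpose appliance, a boot-script line that writes
# ld.so.preload or references a shared object deserves an analyst's attention.
SUSPICIOUS_BOOT_LINE = re.compile(r"ld\.so\.preload|\.so(?:\.\d+)*\b")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _text_lines(path):
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read().splitlines()


def check_preload(root):
    """Every non-comment entry in ld.so.preload is a finding: a stock
    appliance has no reason to preload a library into all processes."""
    findings = []
    preload = os.path.join(root, PRELOAD_FILE)
    if not os.path.isfile(preload):
        return findings
    for entry in _text_lines(preload):
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        lib = os.path.join(root, entry.lstrip("/"))
        present = os.path.isfile(lib)
        findings.append({
            "check": "ld.so.preload",
            "entry": entry,
            "library_present": present,
            # Hash for comparison against vendor firmware and published IoCs.
            "sha256": _sha256(lib) if present else None,
        })
    return findings


def check_boot_script(root):
    """Flag rc.fwboot lines that could re-establish the preload hook on boot."""
    findings = []
    script = os.path.join(root, BOOT_SCRIPT)
    if not os.path.isfile(script):
        return findings
    for lineno, line in enumerate(_text_lines(script), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if SUSPICIOUS_BOOT_LINE.search(stripped):
            findings.append({"check": "rc.fwboot", "line": lineno, "text": stripped})
    return findings


def audit_image(root):
    """Run all checks against a mounted image root; returns a list of findings."""
    return check_preload(root) + check_boot_script(root)


def build_sample_image():
    """Constructed sample tree for demonstration (not real OVERSTEP artefacts);
    libexample_hook.so is a placeholder name, not the malware's file name."""
    root = tempfile.mkdtemp(prefix="sma_image_")
    os.makedirs(os.path.join(root, "etc", "rc.d"))
    os.makedirs(os.path.join(root, "usr", "lib"))
    with open(os.path.join(root, "usr", "lib", "libexample_hook.so"), "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 60)  # placeholder bytes, not a real ELF
    with open(os.path.join(root, PRELOAD_FILE), "w") as fh:
        fh.write("/usr/lib/libexample_hook.so\n")
    with open(os.path.join(root, BOOT_SCRIPT), "w") as fh:
        fh.write("#!/bin/sh\n"
                 "# firmware boot\n"
                 "mount -t proc proc /proc\n"
                 "/etc/rc.d/rc.network start\n"
                 "cp /cf/libexample_hook.so /usr/lib/libexample_hook.so\n"
                 "echo /usr/lib/libexample_hook.so > /etc/ld.so.preload\n")
    return root


if __name__ == "__main__":
    for finding in audit_image(build_sample_image()):
        print(finding)
```

On a real image, point audit_image at the mount point and compare the reported hash against the libraries shipped in the vendor firmware and against the IoC lists published by Google Threat Intelligence; the boot-script heuristic is deliberately broad and is meant to shortlist lines for review, not to judge them.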
Risks and Implications
A compromised SMA 100 device becomes a standing backdoor. Patch level offers no protection once the rootkit is resident: fully updated units were found infected.
Once deployed, OVERSTEP enables long-term credential theft, unauthorized access to internal systems and potential lateral movement. This is not theoretical: credentials stolen this way have been reused in ransomware and extortion campaigns within weeks of the initial compromise.
Because OVERSTEP is injected into every process on the appliance, tools run on the live system go through its hooked open, readdir and write functions and see a clean device. Reliable detection requires acquiring a disk image and examining it offline, where the hooks are not in the path.
Real-World Examples
In one confirmed case, a North American manufacturer’s SMA device was compromised. After credentials were harvested, a ransomware attack followed, linked to the Abyss/VSociety group.
A healthcare provider in Europe discovered credential leaks and unusual VPN behavior. Analysis confirmed OVERSTEP was present, and data was already posted on a dark web forum.
Recommendations
Any SonicWall SMA 100 device should be considered potentially compromised. Even if patched, the architecture does not support the defenses needed to detect or contain a rootkit like OVERSTEP.
Organizations should immediately isolate these devices from their networks, perform forensic imaging, and begin full credential rotation—including passwords, OTP seeds, and certificates that passed through the device.
Long-term, these appliances should be replaced. SonicWall has extended support to December 31, 2025, but that does not address the architectural flaws exposed by this campaign. Upgrading to supported solutions like the SMA 1000 series or Cloud Secure Edge is strongly advised.
Indicators of compromise (IoCs) and more technical details are available from Google Threat Intelligence and Mandiant.
Final Thoughts
OVERSTEP demonstrates how legacy systems—even when patched—can become silent entry points for advanced threats. It’s not enough to maintain software updates; organizations must evaluate whether a system is fundamentally capable of resisting modern persistence mechanisms.
If your perimeter VPN is built on aging infrastructure, you may already be vulnerable. The time to act is now.