SonicWall Issues Emergency Patch to Remove ‘OVERSTEP’ Rootkit Malware on SMA Devices
SonicWall has released an urgent software update for its Secure Mobile Access (SMA) 100 Series appliances to remove a dangerous rootkit known as ‘OVERSTEP.’
This backdoor malware was discovered in older SMA firmware versions and can give attackers persistent access to affected devices.
The new build, version 10.2.2.2-92sv, adds additional file checking to detect and eliminate this hidden threat.
SonicWall first published Advisory SNWLID-2025-0015 on September 22, 2025, and immediately marked it as critical for all users of the SMA 210, SMA 410, and SMA 500v models.
The OVERSTEP rootkit was detailed by the Google Threat Intelligence Group (GTIG) in a blog post highlighting how older SMA firmware could be exploited to install backdoors and steal sensitive data.
Although SonicWall’s advisory does not assign a CVE or CVSS score, the vendor emphasizes that the risk is significant due to the rootkit’s ability to evade normal detection methods.
Organizations running SMA 100 Series devices on version 10.2.1.15-81sv or earlier are urged to take prompt action to avoid potential compromise.
Impact
Devices infected with the OVERSTEP rootkit can maintain unauthorized access even after routine reboots and security scans.
Attackers could use this persistence to steal credentials, intercept internal traffic, or deploy additional malware.
While no public reports confirm widespread exploitation, the combination of stealth and remote control capabilities makes this rootkit a serious threat.
SonicWall’s patch introduces enhanced file integrity checks to identify and remove any OVERSTEP components lingering on the appliance. This update also hardens the SMA system against similar kernel-level threats in the future.
IT teams should assume that any appliance running an unsupported firmware version could already be compromised.
The advisory notes that this issue does not affect the older SMA1000 Series or the SSL-VPN service on standard SonicWall firewalls.
However, mixed environments that include both SMA 100 Series and other SonicWall products may require coordinated updates and verification steps to ensure full protection across the network.
SonicWall strongly recommends that all customers using SMA 100 Series appliances immediately download and install version 10.2.2.2-92sv or later.
Administrators should log into the SMA management console and follow the standard firmware upgrade procedure.
After updating, teams must perform a full file system scan on the appliance to confirm that any traces of the OVERSTEP rootkit have been removed.
In addition to applying the patch, organizations should review their network logs for signs of unauthorized access, especially around the time frame when older firmware was in use.
It is also advisable to rotate any credentials that were stored or processed by the SMA device and to monitor for unusual traffic patterns post-remediation.
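A first triage step for the remediation above is to find which appliances still run a build at or below the vulnerable threshold. The following Python is an added example, not from SonicWall or the advisory; it parses the SMA 100 firmware version format quoted in the article ("10.2.2.2-92sv") and classifies a constructed inventory. Hostnames, the build "10.2.2.3-101sv" and "10.2.1.14-75sv" are made up for illustration.

```python
import re
from typing import NamedTuple

# Builds named in the advisory coverage above: the fixed build and the last vulnerable one.
FIXED_VERSION = "10.2.2.2-92sv"
LAST_VULNERABLE_VERSION = "10.2.1.15-81sv"

# SMA 100 firmware strings look like "10.2.2.2-92sv": dotted release numbers,
# a dash, a build number and the "sv" suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)sv$")


class SmaVersion(NamedTuple):
    release: tuple  # e.g. (10, 2, 2, 2)
    build: int      # e.g. 92


def parse_sma_version(text: str) -> SmaVersion:
    """Parse an SMA 100 firmware string; raise ValueError on anything unexpected."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    return SmaVersion(release, int(m.group(2)))


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is the fixed build or later (release compared first, then build)."""
    return parse_sma_version(version) >= parse_sma_version(fixed)


def triage_inventory(inventory: dict) -> dict:
    """Map each appliance to 'patched', 'needs_update' or 'unknown_version'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "patched" if is_patched(version) else "needs_update"
        except ValueError:
            result[host] = "unknown_version"  # cannot judge; treat as needing review
    return result


# Constructed sample inventory: hostnames and the non-article versions are made up.
SAMPLE_INVENTORY = {
    "sma210-branch-a": "10.2.1.15-81sv",  # last vulnerable build named in the article
    "sma410-hq": "10.2.2.2-92sv",         # the fixed build
    "sma500v-lab": "10.2.1.14-75sv",      # older build (constructed)
    "sma210-branch-b": "10.2.2.3-101sv",  # hypothetical later build
    "sma410-dr": "n/a",                   # inventory gap, not a version string
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:18} {SAMPLE_INVENTORY[host]:16} {status}")
```

A version check only identifies appliances that still need the update; it does not replace the post-upgrade file system scan and log review the advisory calls for, since the article says any device that ran unsupported firmware should be treated as possibly compromised.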
By acting swiftly to install this emergency patch, organizations can ensure that their remote access infrastructure remains secure against the OVERSTEP rootkit threat and maintain the integrity of their internal networks.