Overview
- SonicWall released SMA 100 firmware 10.2.2.2-92sv, which adds a file check designed to identify and remove known rootkit malware from affected devices.
- The same firmware also fixes CVE-2024-38475 and CVE-2025-40599, so the update patches vulnerabilities as well as removing a known rootkit; removal alone would leave the device exploitable and liable to be re-infected.
- Researchers attribute the OVERSTEP user-mode rootkit to UNC6148. It persists across reboots, provides a reverse shell, clears logs to hinder forensic review, and steals persist.database and certificate files, which is why the credential, certificate and authenticator guidance in the next point matters.
- SonicWall urges customers to rebuild or replace compromised appliances, rotate all credentials, replace certificates stored on devices, and require users to re-bind mobile authenticators.
- SonicWall and CISA also warned of brute-force attacks against the cloud backup service for firewall configurations; backed-up configuration data was accessed for fewer than 5% of firewall devices. Separately, ACSC and Rapid7 confirmed Akira ransomware activity exploiting CVE-2024-40766 on unpatched firewalls, a campaign distinct from the SMA 100 rootkit activity.
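A first practical step for the SMA 100 points above is to find every appliance still below the 10.2.2.2-92sv build. The Python below is an added example, not SonicWall's tooling and not code from any of the advisories summarised here. It assumes the version string layout is a dotted release followed by `-<build>sv`, which is inferred from the single string on this page; the hostnames and the other version numbers in the sample inventory are constructed for the example. The point it makes is that a plain string comparison gets SonicWall-style builds wrong (it ranks `-9sv` above `-92sv` and `-100sv` below `-92sv`), so the versions are parsed into numeric tuples before comparing.

```python
import re
from typing import Dict, List, Tuple

# Fixed SMA 100 firmware build named on the page.
FIXED_SMA100_VERSION = "10.2.2.2-92sv"

# Assumed layout: dotted numeric release, then "-<build>sv".
# Only the one string on the page confirms this shape.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)sv$")

Version = Tuple[Tuple[int, ...], int]


def parse_sma_version(text: str) -> Version:
    """Turn '10.2.2.2-92sv' into ((10, 2, 2, 2), 92).

    The release digits and the build number are kept in separate tuple
    positions so a shorter release such as 10.2.2 is never compared
    element-for-element against a build number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA 100 version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    build = int(m.group(2))
    return (release, build)


def is_patched(version: str, fixed: str = FIXED_SMA100_VERSION) -> bool:
    """True when the running build is at or above the fixed build."""
    return parse_sma_version(version) >= parse_sma_version(fixed)


def naive_is_patched(version: str, fixed: str = FIXED_SMA100_VERSION) -> bool:
    """The wrong way: lexicographic string comparison. Kept only to show the failure."""
    return version >= fixed


def triage_inventory(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (hostname, version) pairs still below the fixed build, sorted by hostname."""
    return sorted((host, ver) for host, ver in inventory.items() if not is_patched(ver))


# Constructed inventory: hostnames and the non-page versions are made up.
SAMPLE_INVENTORY = {
    "sma-hq-01": "10.2.2.2-92sv",   # exactly the fixed build
    "sma-hq-02": "10.2.1.15-81sv",  # older release line
    "sma-dc-01": "10.2.2.2-100sv",  # hypothetical newer build; string compare calls it older
    "sma-lab-01": "10.2.2.2-9sv",   # older build; string compare calls it newer
}


if __name__ == "__main__":
    for host, ver in sorted(SAMPLE_INVENTORY.items()):
        print(f"{host:12} {ver:16} patched={is_patched(ver)} naive={naive_is_patched(ver)}")
    print("needs update:", triage_inventory(SAMPLE_INVENTORY))
```

A passing version check only shows the fix is installed. It says nothing about whether the appliance was compromised before the update, which is why the rebuild-or-replace, credential rotation and certificate replacement steps above still apply to any device that ran an exploitable build while exposed.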