On September 22, 2025, SonicWall released firmware version 10.2.2.2-92sv for its Secure Mobile Access (SMA) 100 Series appliances, including SMA 210, 410, and 500v. The release addresses the persistent malware that Google Threat Intelligence Group (GTIG) reported on in July 2025.
Between October 2024 and mid-2025, threat actor UNC6148 exploited end-of-life SonicWall Secure Mobile Access (SMA) 100 Series appliances to deploy a persistent user-mode rootkit known as OVERSTEP. The malware targeted SMA 210, 410, and 500v models, enabling reverse shell access, credential theft, and anti-forensic behavior. It remained active across firmware updates and was linked to ransomware operations.
OVERSTEP modifies the boot process, hides its presence, and steals credentials and one-time password (OTP) secrets. It has been observed maintaining persistence across firmware upgrades and enabling lateral movement within compromised environments. The 10.2.2.2-92sv build introduces file integrity checks and enhanced protections to detect and remove this rootkit, making it the first firmware version capable of removing the persistent malware from affected appliances.
Note that this update does not affect SonicWall SSL VPN SMA1000 series products or SSL-VPN running on SonicWall firewalls.
Analyst insight
This update is critical for organizations using the devices noted above, especially those exposed to the internet or operating legacy infrastructure. Remote access infrastructure is a high-value target, and legacy appliances pose a persistent risk. The campaign demonstrates that firmware updates alone may not be sufficient to remove persistent threats.
SonicWall’s advisory contains a multi-step mitigation plan. First, all SMA 100 Series appliances should be upgraded to firmware version 10.2.2.1-90sv or later. Firmware is available via MySonicWall.com.
For virtual appliances such as SMA 500v, SonicWall recommends a full rebuild, even if compromise is not confirmed. This involves deleting the current virtual machine, deploying a fresh image, verifying checksums, and manually rebuilding configurations. Reusing old backups or configurations is strongly discouraged due to the risk of reinfection.
All administrator, directory and user passwords should be reset. Certificates stored on the appliance should be revoked and reissued. OTP bindings must be cleared for all users to prevent reuse of stolen seeds. This can be done by navigating to the user’s login policies and selecting “Clear App Info,” which forces re-binding of mobile authenticator apps on next login.
Additional hardening measures include disabling remote management access on WAN-facing interfaces, enforcing multi-factor authentication (MFA), enabling the Web Application Firewall (WAF), and implementing external syslog collection for log integrity. Indicators of compromise include missing logs, unexplained reboots, persistent administrator sessions, and unauthorized configuration changes. If any of these signs are present, a full rebuild and credential rotation are required.
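The four indicators listed above are exactly the kind of signal an external syslog collector exists to preserve, since a rootkit with anti-forensic behavior can erase local logs but not copies already shipped off the appliance. The script below is an added example, not code from SonicWall or the advisory, showing how a defender might triage an externally collected log feed for those indicators: time gaps in the feed (missing logs), reboot events without a scheduled reason, administrator sessions that stay open far longer than a policy threshold, and configuration changes from source addresses outside an approved management network. The log layout, hostnames, addresses and thresholds are all constructed assumptions for the example; SonicWall's real log format differs and the regex would need to be adapted to it.

```python
"""Heuristic triage of externally collected syslog from a remote-access appliance.

Added example. The line layout (timestamp host facility: key=value ...) is an
assumption made for this example and is NOT SonicWall's actual log format.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines: one admin session spanning more than a day, a
# multi-hour gap in the feed, an unscheduled reboot, and a config change from
# an address outside the assumed management network (10.0.0.0/8).
SAMPLE_LOG = """\
2025-09-20T08:00:05 sma-gw admin: user=admin src=10.0.0.5 action=login result=success
2025-09-20T08:05:10 sma-gw system: heartbeat
2025-09-20T08:10:10 sma-gw system: heartbeat
2025-09-20T08:15:10 sma-gw system: heartbeat
2025-09-20T11:40:02 sma-gw system: heartbeat
2025-09-20T11:41:30 sma-gw system: reboot reason=unknown
2025-09-20T11:45:00 sma-gw admin: user=admin src=203.0.113.9 action=config_change object=portal
2025-09-21T09:00:00 sma-gw admin: user=admin src=10.0.0.5 action=logout
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: datetime
    host: str
    facility: str
    msg: str
    fields: dict[str, str]


def parse_log(text: str) -> list[Event]:
    """Parse the assumed layout into Event records, sorted by timestamp."""
    events: list[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production collector would count these too
        events.append(Event(
            ts=datetime.fromisoformat(m["ts"]),
            host=m["host"], facility=m["facility"], msg=m["msg"],
            fields=dict(KV_RE.findall(m["msg"])),
        ))
    events.sort(key=lambda e: e.ts)
    return events


def triage(events: list[Event], *,
           max_gap: timedelta = timedelta(minutes=30),
           max_session: timedelta = timedelta(hours=12),
           mgmt_nets: tuple[str, ...] = ("10.0.0.0/8",)) -> list[tuple[str, str]]:
    """Return (indicator, detail) findings for the four indicators in the advisory."""
    findings: list[tuple[str, str]] = []
    allowed = [ipaddress.ip_network(n) for n in mgmt_nets]
    open_sessions: dict[tuple[str, str], datetime] = {}  # (user, src) -> login time

    # Missing logs: the appliance normally emits something every few minutes,
    # so a silent stretch longer than max_gap is worth a look.
    for prev, cur in zip(events, events[1:]):
        gap = cur.ts - prev.ts
        if gap > max_gap:
            findings.append(("missing_logs", f"{gap} gap between {prev.ts} and {cur.ts}"))

    for e in events:
        # Unexplained reboot: any reboot not tagged as scheduled maintenance.
        if "reboot" in e.msg and e.fields.get("reason") != "scheduled":
            findings.append(("unexplained_reboot", f"{e.ts} reason={e.fields.get('reason', '?')}"))
        action = e.fields.get("action")
        user, src = e.fields.get("user", ""), e.fields.get("src", "")
        if action == "login":
            open_sessions[(user, src)] = e.ts
        elif action == "logout":
            # Persistent admin session: login-to-logout longer than max_session.
            start = open_sessions.pop((user, src), None)
            if start is not None and e.ts - start > max_session:
                findings.append(("persistent_admin_session", f"{user}@{src} lasted {e.ts - start}"))
        elif action == "config_change":
            # Unauthorized config change: source outside the management network.
            if src and not any(ipaddress.ip_address(src) in n for n in allowed):
                findings.append(("unauthorized_config_change",
                                 f"{e.ts} {user}@{src} object={e.fields.get('object')}"))

    # Sessions never closed by the end of the feed are also persistent if old enough.
    if events:
        last = events[-1].ts
        for (user, src), start in open_sessions.items():
            if last - start > max_session:
                findings.append(("persistent_admin_session", f"{user}@{src} open since {start}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{indicator:28s} {detail}")
```

Any hit from this kind of triage is a trigger for the advisory's response, not a substitute for it: the finding tells you to rebuild and rotate credentials, and the thresholds should be tuned to the appliance's normal heartbeat interval and the organization's session policy before relying on them.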
Managed Service Providers overseeing SonicWall environments should verify that all client deployments are running the latest firmware version and confirm that credential resets and certificate reissuance have been properly implemented.