SonicWall Hit by Overstep Malware: Critical CVE-2025-40599 Flaw Exploited in Stealth Attacks

A Silent Storm: The New Frontline in Network Security

A new cyber threat has emerged targeting SonicWall SMA 100 series appliances—devices widely used by businesses to secure remote access. The vulnerability, tracked as CVE-2025-40599, carries a critical CVSS score of 9.1 and opens the door to stealthy, persistent attacks. At the center of this digital assault is OVERSTEP, a sophisticated backdoor and rootkit engineered to infiltrate deeply and remain undetected. Behind the campaign is a threat actor identified as UNC6148, already notorious for ransomware-linked attacks and data extortion. This case isn’t just a warning; it’s a wake-up call for every organization using SonicWall hardware.

🔍 The Original Report

SonicWall has patched a major vulnerability (CVE-2025-40599) in its SMA 100 series appliances, which allowed remote attackers with administrative access to upload arbitrary files and possibly execute remote code. This vulnerability affected all versions up to 10.2.1.15-81sv, and users are urged to upgrade to 10.2.2.1-90sv or later.

The exploit is being actively leveraged by a group called UNC6148, which deploys custom malware called OVERSTEP. This malware is highly advanced, combining a backdoor with a user-mode rootkit. It’s engineered to provide long-term access, hide its activities, and enable remote command execution. UNC6148 reportedly stole admin credentials and OTP seeds in earlier breaches, which they reused to reinfiltrate patched systems.

GTIG (Google Threat Intelligence Group) believes the attack may have started via a zero-day RCE vulnerability. In one case from June 2025, UNC6148 compromised a SonicWall device, launched a reverse shell, performed reconnaissance, and eventually deployed the OVERSTEP rootkit. The malware rewrites boot scripts, timestomps system files, and locks critical files with immutability flags to prevent deletion. It also uses command injection through hijacked web log functions to stay active.

Commands like dobackshell (for reverse shell) and dopasswords (to exfiltrate sensitive data) are delivered via normal web traffic, making detection harder. Logs are also tampered with to erase traces of these commands. SonicWall confirmed other victims exist, and the campaign appears linked to past incidents involving Abyss/VSOCIETY ransomware. Despite limited financial attribution, the evidence suggests a long-term data extortion strategy in play.

💬 What Undercode Says:

The SonicWall/OVERSTEP breach exposes a chilling new chapter in the playbook of advanced persistent threats (APTs). While SonicWall has long been a staple in remote access security infrastructure, this incident reveals a systemic blind spot: credential hygiene and trust in administrative-level access.

Firstly, the flaw (CVE-2025-40599) is not just a programming

The real threat, however, lies in OVERSTEP’s capabilities. It doesn’t just infect—it embeds. Its usage of /etc/ld.so.preload, hijacking system calls, injecting malicious code into INITRD, and persisting across reboots through bootloader manipulation shows surgical malware engineering. This isn’t malware crafted in haste—this is months of R&D weaponized for stealth and durability.

From a forensic point of view, it’s even more dangerous. By clearing logs, using timestomping, and removing traces from buffer memory, it prevents digital autopsies. Security teams may not even realize they’ve been compromised until the damage is done and leaked.

Moreover, the involvement of OTP seed theft underscores the urgent need for multi-factor authentication (MFA) hardening. OTPs, once considered safe, are now shown to be persistently vulnerable if seed vaults or devices are breached. Rotating OTP seeds and enforcing device trust policies are no longer optional—they are mission critical.

The biggest red flag is UNC6148’s tactics overlapping with known ransomware operations. We are possibly watching the pre-ransomware phase play out in real-time. The similarities to Abyss ransomware, the appearance of victims on “World Leaks”, and the gap between infiltration and data publication all hint at an extended, monetized threat lifecycle.

And while SonicWall has patched the known flaw, legacy systems, unmonitored VPN sessions, and weak admin controls remain open wounds. Enterprises need to assume breach, audit their logs with alternate methods, and consider rootkit-detection strategies that look outside conventional antivirus telemetry.
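A host-side triage script for the persistence traits the report names (an /etc/ld.so.preload hook, timestomped files, immutable-flagged files), added here as an illustration; it is not code from the report, GTIG or SonicWall, and the one-day skew threshold and function names are our own assumptions.

```python
"""Triage checks for the OVERSTEP persistence traits described in the report."""
import os
import shutil
import subprocess
from datetime import timedelta

LD_PRELOAD_FILE = "/etc/ld.so.preload"  # user-mode rootkit hook point named in the report


def preloaded_libraries(path=LD_PRELOAD_FILE):
    """Return library paths listed in ld.so.preload; on an appliance this should be empty."""
    try:
        with open(path) as fh:
            return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]
    except FileNotFoundError:
        return []


def timestomp_candidates(root, skew=timedelta(days=1)):
    """Flag files whose mtime is much older than ctime.

    Timestomping can rewrite atime/mtime but not ctime (the kernel sets it on
    any metadata change), so a large mtime < ctime gap is a classic tell.
    The one-day skew is an assumed threshold; tune it to the host's baseline.
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if st.st_ctime - st.st_mtime > skew.total_seconds():
                hits.append(full)
    return hits


def immutable_files(root):
    """Return files carrying the ext immutable attribute ('i'), using lsattr if present."""
    if shutil.which("lsattr") is None:
        return []  # not an ext filesystem toolchain; fall back to other checks
    out = subprocess.run(["lsattr", "-R", root], capture_output=True, text=True).stdout
    hits = []
    for line in out.splitlines():
        parts = line.split(None, 1)  # "----i---------e------- /path/file"
        if len(parts) == 2 and "i" in parts[0]:
            hits.append(parts[1])
    return hits
```

Run the three functions against the appliance's root filesystem from a trusted boot medium, since a live rootkit may filter what the on-box tools return.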

In essence, this isn’t a one-off exploit. It’s a blueprint for long-term compromise. OVERSTEP may very well become the new benchmark in stealth malware—and a case study in how trust, once broken, becomes the most dangerous vulnerability of all.

🔍 Fact Checker Results

✅ CVE-2025-40599 is officially acknowledged and patched by SonicWall.

✅ UNC6148’s malware (OVERSTEP) and its rootkit behaviors are confirmed by GTIG and third-party researchers.

✅ OTP seed reuse and credential-based re-entry have been documented across multiple breaches.

📊 Prediction: More Stealth Malware Ahead

We predict OVERSTEP is just the beginning of a new malware generation focused on persistent rootkit deployment within edge appliances and VPN gateways. Expect to see copycat variants targeting Fortinet, WatchGuard, and Cisco devices by early 2026. If trends continue, ransomware operators will adopt these stealth entry techniques for pre-positioning in enterprise environments months before extortion begins. The era of “quiet before the ransom” is here—and it’s just getting louder.

References:

Reported By: securityaffairs.com
