SonicWall Urges Immediate Patch for Critical SMA 100 Vulnerabilities Amid OVERSTEP Malware Threat
July 24, 2025
SonicWall has addressed a critical vulnerability, CVE-2025-40599, in its SMA 100 appliances, which has a CVSS score of 9.1 and allows attackers to upload arbitrary files and potentially execute remote code.
In addition to this critical flaw, SonicWall released patches for three other high-severity vulnerabilities in the SMA 100 series, including issues related to buffer overflow and cross-site scripting, all of which can be exploited remotely without authentication.
Recent alerts from both Sophos and SonicWall highlight critical vulnerabilities in Sophos firewalls and SonicWall Secure Mobile Access (SMA) 100 series devices, which could lead to remote code execution.
The Google Threat Intelligence Group reported that a threat actor known as UNC6148 has been deploying a new rootkit malware called OVERSTEP on these devices, raising concerns about data theft and extortion.
Although there is currently no evidence that the CVE-2025-40599 vulnerability is being actively exploited, SonicWall urges users of SMA 210, 410, and 500v appliances to check for signs of compromise due to related attack campaigns.
SonicWall emphasizes the urgency for organizations to secure their devices in light of the reported attacks by UNC6148, which have involved the deployment of the OVERSTEP malware on SMA 100 appliances.
To mitigate risks, SonicWall recommends that users disable remote management access, reset passwords, enforce multi-factor authentication, and review appliance logs for any anomalies.
Investigations revealed that UNC6148 has been using stolen administrative credentials to compromise SonicWall SMA 100 series appliances, manipulate device settings, and deploy the OVERSTEP rootkit.
The OVERSTEP malware is a sophisticated backdoor that can hijack standard library functions, conceal its presence, and allow remote command execution and data exfiltration.
SonicWall continues to recommend updating the firmware even though there is no current evidence of active exploitation, because recent threat intelligence shows attackers targeting older vulnerabilities in these appliances.
The vulnerabilities addressed also include CVE-2025-6704, an arbitrary file write flaw, and CVE-2025-7624, an SQL injection vulnerability in the legacy SMTP proxy.
Organizations using the SMA 500v should take additional precautions, such as backing up OVA files and configurations, and then redeploying the SMA 500v software obtained from SonicWall.
Summary based on 6 sources
Sources
BleepingComputer • Jul 24, 2025
SonicWall urges admins to patch critical RCE flaw in SMA 100 devices
The Hacker News • Jul 24, 2025
Sophos and SonicWall Patch Critical RCE Flaws Affecting Firewalls and SMA 100 Devices
SecurityWeek • Jul 24, 2025
SonicWall Patches Critical SMA 100 Vulnerability, Warns of Recent Malware Attack
Help Net Security • Jul 24, 2025
Sonicwall fixes critical flaw in SMA appliances, urges customers to check for compromise (CVE-2025-40599)