fromSecurityWeek
1 week agoSonicWall Updates SMA 100 Appliances to Remove Overstep Malware
As part of the attacks, flagged in July by Google's Threat Intelligence Group, a threat actor tracked as UNC6148 infected fully patched SMA appliances with a persistent backdoor and user-mode rootkit that supports credential, session token, and one-time password seed theft. The threat actor likely used local administrator credentials that were stolen in previous attacks, before devices were patched, through the exploitation of known vulnerabilities, such as CVE-2025-32819, CVE-2024-38475, CVE-2021-20035, CVE-2021-20038, and CVE-2021-20039.
Information security