
"As part of the attacks, flagged in July by Google's Threat Intelligence Group, a threat actor tracked as UNC6148 infected fully patched SMA appliances with a persistent backdoor and user-mode rootkit that supports credential, session token, and one-time password seed theft. The threat actor likely used local administrator credentials that were stolen in previous attacks, before devices were patched, through the exploitation of known vulnerabilities, such as CVE-2025-32819, CVE-2024-38475, CVE-2021-20035, CVE-2021-20038, and CVE-2021-20039."
"This week, SonicWall announced the release of SMA 100 software version 10.2.2.2-92sv, which includes 'additional file checking, providing the capability to remove known rootkit malware present on the SMA devices'. All SMA 210, 410, and 500v appliances running 10.2.1.15-81sv and earlier software versions are impacted, SonicWall notes. The company urges all organizations using SMA 100 series appliances to review and implement security steps outlined in its July advisory."
A threat actor tracked as UNC6148 infected fully patched SMA 100 appliances with a persistent backdoor and user-mode rootkit that steals credentials, session tokens, and one-time password seeds. The actor likely used local administrator credentials stolen in earlier attacks, before the devices were patched, through exploitation of known vulnerabilities including CVE-2025-32819 and CVE-2024-38475. Because those credentials were taken before patching, applying the fixes alone does not evict the actor: the stolen administrator credentials, and any OTP seeds taken with them, stay usable until they are reset. Google released IoCs and detection rules in July to aid detection and blocking. SonicWall released SMA 100 software version 10.2.2.2-92sv, which adds additional file checking and the capability to remove known rootkit malware. All SMA 210, 410, and 500v appliances running 10.2.1.15-81sv and earlier are impacted. SonicWall plans to deactivate SMA 100 appliances on October 31, 2025, and recommends migrating to modern remote access solutions.
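The version figures above are the only concrete check a fleet owner can script from this page: which SMA 210/410/500v appliances are still below the 10.2.2.2-92sv build that carries the rootkit file checking. The script below is an added example, not code from SonicWall, Google or SecurityWeek; the inventory records, hostnames and the `triage` function are constructed for the demo. It compares the dotted release and the `-NNsv` build number numerically rather than as strings, because a lexical compare ranks 10.2.1.9 above 10.2.1.15 and would miss an affected device. Note the caveat the article itself implies: being below the fixed build tells you the remediation is not installed, while being on it does not prove the device is clean, since the rootkit was found on fully patched appliances and the July advisory steps (including credential and OTP resets) still apply.

```python
import re

# Figures from this page: the last affected build and the build that adds
# rootkit file checking. Everything else below is an assumption for the demo.
LAST_AFFECTED = "10.2.1.15-81sv"
FIXED = "10.2.2.2-92sv"
AFFECTED_MODELS = {"SMA 210", "SMA 410", "SMA 500v"}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)sv$")


def parse_version(text):
    """Turn '10.2.1.15-81sv' into ((10, 2, 1, 15), 81).

    Components are compared numerically; a plain string comparison would
    rank '10.2.1.9' above '10.2.1.15' and miss an affected device.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (4 - len(release))  # pad so '10.2.1' sorts like '10.2.1.0'
    return release, int(m.group(2))


def needs_upgrade(model, version):
    """True if this appliance is an SMA 100 model running a build below FIXED.

    Only the SMA 210/410/500v models named on the page are in scope; any
    other product string is treated as out of scope for this advisory.
    """
    if model not in AFFECTED_MODELS:
        return False
    return parse_version(version) < parse_version(FIXED)


def triage(inventory):
    """Split an inventory into hosts to upgrade and hosts whose version
    string could not be parsed (those need a manual look, not silence)."""
    upgrade, unparsable = [], []
    for device in inventory:
        try:
            if needs_upgrade(device["model"], device["version"]):
                upgrade.append(device["host"])
        except ValueError:
            unparsable.append(device["host"])
    return {"upgrade": sorted(upgrade), "unparsable": sorted(unparsable)}


# Constructed sample inventory (hypothetical hostnames, not real devices).
INVENTORY = [
    {"host": "sma-dc1", "model": "SMA 410", "version": "10.2.1.15-81sv"},
    {"host": "sma-dc2", "model": "SMA 210", "version": "10.2.1.9-57sv"},
    {"host": "sma-lab", "model": "SMA 500v", "version": "10.2.2.2-92sv"},
    {"host": "sma-old", "model": "SMA 500v", "version": "unknown"},
]

if __name__ == "__main__":
    print(triage(INVENTORY))
```

Feed `triage` whatever your asset inventory exports; anything landing in `unparsable` should be looked at by hand rather than assumed safe.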
Read at SecurityWeek