Google Finds Backdoor in SonicWall SMA Appliances

Updated: July 20, 2025 – Researchers from the Google Threat Intelligence Group (GTIG) have identified a sophisticated custom backdoor, dubbed Overstep, being deployed by the threat actor UNC6148 on SonicWall Secure Mobile Access (SMA) appliances. The campaign targets end-of-life devices that continue to operate at the network edge of countless enterprises worldwide.
Overview of the Threat
SonicWall SMA appliances authenticate and secure remote access for mobile and remote users. Those units that reached end-of-support status no longer receive critical security fixes, leaving them prime targets. GTIG’s analysis reveals UNC6148 leverages stolen or leaked local admin credentials and potentially zero-day vulnerabilities to install Overstep, which evades detection by sanitizing system logs.
Key Findings
- UNC6148 has compromised SMA gateways by abusing exposed credentials or unknown software flaws.
- Overstep backdoor selectively purges authentication and system event logs, hindering forensic investigations.
- Researchers suspect the use of at least one zero-day exploit to establish an unauthorized reverse shell.
- SonicWall released emergency firmware updates on July 18, 2025, addressing three vulnerabilities under investigation.
Possible Exploited Vulnerabilities
While GTIG has not confirmed a specific CVE, the following known issues remain prime suspects:
- CVE-2021-20038 – Unauthenticated RCE via memory corruption.
- CVE-2024-38475 – Path traversal in embedded Apache HTTP Server; exposes SQLite credential stores.
- CVE-2021-20035 – Authenticated remote code execution, previously exploited in April 2025.
- CVE-2021-20039 – Authenticated RCE used for ransomware infections in 2024.
- CVE-2025-32819 – Authenticated file deletion resets default admin passwords.
“Shell access should not be possible by design,” says GTIG. “We have not yet determined how UNC6148 established their reverse shell, suggesting at least one undisclosed zero-day exploit.”
Technical Deep Dive: Overstep Backdoor Capabilities
Overstep is a multi-component rootkit combining userland and kernel modules. Its key features include:
- Stealthy log sanitization: Hooks into syslog and custom audit daemons to erase authentication events.
- Encrypted command-and-control (C2): Uses a proprietary XOR-based stream cipher layered over TLS 1.2 for data exfiltration.
- Modular plugin loader: Supports in-memory injection of additional payloads, such as credential dumpers or lateral-movement tools.
Memory analysis reveals Overstep’s kernel component intercepts execve syscalls, granting attackers persistent root privileges even after reboots.
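The log-sanitization behaviour described above leaves traces of its own: a selectively purged log tends to show unexplained silent stretches and session-closed records whose matching session-opened record is gone. The script below is an added example written for this article, not GTIG's or SonicWall's tooling; it runs two such heuristics over a constructed syslog excerpt (the log format, hostname and usernames are invented for illustration).

```python
"""Tamper heuristics for an exported appliance syslog (added example).

Two checks that selective log wiping tends to trip:
  (a) a silence longer than max_gap between consecutive lines, and
  (b) a "session closed" line with no earlier "session opened" line
      for the same user (the login record was removed).
"""
from datetime import datetime, timedelta
import re

# Constructed sample excerpt; not real SMA output.  A 5-minute cron
# heartbeat makes a 90-minute silence obvious, and the svc_backup logout
# has no matching login.
SAMPLE_LOG = """\
2025-07-19T08:00:00 sma sshd[411]: session opened for user admin from 10.0.0.5
2025-07-19T08:00:05 sma cron[77]: heartbeat
2025-07-19T08:05:05 sma cron[77]: heartbeat
2025-07-19T08:10:05 sma cron[77]: heartbeat
2025-07-19T09:40:05 sma cron[77]: heartbeat
2025-07-19T09:41:00 sma sshd[411]: session closed for user admin
2025-07-19T09:41:30 sma sshd[520]: session closed for user svc_backup
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+)\[(\d+)\]: (.*)$")
OPEN_RE = re.compile(r"session opened for user (\S+)")
CLOSE_RE = re.compile(r"session closed for user (\S+)")


def parse(text):
    """Return (timestamp, program, message) tuples, skipping unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(3), m.group(5)))
    return events


def find_gaps(events, max_gap=timedelta(minutes=15)):
    """(start, end) pairs where consecutive lines are further apart than max_gap."""
    gaps = []
    for (t0, _, _), (t1, _, _) in zip(events, events[1:]):
        if t1 - t0 > max_gap:
            gaps.append((t0, t1))
    return gaps


def find_orphan_logouts(events):
    """Users whose logout record has no preceding login record in the export."""
    open_users = set()
    orphans = []
    for _, _, msg in events:
        m = OPEN_RE.search(msg)
        if m:
            open_users.add(m.group(1))
            continue
        m = CLOSE_RE.search(msg)
        if m:
            user = m.group(1)
            if user in open_users:
                open_users.discard(user)
            else:
                orphans.append(user)
    return orphans


def audit(text):
    """Run both heuristics and return the findings as a dict."""
    events = parse(text)
    return {"gaps": find_gaps(events), "orphan_logouts": find_orphan_logouts(events)}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for start, end in report["gaps"]:
        print(f"log silent from {start} to {end}")
    for user in report["orphan_logouts"]:
        print(f"logout without matching login: {user}")
```

Both checks produce leads, not verdicts: a gap can be a legitimate quiet period and an orphan logout can be a rotated log, so the output is meant to prioritise which disk images and time windows the forensic team examines first. The thresholds and the login/logout patterns are assumptions and need to be adjusted to the actual format of the appliance's exported logs.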
Mitigation and Response Best Practices
In light of these findings, GTIG and SonicWall PSIRT recommend the following immediate actions:
- Isolate all SMA appliances and acquire disk images for offline forensic analysis.
- Deploy the July 18, 2025 SonicWall patches addressing CVE-2024-38475, CVE-2025-32819, and related flaws.
- Reset all administrator and service account credentials post-patch, using FIPS 140-2 compliant password generators.
- Implement network-level EDR solutions to detect anomalous outbound TLS traffic patterns indicative of Overstep C2 channels.
- Engage third-party incident response firms to hunt for IOCs such as custom TLS SNI headers and anomalous syslog sessions.
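Two of the recommendations above, detecting anomalous outbound TLS traffic and hunting for unusual SNI values, can be approximated from ordinary flow telemetry without any implant-specific indicators. The code below is an added example, not code from GTIG, SonicWall or the article: it takes a constructed list of outbound TLS flows from the appliance's management interface (as a NetFlow- or Zeek-style collector might export them), flags SNI values outside an assumed vendor allowlist, and flags destinations contacted at near-constant intervals, the metronomic pattern of an implant checking in rather than bursty user traffic. All hostnames and addresses are invented for illustration.

```python
"""Outbound TLS flow checks for an edge appliance (added example).

Input: (timestamp, dst_ip, tls_sni) tuples.  Assumes the defender keeps an
allowlist of hosts the appliance is expected to contact (update and
licensing endpoints); the names below are placeholders, not real hosts.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed allowlist of legitimate destinations (placeholder names).
KNOWN_SNI = {"updates.example-vendor.test", "license.example-vendor.test"}

# Constructed flow records: one legitimate update check, five regularly
# spaced contacts to an unknown host, one licensing call.
FLOWS = [
    ("2025-07-19T10:00:00", "203.0.113.10", "updates.example-vendor.test"),
    ("2025-07-19T10:00:02", "198.51.100.7", "cdn-sync.example.test"),
    ("2025-07-19T10:05:03", "198.51.100.7", "cdn-sync.example.test"),
    ("2025-07-19T10:10:01", "198.51.100.7", "cdn-sync.example.test"),
    ("2025-07-19T10:15:02", "198.51.100.7", "cdn-sync.example.test"),
    ("2025-07-19T10:20:04", "198.51.100.7", "cdn-sync.example.test"),
    ("2025-07-19T11:30:00", "203.0.113.10", "license.example-vendor.test"),
]


def unknown_sni(flows, allowlist=KNOWN_SNI):
    """SNI values the appliance contacted that are not on the allowlist."""
    return sorted({sni for _, _, sni in flows if sni not in allowlist})


def beacon_candidates(flows, min_flows=4, max_cv=0.1):
    """Destinations contacted at near-constant intervals.

    For each (dst_ip, sni) pair with at least min_flows contacts, compute
    the coefficient of variation (stdev / mean) of the inter-arrival
    times.  A low value means the spacing is almost constant.  Returns a
    dict mapping the pair to its mean interval in seconds.
    """
    by_dst = defaultdict(list)
    for ts, dst, sni in flows:
        by_dst[(dst, sni)].append(datetime.fromisoformat(ts))
    hits = {}
    for key, times in by_dst.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits[key] = round(avg, 1)
    return hits


if __name__ == "__main__":
    for sni in unknown_sni(FLOWS):
        print(f"SNI not on allowlist: {sni}")
    for (dst, sni), interval in beacon_candidates(FLOWS).items():
        print(f"regular check-ins to {dst} ({sni}) every ~{interval}s")
```

The allowlist check is only as good as the inventory behind it, and the beaconing check will miss implants that add heavy jitter or sleep between bursts, so both are triage aids for the hunting engagement rather than a substitute for the disk-image forensics the list above calls for. Lowering min_flows widens the net at the cost of more false positives from legitimate pollers.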
Expert Opinions and Industry Response
“The silent log-wiping mechanism is particularly dangerous,” says Dr. Laura Myers, CTO at SecureOps Labs. “It essentially buys the attacker unlimited dwell time. Organizations must assume compromise and rebuild affected endpoints from known-good images.”
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive mandating U.S. federal agencies to audit all remote access devices for signs of Overstep activity by August 1, 2025.
Future Outlook and Regulatory Implications
This incident underscores the critical risk posed by end-of-life network appliances. Industry experts predict tighter regulatory mandates for lifecycle management and mandatory patching windows. In response, several Fortune 500 companies have announced plans to migrate to cloud-based VPN solutions with built-in automated update pipelines.
Conclusion
The discovery of Overstep by GTIG highlights an urgent need for organizations to retire unsupported appliances, enforce robust credential hygiene, and adopt proactive threat-hunting practices. With sophisticated rootkits erasing their tracks, only rigorous forensics and real-time telemetry can stand between UNC6148 and mass data breaches.