Corporate networks across various sectors are facing targeted attacks leveraging SonicWall Secure Mobile Access (SMA) 100 series appliances, despite vendors no longer supporting these devices. Sophisticated threat actors continue to exploit existing vulnerabilities, heightening risks for organizations that rely on legacy remote access hardware. Efforts to migrate to alternative solutions have grown, but many companies remain dependent on legacy systems due to operational or financial constraints, thus maintaining exposure to active threat campaigns. Reports point to new attack patterns compared to earlier cyber incidents, illustrating a persistent security challenge for aging technology ecosystems.
In previous incidents involving SonicWall devices, attackers often focused on unpatched appliances or active zero-day vulnerabilities, leading to widespread concern within IT security communities. This recent campaign distinguishes itself by targeting fully updated systems and using previously stolen administrative credentials, moving away from solely exploiting unaddressed vulnerabilities. Earlier attacks prompted users to apply security updates and migrate to newer appliances, but current findings reveal that those steps alone might not guarantee safety as threat actors adopt new tactics. This ongoing situation highlights a growing complexity in defending endpoints against advanced persistent threats leveraging legacy hardware for initial access.
What Attack Methods Are Threat Groups Using?
The financially motivated group identified as UNC6148 accesses SonicWall SMA 100 series appliances by leveraging previously obtained administrator credentials. Google’s Threat Intelligence Group reported that these credentials may have been acquired prior to security updates, enabling unauthorized access even after the devices are patched. The attackers reportedly establish VPN sessions and sometimes deploy the OVERSTEP backdoor, facilitating further network intrusion and data theft, according to researchers involved in the investigation.
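The point that matters for defenders in the paragraph above is that a credential copied from an appliance before a fix was applied remains valid after the fix is installed, so patch status alone says nothing about exposure. The following Python script is an added example (not SonicWall, Google or UNC6148-related code) that walks an asset inventory and flags appliances whose administrator passwords were not rotated after the patch date, or that have no second factor on administrative login. The inventory structure, hostnames and dates are constructed for illustration.

```python
"""Added example: flag appliances whose admin credentials predate their last patch.

Not vendor code. The inventory fields (patched_on, admin_rotated_on, mfa_enforced)
are assumptions made for this illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Appliance:
    hostname: str
    patched_on: date          # date the firmware fix was applied
    admin_rotated_on: dict    # admin account -> date its password was last changed
    mfa_enforced: bool        # whether administrative / VPN login requires a second factor


def credentials_at_risk(appliance: Appliance) -> list:
    """Return admin accounts whose password was set on or before the patch date.

    A credential copied from the appliance before the fix stays valid after the
    fix, so patching alone does not close this exposure. Same-day rotation is
    treated as at risk because the order of events within the day is unknown.
    """
    return sorted(
        account
        for account, rotated in appliance.admin_rotated_on.items()
        if rotated <= appliance.patched_on
    )


def assess(appliances: list) -> list:
    """Return (hostname, finding, accounts) tuples for every appliance needing action."""
    findings = []
    for appliance in appliances:
        stale = credentials_at_risk(appliance)
        if stale:
            findings.append((appliance.hostname, "rotate-admin-credentials", stale))
        if not appliance.mfa_enforced:
            findings.append((appliance.hostname, "enforce-mfa", []))
    return findings


# Constructed inventory for demonstration; hostnames, accounts and dates are invented.
INVENTORY = [
    Appliance("sma-hq-1", date(2025, 5, 2),
              {"admin": date(2024, 11, 14), "netops": date(2025, 5, 9)}, False),
    Appliance("sma-branch-1", date(2025, 5, 2), {"admin": date(2025, 5, 2)}, True),
    Appliance("sma-dc-2", date(2025, 5, 2), {"admin": date(2025, 6, 1)}, True),
]

if __name__ == "__main__":
    for hostname, finding, accounts in assess(INVENTORY):
        print(f"{hostname}: {finding} {', '.join(accounts)}".rstrip())
```

Run against a real inventory export, the `rotate-admin-credentials` findings are the appliances where a patch was applied but the pre-patch administrator secret is still accepted; those are the accounts to rotate first, and the audit of their recent VPN and management sessions should start from the patch date, not from today.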
How Are Vulnerabilities and Device Lifecycles Impacting Security?
SonicWall devices, particularly the SMA 100 series, have repeatedly appeared in the Cybersecurity and Infrastructure Security Agency’s catalog of known exploited vulnerabilities. Research data indicates that half of SonicWall’s recent exploited vulnerabilities are associated with this appliance line. In response, SonicWall is accelerating the end-of-support timeline for the SMA 100 and guiding customers toward more secure alternatives, such as Cloud Secure Edge and the SMA 1000 series. However, SonicWall has committed to continuing firmware support for remaining users, noting that updates may become more frequent as part of risk mitigation efforts.
“We understand that not all customers have transitioned yet, and we remain committed to supporting existing SMA 100 deployments with firmware updates throughout the remaining lifecycle,” stated Bret Fitzgerald, senior director of global communications at SonicWall.
What Is the Scope and Technical Detail of These Attacks?
Available forensic data remains limited due to the selective removal of log entries by the adversaries. Investigators suggest that vulnerabilities such as CVE-2021-20038, CVE-2024-38475, and others could have been used by UNC6148 to initially gain access, with malware deployment and ransomware operations likely as end goals. The group’s activity has overlapped with additional reports of SonicWall exploitation, including incidents involving Abyss-branded ransomware. Notably, post-compromise actions include reconnaissance, file manipulation, and the installation of malware for persistent access, as detailed in the Google Threat Intelligence Group’s findings. The actual number of compromised devices and affected organizations has not been disclosed by either Google or SonicWall.
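The selective removal of log entries described above is only effective against logs that exist solely on the appliance. When the appliance forwards its events to a remote collector as they happen, the collector's copy can be compared with the local log after the fact, and the entries that are missing locally, together with their time window and the accounts and source addresses they name, become the starting point of the investigation. The Python below is an added example (not code from the article, Google or SonicWall) that performs that comparison and, for appliances without a collector copy, at least reports unusually long silent intervals in the local log. The line format, accounts and addresses are constructed; real appliance log formats differ.

```python
"""Added example: detect selective log deletion by diffing an appliance's local log
against the copy a remote syslog collector received.

Not vendor code. The line format below ("<ISO timestamp> key=value ...") is a
constructed illustration, not a real appliance log format.
"""
from datetime import datetime, timedelta, timezone


def parse(line: str) -> dict:
    """Split a constructed '<timestamp> k=v k=v' line into a dict with a parsed 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    fields["raw"] = line
    return fields


def missing_locally(collector_lines: list, local_lines: list) -> list:
    """Entries the collector received that no longer exist on the appliance, in collector order."""
    local = set(local_lines)
    return [parse(line) for line in collector_lines if line not in local]


def summarize_tampering(collector_lines: list, local_lines: list) -> dict:
    """Describe what was removed: count, time window, and the accounts/sources named."""
    missing = missing_locally(collector_lines, local_lines)
    if not missing:
        return {"missing": 0, "window": None, "accounts": [], "sources": []}
    stamps = [m["ts"] for m in missing]
    return {
        "missing": len(missing),
        "window": (min(stamps), max(stamps)),
        "accounts": sorted({m.get("user", "?") for m in missing}),
        "sources": sorted({m.get("src", "?") for m in missing}),
    }


def suspicious_gaps(lines: list, max_silence: timedelta = timedelta(minutes=30)) -> list:
    """Intervals between consecutive entries longer than max_silence.

    A weaker signal than a collector diff (quiet hours also produce gaps), but it
    is what remains when the appliance log is the only copy.
    """
    times = sorted(parse(line)["ts"] for line in lines)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_silence]


# Constructed sample: the collector's copy of one morning's events.
COLLECTOR = [
    "2025-07-10T08:00:05Z event=auth_success user=jsmith src=192.0.2.40",
    "2025-07-10T08:41:17Z event=auth_success user=admin src=198.51.100.23",
    "2025-07-10T08:42:02Z event=config_change user=admin src=198.51.100.23",
    "2025-07-10T08:43:55Z event=vpn_session_start user=admin src=198.51.100.23",
    "2025-07-10T09:30:11Z event=auth_success user=mlee src=192.0.2.77",
    "2025-07-10T10:15:40Z event=auth_failure user=admin src=192.0.2.12",
]

# Constructed sample: the appliance's local log after three entries were removed.
LOCAL = [COLLECTOR[0], COLLECTOR[4], COLLECTOR[5]]

if __name__ == "__main__":
    report = summarize_tampering(COLLECTOR, LOCAL)
    print(f"{report['missing']} entries missing locally between {report['window'][0]} and {report['window'][1]}")
    print(f"accounts: {report['accounts']}  sources: {report['sources']}")
    for start, end in suspicious_gaps(LOCAL):
        print(f"local log silent from {start} to {end}")
```

The diff is exact-match on the raw line, so the collector must receive the same text the appliance stores; where a collector rewrites or re-timestamps events, compare on a normalised tuple of timestamp, event type, user and source instead. The gap heuristic needs a threshold tuned to the appliance's normal activity, since a weekend night will otherwise look like tampering.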
Objective risk assessment continues to be essential for organizations facing threats from persistent adversaries targeting outdated network appliances. Even as software and firmware patching reduce the risk of exploitation, attackers’ use of previously stolen credentials illustrates the importance of broader mitigation strategies, such as migrating to modern, actively supported platforms and implementing robust credential management practices. For businesses utilizing legacy SonicWall hardware, reviewing current asset inventories and accelerating migration timelines can reduce long-term exposure. The challenges surrounding legacy network security devices reaffirm the need for proactive lifecycle planning and continuous monitoring in the ongoing fight against sophisticated cyber threats.