Urgent: 3,894 SonicWall SSL VPNs Vulnerable to OVERSTEP and MFA Bypass
Researchers at Criminal IP report 3,894 Internet-exposed SonicWall SMA SSL VPN devices still open to abuse linked to CVE-2024-40766 (an improper access control flaw in SonicWall's SonicOS SSL VPN) and OVERSTEP, a user-mode rootkit and backdoor found on end-of-life SMA 100-series appliances. Activity attributed to UNC6148 and the Akira ransomware group shows attackers reusing passwords and OTP seeds exfiltrated during earlier compromises to pass MFA and regain access after devices are patched: patching closes the entry vector but does not invalidate credentials that were already copied off the box. The United States accounts for roughly 28.5% of the exposed footprint (1,111 instances), followed by Germany (464) and China (199), placing public-sector and industrial networks at risk. Because the SMA sits at the perimeter, a compromised appliance gives attackers credential theft, lateral movement and data exfiltration at scale. SonicWall has shipped removal firmware and guidance, but organizations must treat every password and OTP seed that lived on an affected device as compromised. This is a systemic exposure problem combining device persistence (the rootkit), identity replay (stolen OTP seeds) and lingering attack surface (unpatched devices).
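To make the MFA-bypass point concrete, the following added example (written for this page, not code from Criminal IP, SonicWall or the OVERSTEP samples) implements standard RFC 6238 TOTP and a stand-in per-user seed table, then walks the incident pattern: an attacker who copied a user's seed produces valid codes after a password reset, and only re-seeding revokes the stolen factor. The `OtpStore` class, the `alice` account and the seed value are constructed for illustration and do not reflect SonicWall's real storage format.

```python
"""Why password resets alone don't close an OTP-seed leak: a stolen TOTP seed keeps
producing valid codes until the seed itself is rotated (added example, not vendor code)."""
import base64
import hashlib
import hmac
import secrets
import struct

TIME_STEP = 30   # seconds per TOTP window (RFC 6238 default)
DIGITS = 6
DRIFT = 1        # accept codes from +/- one window, as most VPN appliances do


def totp(seed_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for a base32 seed at the given Unix time."""
    seed = seed_b32.strip().upper()
    key = base64.b32decode(seed + "=" * (-len(seed) % 8))
    counter = struct.pack(">Q", unix_time // TIME_STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # RFC 4226 dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class OtpStore:
    """Hypothetical per-user seed table of an SSL VPN appliance: the data an attacker
    with a foothold on the device copies out. Not SonicWall's real storage format."""

    def __init__(self) -> None:
        self._seeds: dict[str, str] = {}

    def enroll(self, user: str, seed_b32: str) -> None:
        self._seeds[user] = seed_b32

    def reseed(self, user: str) -> str:
        """Issue a fresh random seed; the old one stops validating immediately."""
        new_seed = base64.b32encode(secrets.token_bytes(20)).decode()
        self._seeds[user] = new_seed
        return new_seed

    def verify(self, user: str, code: str, now: int) -> bool:
        seed = self._seeds.get(user)
        if seed is None:
            return False
        for step in range(-DRIFT, DRIFT + 1):
            if hmac.compare_digest(totp(seed, now + step * TIME_STEP), code):
                return True
        return False


def replay_scenario(now: int) -> dict[str, bool]:
    """Attacker copied the seed; victim reset the password only; then victim re-seeded."""
    store = OtpStore()
    stolen_seed = "JBSWY3DPEHPK3PXP"   # constructed example seed, not from any real device
    store.enroll("alice", stolen_seed)

    # A password reset never touches the seed table, so the attacker's code still passes.
    attacker_code = totp(stolen_seed, now)
    after_password_reset = store.verify("alice", attacker_code, now)

    # Re-seeding is what actually revokes the stolen factor.
    new_seed = store.reseed("alice")
    old_seed_after_reseed = store.verify("alice", totp(stolen_seed, now), now)
    new_seed_after_reseed = store.verify("alice", totp(new_seed, now), now)

    return {
        "stolen_seed_valid_after_password_reset": after_password_reset,
        "stolen_seed_valid_after_reseed": old_seed_after_reseed,
        "new_seed_valid_after_reseed": new_seed_after_reseed,
    }


if __name__ == "__main__":
    import time
    print(replay_scenario(int(time.time())))
```

The `totp` function can be checked against the RFC 4226/6238 test vector (ASCII key `12345678901234567890`, counter 1, code `287082`), which is a quick way to confirm a home-grown verifier matches what the user's authenticator app computes.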
CORTEX Protocol Intelligence Assessment
Business Impact: High likelihood of perimeter compromise leading to enterprise-wide ransomware, data theft and operational disruption.
Technical Context: OVERSTEP, a user-mode rootkit and backdoor on SMA 100-series appliances, modifies the appliance boot process to survive reboots and hides its own files; reuse of exfiltrated OTP seeds lets attackers pass MFA, the same pattern seen in CVE-2024-40766 incidents.
Strategic Intelligence Guidance
- Reset every VPN account password and re-seed OTP for every user; invalidate the old seeds and terminate existing sessions, since a password reset alone leaves stolen seeds usable.
- Apply SonicWall's OVERSTEP removal firmware and the latest SMA updates immediately.
- Constrain SSL VPN exposure (source IP allowlists, geo controls), keep the management interface off the Internet and enforce device posture checks.
- Threat hunt on SMA devices for persistence (modified boot scripts, unexpected files), credential replay (one account passing MFA from multiple source addresses in a short window) and admin logins from unexpected addresses or hours.
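The hunting step above is the one most teams under-specify, so here is an added example (not code from the page, Criminal IP or SonicWall) showing two of the checks as detection logic over sample log lines. The log lines and their `key=value` layout are constructed for this example; SonicWall's real syslog schema differs and must be mapped into the `user`, `src`, `result` and `event` fields first. The trusted management range `10.0.0.0/8` is likewise an assumed value.

```python
"""Hunting for credential replay and off-network admin logins in VPN appliance logs
(added example with a constructed log format, not a vendor schema)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines: alice passes MFA from two unrelated addresses three
# minutes apart (the signature of a replayed password + OTP seed), and an admin
# login arrives from one of those addresses on the management interface.
SAMPLE_LOG = """\
2025-10-14T02:11:05Z vpn-login user=alice src=203.0.113.10 result=success mfa=otp
2025-10-14T02:14:40Z vpn-login user=alice src=198.51.100.77 result=success mfa=otp
2025-10-14T03:02:51Z admin-login user=admin src=198.51.100.77 result=success iface=mgmt
2025-10-14T04:00:00Z vpn-login user=carol src=192.0.2.44 result=failure mfa=otp
2025-10-14T08:30:12Z vpn-login user=bob src=203.0.113.20 result=success mfa=otp
2025-10-14T08:31:00Z vpn-login user=bob src=203.0.113.20 result=success mfa=otp
2025-10-14T09:15:00Z admin-login user=admin src=10.0.0.5 result=success iface=mgmt
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+(?P<kv>.*)$")


def parse_log(text: str) -> list[dict]:
    """Turn each line into a dict with a parsed timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        fields = dict(pair.split("=", 1) for pair in m["kv"].split() if "=" in pair)
        fields["ts"] = ts
        fields["event"] = m["event"]
        events.append(fields)
    return events


def credential_replay(events: list[dict], window: timedelta = timedelta(minutes=10)) -> list[tuple]:
    """One account passing MFA from two different source addresses inside the window.
    Each login looks legitimate on its own (valid password, valid OTP), so the tell is
    the pair of successes from unrelated sources, not either success by itself."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "vpn-login" and e.get("result") == "success":
            by_user[e["user"]].append(e)
    hits = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for i, first in enumerate(logins):
            for later in logins[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                if later["src"] != first["src"]:
                    hits.append((user, first["src"], later["src"]))
    return hits


def offnet_admin_logins(events: list[dict], trusted_nets: list[str]) -> list[tuple]:
    """Successful management-interface logins from outside the trusted ranges."""
    nets = [ip_network(n) for n in trusted_nets]
    return [
        (e["user"], e["src"], e["ts"].isoformat())
        for e in events
        if e["event"] == "admin-login" and e.get("result") == "success"
        and not any(ip_address(e["src"]) in n for n in nets)
    ]


def hunt(text: str, trusted_nets: tuple[str, ...] = ("10.0.0.0/8",)) -> dict:
    """Run both checks over a log export and return the findings by category."""
    events = parse_log(text)
    return {
        "credential_replay": credential_replay(events),
        "offnet_admin": offnet_admin_logins(events, list(trusted_nets)),
    }


if __name__ == "__main__":
    for finding, rows in hunt(SAMPLE_LOG).items():
        print(finding, rows)
```

Run against a real export, the replay check should be tuned with a known-good source list (corporate NAT ranges, mobile carrier blocks) to keep roaming users from drowning the true positives, and the admin check should be extended with the allowlist the device actually enforces after step three above.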
CVEs: CVE-2024-40766
Vendors: SonicWall
Threats: OVERSTEP, UNC6148, Akira ransomware
Targets: SMA SSL VPN deployments, led by the United States (1,111), Germany (464) and China (199)
Impact: 3,894 Internet-exposed devices
Intelligence Source: Urgent: 3,894 SonicWall SSL VPNs Vulnerable to OVERSTEP and MFA Bypass | Oct 15, 2025