A newly identified intrusion campaign targets SonicWall Secure Mobile Access (SMA) appliances, devices that sit at the edge of enterprise networks to control remote and mobile access. The appliances involved are end-of-life and no longer receive regular stability or security updates, which has left many organizations still relying on them exposed to risk. Google’s Threat Intelligence Group (GTIG) tracks the attackers as UNC6148, its designation for the as-yet-unidentified threat actor behind the operation. The newly published findings stress that organizations with SMA deployments should proactively analyze their environments to detect compromise, and they emphasize the importance of forensic disk imaging to counteract the anti-forensic techniques used by the attackers. The researchers also note that in some cases it may be necessary to engage with SonicWall directly to capture disk images from physical appliances for proper analysis.
Context and significance of the SonicWall SMA target
Enterprise networks increasingly rely on edge devices to manage and secure remote and mobile access, but the ecosystem contains a subset of devices that have reached the end of their formal support lifecycle. When vendors stop providing updates, the risk profile shifts dramatically: known vulnerabilities remain unpatched, new attack vectors may go unaddressed, and attackers can exploit gaps that would otherwise be mitigated by ongoing security updates. In this context, SMA appliances—designed to facilitate secure access for mobile devices and remote users—present a particularly attractive target for sophisticated intruders seeking persistent footholds at a network’s perimeter. The combination of high value to defenders and limited ongoing protection creates an ideal environment for a stealthy operation to unfold. The UNC6148 operation against SonicWall SMA devices underscores these dynamics, illustrating how aging infrastructure continues to be weaponized in active campaigns even as organizations struggle to modernize their asset bases.
The Google Threat Intelligence Group’s analysis highlights several practical implications for organizations relying on older SMA appliances. First, it demonstrates the need for rigorous asset inventory and risk assessment around devices approaching or past the end of life. Second, it calls for proactive threat hunting and forensics to identify and remediate compromises before attackers can widen their foothold within the network. Third, it stresses the potential value of working with hardware vendors or incident response teams to obtain disk images or other forensic artifacts that may be necessary to reconstruct an attacker’s path and to validate containment measures. Taken together, these points emphasize a broader strategy: aging devices must be managed with heightened security discipline, including thorough forensic readiness and a clear plan for migration or decommissioning.
GTIG’s operational guidance for organizations housing SMA appliances is explicit and actionable. They recommend that affected entities perform a comprehensive analysis to determine whether compromise has occurred, using forensic disk images to avoid interference from rootkit anti-forensic measures. The group suggests engaging with SonicWall to capture disk images from physical appliances, which can be crucial for reconstructing events and identifying indicators of compromise. This emphasis on forensics reflects a broader trend in modern incident response: when sophisticated backdoors incorporate anti-forensic capabilities, preserving a pristine, untainted data state becomes essential for accurate detection and attribution. The guidance is framed as urgent, given the stealth characteristics described in the report and the potential implications for enterprise security if such compromises remain undetected.
The investigation by GTIG, which includes members from Google’s Mandiant division, acknowledges that many critical details about the UNC6148 operation remain unknown. This opacity is, in part, due to how the Overstep backdoor behaves after initial compromise. Overstep is the name given to the custom backdoor that UNC6148 installs on compromised SMA appliances, and it is this malware that enables selective log deletion. The removal or alteration of log entries can significantly hinder investigators by erasing the trail of evidence that would normally reveal an attacker’s actions, making it markedly harder to determine how the breach occurred, what was accessed, and what subsequent steps the attacker performed. This anti-forensic capability is central to the difficulty in documenting the full scope and impact of UNC6148’s intrusions, and it raises the stakes for defenders who must rely on alternative telemetry and external sources to piece together the intrusion timeline.
In the Wednesday report, GTIG also speculated that UNC6148 could be operating with a zero-day vulnerability—an exploit for a vulnerability that is not publicly known at the time of discovery. A zero-day capability would substantially complicate the defense landscape because it would mean that existing signatures and patches would not be adequate to detect or prevent the initial compromise. The report reflects a cautious stance: while there is speculation about zero-days, the researchers cautioned that there is no definitive confirmation of a zero-day exploitation in the observed activity. Nevertheless, the possibility of a zero-day is taken seriously because it would explain why credentials, rather than a known vulnerability, might have opened the door to access in some instances.
Within the discussion of possible vulnerabilities that UNC6148 could be exploiting, the GTIG report offered several candidates that align with the observed capabilities and the context of SMA appliances. Notably, CVEs listed include issues across code execution, path traversal, and post-authentication attack vectors. The report enumerates several vulnerabilities that could, in theory, facilitate an attacker’s progression from initial access to full control of a device, enabling the deployment of Overstep and subsequent manipulation of logged data. While GTIG underscores that these CVEs are not definitively proven in this particular campaign, they represent plausible conduits for compromise given the types of flaws commonly found in network appliances and the historical exploitation trends observed in the wild.
The broader takeaway from this section is that UNC6148’s operation is complex and multi-faceted, with multiple potential pathways to compromise. The precise chain of events—how credentials were obtained, which specific vulnerabilities were exploited, and what actions the attackers took after gaining control—remains partially opaque. The absence of full transparency is a direct consequence of the attackers’ anti-forensic techniques and the design of the Overstep backdoor, which can obscure essential forensic breadcrumbs. Nonetheless, the GTIG report provides a structured framework for defenders to begin their investigations, focusing on credential integrity, configuration integrity, and traces of any log deletions or suspicious modifications that could indicate the use of a backdoor like Overstep.
The Overstep backdoor, anti-forensics, and the reverse shell
The Overstep backdoor is central to UNC6148’s operational model, acting as the instrument that establishes persistence and enables attackers to command and control a compromised SMA appliance. One of the most significant capabilities attributed to Overstep is its anti-forensic function: the ability to selectively remove log entries. By erasing or hiding indicators of compromise, the malware substantially impedes traditional forensic investigations, which typically rely on a complete, unaltered record of system events. This capability makes it more challenging for defenders to reconstruct the intrusion, identify the extent of data access, and determine the attacker’s ultimate objectives. The presence of such anti-forensic techniques is a hallmark of a highly capable threat actor and signals a heightened need for meticulous defensive measures, including off-device logging, secure replication of logs, and robust integrity controls that can withstand tampering attempts.
In addition to anti-forensic log manipulation, GTIG’s Wednesday report notes that Overstep enables a reverse shell with a web interface for executing commands and continuing the deployment of the backdoor’s capabilities on the target device. A reverse shell provides an attacker with an interactive, remote command-line session from the compromised appliance back to the attacker’s infrastructure, effectively turning the device into a foothold for further exploration or exploitation. The existence of a web-based command interface adds a layer of convenience and immediacy for attackers, improving their ability to issue commands and manage the compromised appliance without needing direct physical access. The combination of a reverse shell and a web-facing command interface can significantly accelerate an attacker’s ability to pivot within a network and to deploy additional payloads, such as Overstep modules or other tools that facilitate data exfiltration or lateral movement.
Crucially, the report underscores that shell access on these appliances should not be possible by design. Mandiant’s joint investigation with SonicWall’s Product Security Incident Response Team (PSIRT) did not identify a definitive method by which UNC6148 established this reverse shell. The researchers acknowledge that it is plausible the reverse shell was created through exploitation of an unknown vulnerability, which would amount to a zero-day. This uncertainty highlights the evolving nature of the UNC6148 campaign and emphasizes the need for continued monitoring and research to identify any undisclosed exploitation paths. The fact that shell access was achieved suggests either hidden credentials, a previously undocumented weakness, or a chain of compromised steps that allowed attackers to bypass default security constraints and gain elevated, persistent access to the SMA appliance. In any scenario, the existence of such a capability underscores the importance of defensive measures that can detect unusual remote access patterns, enforce strict authentication, and minimize exposure of management interfaces to potential adversaries.
Finally, the GTIG report reflects that the attackers’ ultimate motivations and the actions they take after Overstep is installed remain to be fully uncovered. The lack of clarity regarding goals complicates the effort to determine whether the campaign is primarily focused on data exfiltration, credential harvesting, deliberate disruption, or the establishment of a durable presence for later use. The uncertainty surrounding attacker objectives also makes it harder for defenders to tailor their response priorities, since the risk profile depends on whether an intrusion is aimed at persistent access, destructive activity, or opportunistic activity within a compromised network. But one aspect remains clear: the combination of Overstep’s anti-forensic capabilities, the presence of a reverse shell with a web interface, and the targeting of end-of-life SMA appliances collectively signals a high-stakes intrusion scenario that warrants immediate attention, thorough investigation, and proactive remediation.
Vulnerability paths and the potential zero-day question
A core element of GTIG’s analysis revolves around how UNC6148 could have advanced from initial access to full control of a SonicWall SMA appliance, particularly given the presence of log erasure capabilities and a reverse shell. The researchers propose several plausible avenues, acknowledging that the exact mechanism may involve multiple factors or a yet-undisclosed vulnerability. In one scenario, CVE-2024-38475—a path traversal vulnerability in the Apache HTTP Server that ships with SMA 100 devices—could be exploited to extract two separate SQLite databases. Those databases store user account credentials, session tokens, and seed values used to generate one-time passwords, and access to these data stores would give attackers substantial leverage for persistence and impersonation. The ability to retrieve credentials and tokens through a path traversal exploit would significantly simplify subsequent steps such as privilege escalation and maintaining access. This particular CVE, if exploited in the observed environment, would be highly valuable to UNC6148, providing a route to legitimate credentials that could be leveraged to facilitate lateral movement and deeper compromise.
Another distinctive vulnerability discussed in the report is CVE-2021-20038, a memory corruption-based flaw that enables unauthenticated remote code execution. An attacker could exploit this weakness without needing valid credentials to execute arbitrary code on the device, potentially installing Overstep and establishing persistence in a relatively straightforward manner. The convenience and severity of an unauthenticated remote code execution vulnerability make it extremely attractive to threat actors, especially when combined with a backdoor mechanism that can reset or tamper with log files to obscure traces of activity. If an attacker can exploit a vulnerability of this nature, the path to compromise becomes shorter and more direct, increasing the likelihood of a successful intrusion and reducing the chance that defenders will detect the attacker before actions are completed.
CVE-2021-20035 and CVE-2021-20039, both authenticated remote code execution vulnerabilities, are noted by security researchers as prior examples of exploits observed in real-world campaigns. In particular, Arctic Wolf and SonicWall reported that CVE-2021-20035 was under active exploitation in April, which suggests that attackers could leverage existing, known exploit chains to gain privileged access after initial login. The presence of authenticated remote code execution vulnerabilities in the attack surface raises the stakes for defenders: if an attacker already has valid credentials, RCE could be performed with fewer obstacles, accelerating the trajectory toward full control of the appliance. Reports of CVE-2021-20039 being exploited to install ransomware in 2024 further illustrate the risk posed by authenticated exploits, even if the broader campaign details differ from older incidents. The overlap in exploitation activity across multiple CVEs underscores the persistent risk associated with vulnerabilities in network appliances and the potential value of a diverse arsenal of attack methods for UNC6148.
CVE-2025-32819 stands out as a different class of vulnerability: an authenticated file deletion flaw that could be exploited to revert built-in administrator credentials to a known password. If an attacker can trigger this vulnerability, they could regain administrator access even after credential changes or resets, providing a reliable method to recover primary control over the device. Such a vulnerability highlights how attacker capabilities can extend beyond initial compromise and exfiltration to direct manipulation of administrator privileges, making the threat model more perilous for defenders who rely on standard password rotation or device hardening measures. The combination of a vulnerability that allows credential reassignment with a backdoor that can delete logs and establish a reverse shell creates a feedback loop in which attackers establish and maintain long-term control, while simultaneously erasing traces that could help defenders understand the intrusion.
Beyond these specific CVEs, GTIG emphasizes that UNC6148 could exploit multiple divergent paths for compromise, including leveraging credentials obtained through infostealer logs or credential marketplaces. The researchers acknowledge that their investigation did not uncover direct evidence of credential exposure tied to the abused SMA appliances, but they do not discount the possibility that attackers obtained credentials through compromised sources outside the device itself. The potential involvement of credential theft mechanisms raises concerns about supply-chain and credential hygiene, highlighting the need for organizations to monitor for credential reuse across services, enforce least-privilege access, and implement robust credential theft detection where feasible. The possibility of multiple exploitation routes—some known, some potentially undisclosed—illustrates the complexity of UNC6148’s techniques and points to the necessity of comprehensive monitoring across the environment rather than focusing solely on a single vulnerability narrative.
The GTIG team also notes that the specific method by which UNC6148 installed a reverse shell remains unknown. The lack of clarity about how shell access was established reinforces the possibility that an undisclosed vulnerability or a combination of credential misuse and misconfiguration played a role. The joint investigation by Mandiant and SonicWall PSIRT did not confirm a known exploitation path, leaving open the hypothesis that some vulnerability remains concealed or that attackers used a novel approach to bypass protections. The reverse shell’s web interface raises additional concerns because it could enable attackers to manage compromised devices more efficiently and to deploy further tools. The uncertainties surrounding these elements emphasize the need for ongoing forensic work, threat intelligence collaboration, and rapid sharing of indicators of compromise to help other organizations detect and mitigate similar intrusions.
In sum, while the precise chain of exploitation remains to be fully delineated, the vulnerability landscape described by GTIG presents a plausible constellation of attack vectors that UNC6148 could have exploited to achieve initial access, escalate privileges, deploy Overstep, and erase forensic breadcrumbs. The potential involvement of CVEs spanning unauthenticated and authenticated remote code execution, path traversal, memory corruption, and post-authorization privilege manipulation creates a diverse and high-stakes risk surface for SonicWall SMA appliances, especially those that are no longer actively supported. Defenders must interpret these possibilities as a spectrum of risk rather than a single, linear sequence of events and should incorporate a multi-faceted defensive approach that includes vulnerability management, credential hygiene, robust logging, and rapid incident response.
Forensic indicators, detections, and incident-response considerations
The report from GTIG provides technical indicators and guidance to help organizations identify potential compromises involving UNC6148 and the Overstep backdoor. Although the precise indicators of compromise (IoCs) may evolve as the threat landscape shifts, several themes emerge that organizations can use to guide their detections and responses. A key early sign is anomalous activity surrounding SMA appliances, particularly those that are past their end-of-life support window. These devices may show unusual or unexpected configurations, unexpected remote access sessions, or anomalous spikes in memory or CPU usage related to backdoor activity. Because Overstep is designed to erase log entries, defenders must look beyond local device logs for corroborating evidence. NetFlow records, authentication logs from connected identity providers, and syslog streams forwarded to centralized security monitoring platforms can be critical sources of truth when local logs have been tampered with or erased.
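One way to turn the off-device telemetry described above into a concrete check is to reconcile an appliance's local log against the copy it forwarded over syslog before any tampering: entries the collector holds but the device no longer has are direct evidence of selective deletion, and a per-process sequence counter that skips numbers reveals removal even when no forwarded copy exists. This is an added example written for this article, not tooling from the GTIG report or from SonicWall; the line format, host name, addresses and all sample lines are constructed and do not reproduce the SMA appliance's real log schema.

```python
"""Detect selective log deletion on an edge appliance by reconciling its local
log with an intact off-device (syslog-forwarded) copy.

Constructed line format (not SonicWall's real schema):
    <ISO timestamp> <host> <process>[<per-process sequence number>]: <message>
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w.-]+)\[(?P<seq>\d+)\]: (?P<msg>.*)$"
)


@dataclass(frozen=True)
class Entry:
    ts: str
    host: str
    proc: str
    seq: int
    msg: str

    @property
    def key(self) -> Tuple[str, str, int]:
        # Identity of an entry: a given host/process pair never reuses a sequence number.
        return (self.host, self.proc, self.seq)


def parse_log(lines: List[str]) -> List[Entry]:
    entries: List[Entry] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # blank or malformed line; it cannot take part in reconciliation
        entries.append(Entry(m["ts"], m["host"], m["proc"], int(m["seq"]), m["msg"]))
    return entries


def reconcile(local: List[Entry], forwarded: List[Entry]) -> Dict[str, list]:
    """Compare the appliance's own log with the forwarded copy.

    'deleted': entries the collector received but the device no longer has.
    'altered': entries present on both sides whose timestamp or text differs.
    """
    local_by_key = {e.key: e for e in local}
    deleted, altered = [], []
    for f in forwarded:
        l = local_by_key.get(f.key)
        if l is None:
            deleted.append(f)
        elif l.msg != f.msg or l.ts != f.ts:
            altered.append((l, f))
    return {"deleted": deleted, "altered": altered}


def sequence_gaps(entries: List[Entry]) -> List[Tuple[str, int, int]]:
    """Fallback when no off-device copy exists: a per-process sequence counter that
    skips numbers shows that entries were removed, even if not what they said."""
    gaps: List[Tuple[str, int, int]] = []
    last_seq: Dict[Tuple[str, str], int] = {}
    for e in sorted(entries, key=lambda e: (e.host, e.proc, e.seq)):
        prev = last_seq.get((e.host, e.proc))
        if prev is not None and e.seq - prev > 1:
            gaps.append((e.proc, prev, e.seq))
        last_seq[(e.host, e.proc)] = e.seq
    return gaps


# Constructed sample: the collector's copy is intact...
FORWARDED_LINES = [
    "2025-07-10T09:00:01Z sma-edge01 sshd[100]: Session opened for user ops",
    "2025-07-10T09:00:05Z sma-edge01 httpd[200]: GET /cgi-bin/welcome 200",
    "2025-07-10T09:01:10Z sma-edge01 httpd[201]: User 'admin' logged in from 203.0.113.7",
    "2025-07-10T09:01:12Z sma-edge01 httpd[202]: Configuration exported by 'admin'",
    "2025-07-10T09:01:20Z sma-edge01 httpd[203]: GET /cgi-bin/status 200",
    "2025-07-10T09:02:00Z sma-edge01 sshd[101]: Session closed for user ops",
]
# ...while the appliance's local log lacks the two entries recording the admin session.
LOCAL_LINES = [FORWARDED_LINES[i] for i in (0, 1, 4, 5)]


def demo() -> Tuple[Dict[str, list], List[Tuple[str, int, int]]]:
    local = parse_log(LOCAL_LINES)
    forwarded = parse_log(FORWARDED_LINES)
    return reconcile(local, forwarded), sequence_gaps(local)


if __name__ == "__main__":
    result, gaps = demo()
    for e in result["deleted"]:
        print(f"DELETED locally: {e.ts} {e.proc}[{e.seq}] {e.msg}")
    for proc, a, b in gaps:
        print(f"sequence gap in {proc}: {a} -> {b}")
```

The same reconciliation applies to any log source the appliance mirrors off-device; the key point is that the comparison baseline must live somewhere the appliance itself cannot rewrite.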
Another central IoC is the presence of a reverse shell that provides an interface for issuing commands from a remote origin. While the reverse shell itself is a powerful red flag, the challenge lies in distinguishing legitimate remote management activities from malicious ones. Security teams should consider implementing strict access controls on management interfaces, enabling two-factor authentication, and enforcing network segmentation that restricts management plane access to a constrained set of administrative hosts. If a reverse shell is detected, investigators should map its activity to identify the scope of the compromise, including what devices are affected, what commands were issued, and whether Overstep was dropped or additional payloads were installed. The reverse shell’s web interface is particularly concerning because it can enable attackers to operate in a browser-based environment, potentially exposing additional attack vectors or misconfigurations that can be exploited to widen the intrusion.
Given the anti-forensic capabilities described, it is essential to adopt cross-device and cross-user telemetry to establish a complete forensic picture. GTIG advises that organizations obtain disk images of the compromised devices to capture a pristine snapshot of the system state before anti-forensic tools can alter it further. Disk imaging is a crucial step to preserve the integrity of forensic evidence and to enable detailed analysis that can reveal hidden artifacts or modified artifacts that standard log review would miss. For organizations that cannot perform direct disk imaging, an alternative approach may include capturing memory artifacts, volatile data, and forensic artifacts from connected network appliances or backup systems that might retain earlier states of the device. In addition to disk imaging, practitioners should collect and preserve any available snapshots of the SMA environment, including configurations, user accounts, and access control lists, to support a thorough incident reconstruction.
The GTIG guidance also highlights the importance of engaging with the device manufacturer to capture disk images from physical appliances. Vendor collaboration is critical, particularly in cases where the subject devices are no longer officially supported and where the vendor may provide specialized forensic tooling, firmware analyses, or recommended containment procedures that can accelerate the investigation. Incident responders should establish a defined process for coordinating with SonicWall PSIRT and any other relevant teams to ensure that forensic data collection aligns with best practices and preserves the evidence needed for potential legal, regulatory, or policy considerations.
Organizations should also consider the broader implications for asset management and security operations. The targeting of end-of-life equipment underscores the need for a formal lifecycle management program that prevents unsanctioned exposure of aging devices. Security teams may benefit from instituting a policy that addresses the migration of critical network devices away from unsupported platforms within a defined timeframe, along with a risk-based approach to balancing operational needs with security posture. In practice, this can include staged decommissioning, implementing compensating controls for legacy devices, and accelerating replacement projects to reduce exposure windows. The GTIG report’s emphasis on forensics and disk imaging is a reminder that, even in situations where immediate remediation is challenging, organizations can preserve the ability to learn from incidents and strengthen defenses for future operations.
For defenders, a practical incident response playbook in the wake of UNC6148-like activity should include a targeted triage workflow that prioritizes end-of-life devices, a rapid forensic imaging protocol, and cross-team coordination among security operations, IT, and vendor representatives. Teams should also consider developing a library of IoCs derived from observed activity, including signatures of the Overstep loader, reverse shell indicators, suspicious account activity, and traces of log tampering. The playbook should incorporate containment steps to isolate compromised SMA appliances, monitor for lateral movement attempts, and implement rapid remediation measures, including reimaging affected devices, upgrading to supported hardware, and validating that no residual access remains after remediation. Finally, organizations should conduct post-incident reviews to derive actionable lessons learned and to refine threat-hunting hypotheses for UNC6148-like campaigns in the future.
Implications for enterprise security, risk management, and asset lifecycle
The UNC6148 operation targeting SonicWall SMA appliances is a stark reminder of the risk posed by aging network devices in enterprise environments. When devices no longer receive patches or security updates, the attack surface remains vulnerable to a range of known flaws and to previously undisclosed vulnerabilities that can be exploited by capable threat actors. This reality has significant implications for how organizations approach risk management, procurement, and ongoing security operations. It underscores the importance of implementing a comprehensive asset lifecycle program that includes not only procurement and deployment but also retirement and replacement planning for critical network devices. In practice, this means mapping devices to an approved lifecycle policy, setting alerting thresholds for end-of-life timelines, and prioritizing upgrades that align with current security best practices and compliance requirements.
From a security operations perspective, the UNC6148 case emphasizes the need for robust monitoring and detection strategies that extend beyond the devices themselves. Security teams should implement a layered approach to defense that includes defense-in-depth controls, network segmentation, strict access controls, continuous monitoring of privileged actions, and proactive threat intelligence integration. The anti-forensic capabilities described in the Overstep backdoor illustrate how attackers can exploit gaps in visibility when local logs are compromised. Organizations can improve resilience by augmenting internal telemetry with external visibility—such as network flow data, security information and event management (SIEM) correlation across endpoints, and threat intelligence feeds—to build a more complete picture of activity within the environment, even if one data source is compromised.
The case also highlights the importance of vendor collaboration and incident response readiness. When devices reach end-of-life status, security teams should maintain lines of communication with the vendor for guidance, firmware recommendations, and, where possible, access to forensic tooling or support. However, given that these devices are no longer actively supported, organizations must be prepared to make difficult decisions about decommissioning, migration to newer hardware, and reconfiguration of security architectures. The strategic takeaway is clear: relying on legacy appliances without a clear modernization plan creates structural risk that sophisticated attackers can exploit, especially when those devices form the edge of enterprise networks where access control and security enforcement are most critical.
Moreover, this campaign highlights the importance of governance and policy in risk management. Enterprises should consider formalizing policies around vendor support lifecycles, patch management for network appliances, and the prioritization framework for replacing end-of-life devices. A rigorous governance program can help ensure that security considerations are embedded into procurement decisions, that security teams have the authority to decommission or replace risky assets, and that appropriate funding is allocated to maintain a resilient network infrastructure. The UNC6148 case adds to the growing body of evidence that aging devices can become anchor points for sophisticated intrusions and that proactive lifecycle governance is an essential component of modern cybersecurity strategy.
In addition to governance and lifecycle considerations, organizations should strengthen credential hygiene and access controls to reduce the likelihood that compromised local administrator credentials serve as an initial access vector. The report notes that the attacks are exploiting leaked local administrator credentials, and although the provenance of those credentials is not fully understood, the risk is clear: if credentials fall into the wrong hands, attacker access becomes easier, and the path to robust compromise becomes shorter. Enforcing strong credential policies, reducing reliance on local accounts, implementing centralized authentication with multi-factor authentication where possible, and monitoring credential exposure across the organization are critical steps toward reducing the potential for similar intrusions in the future. The UNC6148 scenario makes it evident that protecting credentials is a foundational defense, especially when devices that control access to the network are themselves vulnerable or obsolete.
If organizations can translate the GTIG findings into practical, ongoing security improvements, the overall risk posture of enterprises relying on aging SMA appliances can be materially improved. The connection between end-of-life hardware and participation in sophisticated, persistent campaigns is a reminder that the cybersecurity landscape requires continuous adaptation. Upgrading or replacing vulnerable devices, implementing robust incident response procedures, and aligning security investments with the evolving threat environment are essential elements of a resilient security strategy. The UNC6148 report, while still leaving some questions unanswered, provides a comprehensive framework for recognizing risk patterns, implementing forensic readiness, and launching targeted remediation efforts that can reduce the window of opportunity for attacker success.
Broader lessons for readers and stakeholders
Beyond the technical specifics, the UNC6148 investigation offers broader lessons for security teams, executives, and IT stakeholders. First, it reinforces the critical importance of asset visibility. Knowing precisely which devices exist in the network, their support status, and their exposure to external threats is foundational to any effective security program. Second, it emphasizes the value of forensic readiness. The ability to capture disk images and to perform thorough investigations in the face of anti-forensic techniques is a decisive differentiator in modern incident response. Third, the analysis highlights the need for a defense-in-depth approach that includes not only patch management but also monitoring, credential hygiene, and robust access controls.
Another takeaway concerns vendor engagement and incident collaboration. The UNC6148 case illustrates the potential benefits of coordinated responses that bring together security teams, product security incident response teams, and vendors to gather evidence and exchange insights that can inform remediation. Even when devices are out of support, partner cooperation can help organizations to mitigate risk, identify indicators of compromise, and develop effective containment strategies. The insights from GTIG’s research suggest that organizations should cultivate strong relationships with their security partners and be prepared to act swiftly when credible threats are identified.
Finally, the report underscores the importance of risk-based decision-making in security operations. Enterprises must balance the operational needs of legacy devices against the escalating threats they face, and make informed choices about modernization, risk reduction, and the allocation of resources. In many cases, replacing end-of-life hardware with supported devices is not only prudent but essential for sustaining an effective security posture. The UNC6148 campaign provides a clear rationale for accelerating modernization efforts and for embedding risk-aware decision-making into strategic IT and security planning.
Conclusion
The UNC6148 operation, as detailed by the Google Threat Intelligence Group, reveals a sophisticated use of a custom backdoor (Overstep) to breach SonicWall SMA appliances, highlighting the enduring vulnerability of end-of-life network devices in modern enterprise security. The attackers’ ability to delete log entries, establish a reverse shell, and potentially leverage zero-day or other undisclosed vulnerabilities underscores the evolving threat landscape and the importance of proactive forensic readiness, rigorous credential hygiene, and a strong asset lifecycle program. The findings emphasize that organizations relying on aging SMA appliances must conduct thorough risk assessments, undertake forensic analysis with disk imaging, and coordinate with vendors to guide remediation. While many details remain unknown—such as the precise initial access vector, the full post-compromise activities, and the ultimate goals of UNC6148—the report provides a robust framework for defense: analyze for compromise, preserve evidence through disk imaging, strengthen access controls, and plan for rapid modernization. The broader takeaway is clear: in a security environment where attackers leverage anti-forensic techniques and exploit aging devices, only a forward-looking, multi-layered, and well-coordinated response can effectively reduce exposure and protect enterprise networks against similar campaigns in the future.