Hacker using backdoor to exploit SonicWall Secure Mobile Access to steal credentials
@Source: techradar.com
Ellen Jennings-Trace
17 July 2025
The vulnerability is fully patched, but criminals are still finding a way
A threat actor has used a patched vulnerability in SonicWall software
The group is tracked as UNC6148
This allowed UNC6148 to potentially steal credentials and deploy ransomware
A financially motivated threat actor, tracked by Google’s Threat Intelligence Group as UNC6148, has been observed targeting patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances.
Google determines with ‘high confidence’ that these attacks use credentials and one-time password (OTP) seeds obtained through previous intrusions, which has allowed the actor to regain access even after organizations have updated their security.
A zero-day remote code execution vulnerability, Google says with ‘moderate confidence’, was used to deploy OVERSTEP on the targeted SonicWall SMA appliances. The threat intelligence group also “assesses with moderate confidence that UNC6148's operations, dating back to at least October 2024, may be to enable data theft and extortion operations, and possibly ransomware deployment.”
The actor deployed OVERSTEP, a previously unknown persistent backdoor and user-mode rootkit. This malware modifies the appliance’s boot process to allow persistent access, steal sensitive credentials, and then hide its own components.
“An organization targeted by UNC6148 in May 2025 was posted to the "World Leaks" data leak site (DLS) in June 2025, and UNC6148 activity overlaps with publicly reported SonicWall exploitation from late 2023 and early 2024 that has been publicly linked to the deployment of Abyss-branded ransomware (tracked by GTIG as VSOCIETY),” Google continued.
Earlier in 2025, SonicWall firewalls were hit by a worrying cyberattack in which threat actors leveraged a vulnerability to gain access to target endpoints, interfere with the VPN, and further disrupt the target.
These attacks highlight the importance of updating software as soon as patches become available. Organizations that fail to keep on top of system updates can be left vulnerable to known exploits. If it’s too daunting a task, take a look at our choices for the best patch management software for a helping hand.
Ellen Jennings-Trace
Staff Writer
Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.