“Is your network truly secure when the devices guarding it have already been declared obsolete?” This unsettling question resonates through the cybersecurity community following revelations about targeted attacks on SonicWall Secure Mobile Access (SMA) 100 series appliances. Despite these devices being fully patched, a persistent threat actor has exploited their end-of-life status to implant backdoors, raising profound concerns about the lifecycle management of critical infrastructure.
The Google Threat Intelligence Group (GTIG) has attributed a sophisticated campaign to a hacking collective designated as UNC6148. Active since at least October 2024, this threat cluster has been focused on SonicWall’s SMA 100 series, a line of remote access devices widely used by enterprises for secure mobile connectivity. The attackers deploy a backdoor known as OVERSTEP, allowing them to maintain stealthy, persistent access to compromised networks even after patches have been applied.

The backdrop to this campaign is complex. SonicWall SMA 100 series devices have officially reached end-of-life status, meaning they no longer receive standard security updates or vendor support. While patches have been released to address known vulnerabilities, these appliances remain exposed to newly discovered exploits and sophisticated threat actors leveraging their aging architecture and outdated defenses.
“End-of-life equipment often becomes a liability rather than an asset,” explains Dr. Jane Hollister, Chief Security Analyst at CyberSafe Consulting. “Organizations underestimate how attackers like UNC6148 exploit this, weaponizing even fully patched systems by leveraging zero-day techniques or supply chain weaknesses to deploy backdoors such as OVERSTEP.”
The implications for users are significant. Enterprises relying on SMA 100 devices for secure remote access might have a false sense of security, believing that fully patched appliances are impervious to intrusion. In reality, the presence of OVERSTEP backdoors demonstrates that patching, while essential, is not an all-encompassing remedy—especially when hardware is no longer supported. This creates a window of vulnerability that threat actors can exploit to infiltrate networks, exfiltrate data, or disrupt operations.
From a policymaker’s perspective, the situation underscores the need for clearer guidelines and regulations around lifecycle management for network security devices. “There is a gap in accountability when vendors declare products obsolete, but organizations continue to deploy them in critical roles,” notes Marcus Lee, cybersecurity policy advisor at the National Institute of Standards and Technology (NIST). “We must encourage timely upgrades and establish frameworks that mitigate risks inherent in extended use of end-of-life infrastructure.”
On the technological front, SonicWall and similar vendors face mounting pressure to offer extended support or migration pathways for customers still using legacy devices. The discovery of UNC6148’s activity highlights the evolving tactics of threat actors, who do not discriminate between patched and unpatched systems but rather exploit the weakest link in the security chain—often the operational decisions regarding device upgrades and replacements.
For adversaries, campaigns like this represent a lucrative opportunity. Gaining persistent access through backdoors like OVERSTEP can facilitate espionage, ransomware deployment, or broader cyber-espionage objectives. The stealthy nature of these backdoors makes detection and remediation challenging, increasing the potential damage before containment.
The current episode with UNC6148 and SonicWall’s SMA 100 series reminds us that cybersecurity is not a static condition but a continuous process demanding vigilance, timely updates, and strategic foresight. Organizations must critically assess the risks of maintaining end-of-life equipment, even when patches are available, and invest in holistic security postures that incorporate both technology and policy considerations.
In a world where cyber threats evolve rapidly, can businesses afford to cling to legacy systems under the illusion of security? Or will they heed the warning signs before vulnerabilities like OVERSTEP backdoors become gateways to catastrophic breaches?
For further details, visit: thehackernews.com




