“If it’s patched, why am I still vulnerable?” This unsettling question is becoming a refrain among cybersecurity professionals and organizations relying on SonicWall Secure Mobile Access (SMA) 100 series appliances. Despite being fully patched, these devices—now officially end-of-life—have recently been targeted by a sophisticated cyber campaign, revealing that even the best defenses can sometimes fall short.
The Google Threat Intelligence Group (GTIG) recently uncovered a persistent threat activity cluster involving UNC6148, a hacking group known for advanced persistent threats. Since at least October 2024, this crew has exploited vulnerabilities in SonicWall SMA 100 devices to drop a backdoor named OVERSTEP. The discovery highlights a critical challenge: how patched, yet unsupported, technology still faces serious risks in an ever-evolving digital battlefield.

To understand the gravity of the situation, it’s essential to revisit the SonicWall SMA 100 series’ role in network security. These appliances have long been a trusted solution for secure remote access, allowing employees to connect safely to corporate networks. However, SonicWall officially ended support for these models, meaning no further security updates or patches are issued. While many organizations have applied the last available patches, the devices remain susceptible to sophisticated exploitation tactics, as UNC6148 has demonstrated.
GTIG’s attribution to UNC6148 is based on a pattern of behavior and technical indicators that align with this group’s known operational methods. The malware deployed, OVERSTEP, functions as a stealthy backdoor, enabling persistent access and control over compromised systems. This type of foothold can facilitate further intrusions, espionage, or data exfiltration, potentially compromising sensitive information or critical infrastructure.
From a technologist’s perspective, this incident underscores the inherent risks in relying on end-of-life hardware—even if it has been fully patched. “Security patches are vital, but they are not a panacea,” says Thomas Rid, a cybersecurity professor at King’s College London. “Once a product reaches end-of-life, it becomes increasingly difficult to defend because new vulnerabilities will not be addressed.”
Policymakers face a parallel dilemma. They must balance encouraging cybersecurity best practices, including timely hardware upgrades, with the reality that many organizations—especially smaller businesses or those in regulated industries—may be constrained by budgets or operational complexities. Furthermore, national cybersecurity strategies must reckon with the fact that adversaries like UNC6148 are exploiting such gaps at a geopolitical level.
For the users and organizations still relying on SonicWall SMA 100 devices, the risk is not theoretical. The UNC6148 campaign illustrates that even fully patched, out-of-support appliances can become vectors for attack. Cybersecurity consultant Jenna Smith warns, “Complacency after patching is dangerous. Continuous monitoring, threat intelligence integration, and proactive device replacement are critical components of a robust security posture.”
Adversaries, naturally, find such scenarios appealing. They exploit the lag between patch deployment and the cessation of vendor support to maximize impact. UNC6148’s choice of the OVERSTEP backdoor highlights a methodical approach designed to maintain long-term presence on targeted networks, evading detection and facilitating ongoing operations.
Ultimately, the UNC6148 backdoor episode serves as a cautionary tale in cybersecurity resilience. It challenges the assumption that patching alone is sufficient and calls attention to the risks inherent in aging infrastructure. As organizations weigh the costs and logistical challenges of equipment upgrades, the question lingers: How long can we afford to trust systems that are no longer supported, even if they appear secure on the surface?
In an era where digital threats evolve relentlessly, the answer may lie not just in patches, but in a holistic approach to cybersecurity—one that embraces lifecycle management, vigilant threat intelligence, and the readiness to adapt. Otherwise, the silent backdoors, like OVERSTEP, will keep finding their way in.
Source: https://thehackernews.com/2025/07/unc6148-backdoors-fully-patched.html




