Improper neutralization of special elements in the SMA100 management interface '/cgi-bin/viewcert' POST http method allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.
https://www.theregister.com/2025/07/16/sonicwall_vpn_hijack/
https://www.securityweek.com/sonicwall-sma-appliances-targeted-with-new-overstep-malware/
https://www.databreachtoday.com/hackers-use-backdoor-to-steal-data-from-sonicwall-appliance-a-28979
https://www.darkreading.com/remote-workforce/fully-patched-sonicwall-gear-zero-day-attack
https://therecord.media/sonicwall-sma-100-series-overstep-malware-unc6148
https://thehackernews.com/2025/07/unc6148-backdoors-fully-patched.html