CyberSecurityNews

Hackers Actively Scanning SonicWall Firewall Interfaces


A sharp rise in internet-wide scanning activity targeting SonicWall firewall management interfaces has been detected, raising concerns about a potential pre-disclosure reconnaissance phase tied to new vulnerabilities.

Threat intelligence firm GreyNoise reported a significant surge in scanning of SonicWall SonicOS management APIs between May 9 and May 18, 2026.

The most notable spike occurred on May 12, when approximately 597,000 sessions were recorded in a single day.

This represents a roughly 46-fold increase compared to the average daily activity observed over the previous 30 days.

This marks the highest single-day volume recorded on the SonicWall SonicOS API Scanner tag over the past 90 days, indicating coordinated, large-scale reconnaissance targeting exposed firewall interfaces.

Hackers Scan SonicWall Firewalls

GreyNoise researchers highlight that a similar spike earlier this year preceded the disclosure of CVE-2026-0400, a SonicWall vulnerability published on February 24, 2026.

Notably, the spikes on January 18, January 30, and February 14 occurred 37, 25, and 10 days before that disclosure, respectively.

While this correlation does not confirm a new vulnerability, it reflects a recurring pattern where threat actors increase probing activity before public disclosure or exploitation campaigns.

Single-day session volume on the SonicWall SonicOS API Scanner tag (Source: GreyNoise)

GreyNoise emphasizes that the current spike is a signal, not a prediction, but it may represent early-stage reconnaissance.

GreyNoise's analysis of the scanning traffic reveals consistent tooling and infrastructure:

  • Tooling: Nearly 99% of requests use a Chrome 119 user-agent on Linux x86_64, matching earlier campaigns where 94.5% of traffic used the same fingerprint.
  • Source infrastructure: Around 56% of traffic originates from networks in the Netherlands and 44% from Ukraine, accounting for over 99% of observed sessions.
  • ASN concentration: A single autonomous system (AS211736) contributes roughly half of the total scanning volume.
  • Targeted services: Ports 80 and 8080 (HTTP) are almost exclusively targeted, indicating focus on web-based management interfaces.
  • Classification: The majority of source IPs are categorized as suspicious by GreyNoise.
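As an added example (not code from the article or from GreyNoise), the following Python replays constructed access-log lines from a firewall management interface and applies the two signals described above: each day's session count measured against the mean of the preceding 30 days, and the recurring scanner fingerprint (a Chrome 119 user-agent on Linux x86_64 aimed at ports 80 and 8080). The log format, the `/api/sonicos/auth` path, the sample addresses and the 46x flagging threshold are assumptions chosen for illustration; real SonicWall logs need their own parser.

```python
"""
Added example, not from the article or GreyNoise: flag a scanning spike against a
30-day baseline and measure how much of that day's traffic carries the scanner
fingerprint. Log layout, paths and addresses below are constructed assumptions.
"""
import re
from collections import Counter
from datetime import date, timedelta

# Indicators from the article; the user-agent pattern is a generic match for
# "Chrome 119 on Linux x86_64", not a specific string from the report.
SCANNER_UA_RE = re.compile(r"Linux x86_64.*Chrome/119\.")
MGMT_PORTS = {80, 8080}
SPIKE_FACTOR = 46      # hypothetical threshold; the article reports a ~46x rise
MIN_SESSIONS = 100     # hypothetical floor so a handful of hits never trips it

# Assumed log layout: ISO timestamp, source IP, destination port, path, quoted UA.
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2})T\S+ src=(?P<src>\S+) dport=(?P<dport>\d+) '
    r'path=(?P<path>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = date.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_scanner_fingerprint(rec):
    """Management port plus the Chrome 119 / Linux x86_64 user-agent."""
    return rec["dport"] in MGMT_PORTS and bool(SCANNER_UA_RE.search(rec["ua"]))


def daily_counts(records):
    """Sessions per calendar day, sorted by date."""
    return dict(sorted(Counter(r["ts"] for r in records).items()))


def spike_days(counts, baseline_days=30, factor=SPIKE_FACTOR, floor=MIN_SESSIONS):
    """Days whose count is >= factor x the mean of the preceding baseline_days
    calendar days (days with no traffic count as zero). Days with an empty
    baseline are never flagged, so the first day of data cannot trip it."""
    flagged = {}
    for day, n in counts.items():
        window = [counts.get(day - timedelta(days=i), 0) for i in range(1, baseline_days + 1)]
        baseline = sum(window) / baseline_days
        if baseline > 0 and n >= floor and n >= factor * baseline:
            flagged[day] = round(n / baseline, 1)
    return flagged


def analyze(lines):
    """Per flagged day: volume, ratio to baseline, fingerprint share, unique sources."""
    records = [r for r in map(parse_line, lines) if r]
    flagged = spike_days(daily_counts(records))
    report = {}
    for day, ratio in flagged.items():
        day_recs = [r for r in records if r["ts"] == day]
        hits = sum(is_scanner_fingerprint(r) for r in day_recs)
        report[day.isoformat()] = {
            "sessions": len(day_recs),
            "ratio_vs_30d_mean": ratio,
            "fingerprint_share": round(hits / len(day_recs), 3),
            "unique_sources": len({r["src"] for r in day_recs}),
        }
    return report


def build_sample_log():
    """Constructed sample: 30 quiet days of 10 benign admin requests each, then
    one day with 600 scanner-fingerprint sessions against ports 80/8080."""
    benign_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0"
    scan_ua = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
    start = date(2026, 4, 12)          # 30 days before the article's May 12 spike
    lines = []
    for i in range(30):
        day = start + timedelta(days=i)
        for j in range(10):
            lines.append(f'{day}T08:{j:02d}:00Z src=198.51.100.{j} dport=443 '
                         f'path=/api/sonicos/auth ua="{benign_ua}"')
    spike = start + timedelta(days=30)  # 2026-05-12
    for j in range(600):
        lines.append(f'{spike}T{j % 24:02d}:{j % 60:02d}:00Z src=203.0.113.{j % 254 + 1} '
                     f'dport={80 if j % 2 else 8080} path=/api/sonicos/auth ua="{scan_ua}"')
    return lines


if __name__ == "__main__":
    for day, summary in analyze(build_sample_log()).items():
        print(day, summary)
```

The baseline is computed over calendar days rather than over days that happen to have traffic, so a device that normally sees no management-interface hits at all still produces a meaningful ratio once it has a month of (empty) history; the `MIN_SESSIONS` floor keeps a single stray request from being reported as a 46x spike.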

Security teams using SonicWall devices should take immediate precautions to reduce exposure and prepare for potential exploitation attempts:

Immediate actions:

  • Restrict SonicOS management API and SSL VPN access to trusted IP ranges only.
  • Remove public exposure of firewall management interfaces.
  • Enforce multi-factor authentication (MFA) for all SSL VPN users.
  • Audit systems for unauthorized administrative accounts created after May 1, 2026.
  • Deploy dynamic IP blocklists to filter known suspicious sources.

Short-term monitoring:

  • Track SonicWall PSIRT advisories for any new vulnerability disclosures.
  • Prepare to apply patches within 24 hours of release.
  • Increase log retention and enable alerting for unusual outbound activity.

Although no new vulnerability has been confirmed, the scale and pattern of this activity suggest that defenders should treat the spike as an early warning signal.

Proactive hardening, continuous monitoring, and rapid patching readiness remain critical to mitigating potential risks associated with SonicWall infrastructure exposure.
