Massive Cyber Assault Targets SonicWall Firewalls: 4,000+ IPs, Urgent Security Patches Needed

In a significant escalation of cyber threats, a coordinated reconnaissance campaign has been detected targeting SonicWall firewalls globally. Between February 22 and February 25, 2026, attackers initiated 84,142 scanning sessions against SonicWall SonicOS infrastructure, originating from 4,305 unique IP addresses across 20 autonomous systems. This large-scale operation suggests an impending wave of exploitation, placing numerous organizations at substantial risk.

The Target: SonicWall’s SSL VPN

SonicWall’s SSL VPN has historically been a prime target for cybercriminals seeking initial access to corporate networks. The recent campaign primarily focused on the SonicOS REST API endpoint, which verifies the activation status of the SSL VPN on devices. Notably, 92% of the recorded sessions targeted this specific API path, indicating a systematic effort to compile a list of potential targets for future attacks.

Historical Context and Escalation

This campaign mirrors a similar operation observed in December 2025, where attackers conducted nine million scanning sessions against both Palo Alto and SonicWall VPN infrastructures from over 7,000 IP addresses. The current activity represents a continuation and escalation of these previous patterns, underscoring the persistent threat posed to network security devices.

The Expansive Attack Surface

The scale of the exposed attack surface is alarming. Over 430,000 SonicWall firewalls are accessible on the public internet, with more than 25,000 SSL VPN devices harboring unpatched critical vulnerabilities. Additionally, approximately 20,000 devices are running firmware versions no longer supported by the vendor. This widespread exposure provides ample opportunities for attackers to exploit known vulnerabilities.

Ransomware Exploitation

Since March 2023, ransomware groups have increasingly targeted SonicWall VPN access. The Akira ransomware group, for instance, has compromised at least 250 organizations through SonicWall VPNs, amassing an estimated $244 million in ransom payments. Similarly, the Fog ransomware group has executed attacks resulting in full network encryption in under four hours. These incidents highlight the critical need for robust security measures and timely patching of vulnerabilities.

Exploited Vulnerabilities

Several SonicWall vulnerabilities have been exploited in these attacks. Notably, CVE-2024-40766, an improper access control vulnerability in SonicOS management access and SSLVPN, has been actively exploited. This flaw allows unauthorized resource access and can cause firewall crashes. SonicWall has released patches to address this issue, and users are urged to update their systems promptly.

Attackers’ Concealment Tactics

A significant aspect of this campaign is the attackers’ use of commercial proxy services to obscure their origins. Approximately 32% of the total campaign volume—around 27,119 sessions—was routed through Canadian-hosted proxy infrastructure, using 4,102 rotating exit IP addresses. This method allowed attackers to distribute their scanning activity across many sources, reducing the likelihood of detection and complicating attribution efforts.

Recommendations for Organizations

Given the scale and sophistication of these attacks, organizations utilizing SonicWall firewalls should take immediate action:

1. Update Firmware: Ensure all SonicWall devices are running the latest firmware versions to mitigate known vulnerabilities.

2. Restrict Access: Limit management access to trusted sources and disable WAN management access from the internet to reduce exposure.

3. Monitor Logs: Regularly review firewall logs for unusual activity, such as unexpected scanning or login attempts.

4. Implement Multi-Factor Authentication (MFA): Enhance security by requiring MFA for all remote access to network resources.

5. Conduct Regular Security Audits: Periodically assess network security configurations and practices to identify and remediate potential weaknesses.
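One way to put the log-monitoring recommendation into practice is to look for the pattern this campaign showed: many distinct source addresses, almost all of them requesting the one endpoint that reveals whether the SSL VPN is enabled, with a large share arriving from proxy exit ranges. The script below is an added example, not SonicWall tooling or code from this report; the log line format, the API path and the proxy netblock are constructed placeholders, not the real SonicOS endpoint or the provider ranges observed.

```python
import ipaddress
import re
from collections import Counter

# Placeholder values: not the real SonicOS API path, and a documentation
# netblock standing in for a commercial proxy provider's exit range.
STATUS_PATH = "/api/sonicos/PLACEHOLDER-sslvpn-status"
PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed log lines in a generic "timestamp src_ip method path status"
# shape; this is not SonicWall's log format.
SAMPLE_LOG = """\
2026-02-22T10:00:01Z 198.51.100.11 GET /api/sonicos/PLACEHOLDER-sslvpn-status 401
2026-02-22T10:00:02Z 198.51.100.12 GET /api/sonicos/PLACEHOLDER-sslvpn-status 401
2026-02-22T10:00:03Z 198.51.100.13 GET /api/sonicos/PLACEHOLDER-sslvpn-status 401
2026-02-22T10:00:04Z 198.51.100.14 GET /api/sonicos/PLACEHOLDER-sslvpn-status 401
2026-02-22T10:00:05Z 203.0.113.5 GET /api/sonicos/PLACEHOLDER-sslvpn-status 401
2026-02-22T10:00:06Z 203.0.113.6 GET /api/sonicos/PLACEHOLDER-sslvpn-status 401
2026-02-22T10:00:07Z 203.0.113.7 GET /api/sonicos/PLACEHOLDER-sslvpn-status 401
2026-02-22T10:00:08Z 203.0.113.8 GET /api/sonicos/PLACEHOLDER-sslvpn-status 401
2026-02-22T10:00:09Z 192.0.2.50 POST /sslvpn/login 200
2026-02-22T10:00:10Z 192.0.2.51 GET / 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse(log_text):
    """Yield (src_ip, path) for each well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), m.group(4)

def summarize(log_text, status_path=STATUS_PATH, proxy_ranges=PROXY_RANGES):
    """Compute the same metrics the report cites: session count, unique source IPs,
    share of sessions aimed at the status endpoint, and share from proxy ranges."""
    events = list(parse(log_text))
    status_ips = [ip for ip, path in events if path == status_path]
    proxied = [ip for ip in status_ips
               if any(ipaddress.ip_address(ip) in net for net in proxy_ranges)]
    return {
        "sessions": len(events),
        "status_sessions": len(status_ips),
        "unique_status_ips": len(set(status_ips)),
        "status_share": len(status_ips) / len(events) if events else 0.0,
        "proxy_share": len(proxied) / len(status_ips) if status_ips else 0.0,
    }

def is_recon_burst(summary, min_unique_ips=5, min_status_share=0.8):
    """Flag many distinct sources concentrated on the SSL VPN status endpoint."""
    return (summary["unique_status_ips"] >= min_unique_ips
            and summary["status_share"] >= min_status_share)
```

Thresholds are placeholders to tune against a device's normal traffic; in production the same aggregation would run over a sliding time window rather than a whole file.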

Conclusion

The recent surge in attacks targeting SonicWall firewalls underscores the evolving threat landscape and the importance of proactive cybersecurity measures. Organizations must remain vigilant, promptly apply security patches, and implement comprehensive security strategies to safeguard their networks against these sophisticated threats.