Surge in Scanning Targets SonicWall Firewalls; Potential Reconnaissance Linked to Undisclosed Vulnerabilities

Massive Surge in Scanning Activity Targets SonicWall Firewall Interfaces

A significant increase in scanning activity targeting SonicWall firewall management interfaces has been observed, raising concerns about potential pre-exploitation reconnaissance linked to undisclosed vulnerabilities.

Between May 9 and May 18, 2026, threat intelligence firm GreyNoise detected a substantial uptick in scanning of SonicWall SonicOS management APIs. The most notable spike occurred on May 12, with approximately 597,000 sessions recorded in a single day. This represents a 46-fold increase compared to the average daily activity observed over the previous 30 days, marking the highest single-day volume recorded on the SonicWall SonicOS API Scanner tag over the past 90 days.

Pattern of Pre-Disclosure Reconnaissance

GreyNoise researchers have noted that similar spikes in scanning activity have preceded the disclosure of vulnerabilities in the past. For instance, earlier this year, a surge in scanning activity was observed before the disclosure of CVE-2026-0400, a SonicWall vulnerability disclosed on February 24, 2026. Spikes on January 18, January 30, and February 14 occurred 37, 25, and 10 days before that disclosure, respectively. While this correlation does not confirm the existence of a new vulnerability, it reflects a recurring pattern where threat actors increase probing activity before public disclosure or exploitation campaigns.

Analysis of Scanning Traffic

GreyNoise's analysis of the scanning traffic shows consistent tooling and infrastructure:

– Tooling: Nearly 99% of requests use a Chrome 119 user-agent on Linux x86_64, matching earlier campaigns where 94.5% of traffic used the same fingerprint.

– Source Infrastructure: Approximately 56% of traffic originates from networks in the Netherlands and 44% from Ukraine, accounting for over 99% of observed sessions.

– ASN Concentration: A single autonomous system (AS211736) contributes roughly half of the total scanning volume.

– Targeted Services: Ports 80 and 8080 (HTTP) are almost exclusively targeted, indicating a focus on web-based management interfaces.

– Classification: The majority of source IPs are categorized as suspicious by GreyNoise.
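The fingerprint and volume figures above translate directly into a detection rule: requests carrying the Chrome 119 / Linux x86_64 user-agent against ports 80 and 8080, counted per source, plus a per-day session count compared against the preceding 30-day mean. The script below is an added example written for this page, not code from GreyNoise or SonicWall. The log lines, their one-line format (client IP, destination port, timestamp, request, status, user-agent) and the endpoint paths are constructed for the example; the `synthetic_counts` helper builds a baseline series so that the spike-ratio check can be exercised without 30 days of real logs.

```python
import re
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed sample log lines (not real traffic). Format, defined here for the example:
#   <client_ip> <dst_port> [<timestamp>] "<request>" <status> "<user_agent>"
# Endpoint paths are illustrative; the user-agent string is the Chrome 119 / Linux x86_64
# fingerprint the article attributes to the scanning traffic.
UA_SCANNER = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
SAMPLE_LOG = [
    f'198.51.100.7 8080 [12/May/2026:01:02:03 +0000] "GET /api/sonicos/auth HTTP/1.1" 401 "{UA_SCANNER}"',
    f'198.51.100.7 8080 [12/May/2026:01:02:04 +0000] "GET /api/sonicos/tfa HTTP/1.1" 404 "{UA_SCANNER}"',
    f'198.51.100.7 80 [12/May/2026:01:02:05 +0000] "GET /api/sonicos/auth HTTP/1.1" 401 "{UA_SCANNER}"',
    f'203.0.113.42 8080 [12/May/2026:02:10:00 +0000] "GET /api/sonicos/auth HTTP/1.1" 401 "{UA_SCANNER}"',
    f'203.0.113.42 8080 [12/May/2026:02:10:01 +0000] "GET /api/sonicos/auth HTTP/1.1" 401 "{UA_SCANNER}"',
    '192.0.2.9 443 [12/May/2026:03:00:00 +0000] "GET /api/sonicos/auth HTTP/1.1" 401 "curl/8.5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<port>\d+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# Fingerprint reported for ~99% of the scanning sessions: Chrome 119 on Linux x86_64.
FINGERPRINT_RE = re.compile(r"\(X11; Linux x86_64\).*Chrome/119\.")
MGMT_PORTS = {80, 8080}   # HTTP ports the article says were almost exclusively targeted
SPIKE_DAY = date(2026, 5, 12)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    ev["status"] = int(ev["status"])
    ev["day"] = datetime.strptime(ev["ts"].split(":")[0], "%d/%b/%Y").date()
    return ev


def is_scanner_fingerprint(ua):
    return bool(FINGERPRINT_RE.search(ua))


def summarize(lines):
    """Per-source and per-port counts plus the share of requests carrying the scanner fingerprint."""
    events = [ev for ev in map(parse_line, lines) if ev]
    total = len(events)
    matched = sum(1 for ev in events if is_scanner_fingerprint(ev["ua"]))
    return {
        "total": total,
        "fingerprint_share": matched / total if total else 0.0,
        "by_ip": Counter(ev["ip"] for ev in events),
        "by_port": Counter(ev["port"] for ev in events),
    }


def suspicious_sources(lines, min_hits=3):
    """Source IPs with at least `min_hits` fingerprinted requests to the HTTP management ports."""
    hits = Counter()
    for ev in map(parse_line, lines):
        if ev and ev["port"] in MGMT_PORTS and is_scanner_fingerprint(ev["ua"]):
            hits[ev["ip"]] += 1
    return sorted(ip for ip, n in hits.items() if n >= min_hits)


def spike_ratio(daily_counts, day, baseline_days=30):
    """Ratio of `day`'s session count to the mean over the preceding `baseline_days` days.

    Days absent from `daily_counts` count as zero, so a quiet baseline is not inflated by
    averaging only the days that happened to have traffic.
    """
    window = [daily_counts.get(day - timedelta(days=i), 0) for i in range(1, baseline_days + 1)]
    baseline = sum(window) / baseline_days
    today = daily_counts.get(day, 0)
    if baseline == 0:
        return float("inf") if today else 0.0
    return today / baseline


def synthetic_counts(spike_day, spike, baseline, days=30):
    """Constructed daily counts: a flat baseline for `days` days, then one spike day."""
    counts = Counter({spike_day - timedelta(days=i): baseline for i in range(1, days + 1)})
    counts[spike_day] = spike
    return counts


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} requests, {s['fingerprint_share']:.0%} with scanner UA, ports {dict(s['by_port'])}")
    print("flagged sources:", suspicious_sources(SAMPLE_LOG))
    # Roughly the article's numbers: ~13,000/day baseline vs ~597,000 on May 12 is about 46x.
    ratio = spike_ratio(synthetic_counts(SPIKE_DAY, 597_000, 13_000), SPIKE_DAY)
    print(f"spike ratio on {SPIKE_DAY}: {ratio:.1f}x")
```

The user-agent match on its own is a weak indicator, since a Chrome 119 on Linux string is trivially forged and also appears in legitimate traffic; combining it with the destination port and a per-source threshold is what makes the rule useful, and the baseline comparison is the piece that turns "some scanning" into "a 46-fold day" worth escalating.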

Immediate Actions for Security Teams

Organizations running SonicWall devices should act now to reduce exposure and prepare for possible exploitation attempts:

– Restrict Access: Limit SonicOS management API and SSL VPN access to trusted IP ranges only.

– Remove Public Exposure: Ensure that firewall management interfaces are not publicly accessible.

– Enforce Multi-Factor Authentication (MFA): Implement MFA for all SSL VPN users to enhance security.

– Audit Systems: Review firewalls for administrator accounts created after May 1, 2026 that your team did not provision.

– Deploy Dynamic IP Blocklists: Use dynamic IP blocklists to filter known suspicious sources.

Short-Term Monitoring Recommendations

In addition to immediate actions, security teams should:

– Monitor SonicWall PSIRT Advisories: Stay updated with SonicWall Product Security Incident Response Team (PSIRT) advisories for any new vulnerability disclosures.

– Prepare for Rapid Patching: Be ready to apply patches within 24 hours of release to mitigate potential vulnerabilities.

– Increase Log Retention and Alerting: Enhance log retention and enable alerting for unusual outbound activity to detect potential breaches.

Conclusion

While no new vulnerability has been confirmed, the scale and pattern of this scanning activity suggest that defenders should treat the spike as a signal of potential reconnaissance efforts. Proactive measures and vigilant monitoring are essential to safeguard against possible exploitation attempts targeting SonicWall firewall interfaces.