Hackers Actively Scan SonicWall Firewall Interfaces as 597,000 Sessions Observed
By Divya
May 25, 2026
A sharp surge in internet scanning activity targeting SonicWall firewall management interfaces has raised concerns among cybersecurity researchers, with GreyNoise reporting nearly 597,000 sessions in a single day.
The spike, observed on May 12, 2026, marks the highest volume recorded in the past 90 days and is approximately 46 times higher than the typical daily baseline.
According to GreyNoise telemetry, the activity occurred between May 9 and May 18, focusing on SonicWall SonicOS management APIs.
This pattern closely resembles scanning waves seen earlier this year, which preceded the disclosure of a critical vulnerability tracked as CVE-2026-0400. While researchers caution that this correlation is not definitive, the timing and behavior suggest the possibility of pre-disclosure reconnaissance.
Single-day session volume on the SonicWall SonicOS API Scanner tag (Source: GreyNoise)
Hackers Scan SonicWall Firewall Interfaces
Analysis of the traffic reveals a highly consistent and automated scanning approach:
Nearly 99% of requests use a single user-agent string: Chrome 119 on Linux x86_64, identical to tooling observed in earlier campaigns.
Around 56% of sessions originate from networks in the Netherlands, while 44% come from Ukraine.
A single autonomous system, AS211736, accounts for roughly half of the observed activity.
The majority of targeted traffic is directed at HTTP services over ports 80 and 8080.
Most of the source IPs involved are classified as “suspicious” by GreyNoise.
This level of uniformity indicates the likely use of centralized scanning infrastructure, possibly operated by a coordinated threat actor or group preparing for exploitation.
GreyNoise highlighted a similar sequence of scanning spikes earlier in 2026, occurring on January 18, January 30, and February 14. These events preceded the public disclosure of CVE-2026-0400 on February 24 by 37, 25, and 10 days, respectively.
Although this pattern suggests that spikes in scanning may act as early warning signals, researchers emphasize that it should not be interpreted as a guaranteed indicator of an impending vulnerability disclosure. The current spike could represent a single event, part of a broader sequence, or unrelated background activity.
Security teams using SonicWall devices are advised to take proactive steps to reduce exposure:
Restrict access to SonicOS management interfaces and SSL VPN portals to trusted IP ranges only.
Enforce multi-factor authentication (MFA) for all remote access accounts.
Review configurations for unauthorized administrative accounts created after May 1, 2026.
Deploy dynamic IP blocklists to filter suspicious traffic at the network edge.
Over the coming weeks, organizations should closely monitor SonicWall’s PSIRT advisories and be prepared to apply patches within 24 hours of any new vulnerability disclosure. Enhanced logging and outbound traffic monitoring are also recommended to detect potential compromise.
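As an added example (not code from GreyNoise or from this article), the sketch below audits edge logs for the signals described above: management-port hits from outside trusted ranges, user-agent uniformity, and a daily count far above the trailing baseline. The log format, the trusted range, the user-agent string and all sample lines are constructed assumptions; the ports 80 and 8080 come from the report.

```python
import ipaddress
import re
from collections import Counter
from statistics import median

TRUSTED = [ipaddress.ip_network("198.51.100.0/28")]   # assumed admin range
MGMT_PORTS = {80, 8080}                               # ports named in the report
LINE = re.compile(r'(\d{4}-\d\d-\d\d)T\S+ src=(\S+) dport=(\d+) ua="([^"]*)"')

def parse(lines):
    """Yield (day, src, dport, ua) from the hypothetical log format."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m[1], ipaddress.ip_address(m[2]), int(m[3]), m[4]

def untrusted_hits(records):
    """Management-port hits whose source is outside every trusted range."""
    return [r for r in records
            if r[2] in MGMT_PORTS and not any(r[1] in n for n in TRUSTED)]

def daily_counts(records):
    """Number of records per calendar day."""
    return Counter(r[0] for r in records)

def dominant_ua(records):
    """Most common user-agent and its share of requests (uniformity signal)."""
    ua, n = Counter(r[3] for r in records).most_common(1)[0]
    return ua, n / len(records)

def spike_days(daily, factor=10):
    """Days whose count is >= factor x the median of all earlier days."""
    days = sorted(daily)
    return [d for i, d in enumerate(days)
            if i >= 3 and daily[d] >= factor * median(daily[x] for x in days[:i])]

# Constructed sample data, not GreyNoise telemetry.
CHROME119 = "Mozilla/5.0 (X11; Linux x86_64) Chrome/119.0.0.0"
SAMPLE = (
    [f'2026-05-{d:02d}T02:00:00Z src=198.51.100.5 dport=8080 ua="AdminBrowser"'
     for d in (9, 10, 11, 12)]
    + [f'2026-05-{d:02d}T03:00:00Z src=203.0.113.{d} dport=80 ua="{CHROME119}"'
       for d in (9, 10, 11)]
    + [f'2026-05-12T04:00:{i:02d}Z src=203.0.113.{i} dport=8080 ua="{CHROME119}"'
       for i in range(40)]
)

if __name__ == "__main__":
    hits = untrusted_hits(list(parse(SAMPLE)))
    print("per day:", dict(daily_counts(hits)))
    print("dominant UA share:", dominant_ua(hits)[1])
    print("spike days:", spike_days(daily_counts(hits)))
```

The `factor` threshold is a tuning choice; the spike in the report was roughly 46 times the daily baseline, so a lower multiple such as the default here flags it with margin.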
The current spike underscores how large-scale scanning activity can serve as an early signal of emerging threats, reinforcing the need for continuous monitoring and rapid response readiness.