
Hackers Actively Scan SonicWall Firewall Interfaces as 597,000 Sessions Observed - gbhackers.com

gbhackers.com Archived Jun 24, 2026 ✓ Full text saved



By Divya, May 25, 2026

A sharp surge in internet scanning activity targeting SonicWall firewall management interfaces has raised concerns among cybersecurity researchers, with GreyNoise reporting nearly 597,000 sessions in a single day. The spike, observed on May 12, 2026, marks the highest volume recorded in the past 90 days and is approximately 46 times higher than the typical daily baseline.

According to GreyNoise telemetry, the activity occurred between May 9 and May 18, focusing on SonicWall SonicOS management APIs. This pattern closely resembles scanning waves seen earlier this year, which preceded the disclosure of a critical vulnerability tracked as CVE-2026-0400. While researchers caution that this correlation is not definitive, the timing and behavior suggest the possibility of pre-disclosure reconnaissance.

[Figure: Single-day session volume on the SonicWall SonicOS API Scanner tag (Source: GreyNoise)]

Hackers Scan SonicWall Firewall Interfaces

Analysis of the traffic reveals a highly consistent and automated scanning approach:

- Nearly 99% of requests use a single user-agent string: Chrome 119 on Linux x86_64, identical to tooling observed in earlier campaigns.
- Around 56% of sessions originate from networks in the Netherlands, while 44% come from Ukraine.
- A single autonomous system, AS211736, accounts for roughly half of the observed activity.
- The majority of targeted traffic is directed at HTTP services over ports 80 and 8080.
- Most of the source IPs involved are classified as “suspicious” by GreyNoise.

This level of uniformity indicates the likely use of centralized scanning infrastructure, possibly operated by a coordinated threat actor or group preparing for exploitation.
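A defender-side check for the two signals described above (daily volume far above baseline, and one user-agent dominating the traffic), written as an added example that is not from GreyNoise or the original article. The record layout, the thresholds and the sample sessions are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed user-agent in the shape the article describes (Chrome 119 on
# Linux x86_64); it is not a string copied from GreyNoise telemetry.
SCAN_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")

def build_sample():
    """Constructed sessions as (day, src_ip, dst_port, user_agent) tuples."""
    rows = [(f"2026-05-{d:02d}", f"198.51.100.{i}", 443, f"client-{i}")
            for d in range(1, 8) for i in range(4)]       # quiet week
    for i in range(200):                                  # uniform spike day
        rows.append(("2026-05-08", f"203.0.113.{i % 50}",
                     (80, 8080)[i % 2], SCAN_UA))
    rows.append(("2026-05-08", "198.51.100.9", 443, "client-9"))
    return rows

def flag_scan_days(rows, ratio_min=10.0, ua_share_min=0.9, history=7):
    """Flag days where volume and user-agent uniformity both stand out.

    ratio_min and ua_share_min are assumed thresholds; tune them to your logs.
    Days with no sessions are absent from the input and so from the baseline.
    """
    per_day = defaultdict(list)
    for day, _ip, port, ua in rows:
        per_day[day].append((port, ua))
    days = sorted(per_day)
    findings = []
    for idx, day in enumerate(days):
        prior = [len(per_day[d]) for d in days[max(0, idx - history):idx]]
        if len(prior) < 3:            # too little history for a baseline
            continue
        sessions = per_day[day]
        ratio = len(sessions) / median(prior)
        top_ua, top_n = Counter(ua for _p, ua in sessions).most_common(1)[0]
        ua_share = top_n / len(sessions)
        http = sum(p in (80, 8080) for p, _u in sessions) / len(sessions)
        if ratio >= ratio_min and ua_share >= ua_share_min:
            findings.append({"day": day, "sessions": len(sessions),
                             "ratio": round(ratio, 1), "top_ua": top_ua,
                             "ua_share": round(ua_share, 3),
                             "http_share": round(http, 3)})
    return findings

if __name__ == "__main__":
    for finding in flag_scan_days(build_sample()):
        print(finding)
```

Requiring both conditions keeps a busy but diverse day (for example, a legitimate traffic peak) from being flagged on volume alone.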
GreyNoise highlighted a similar sequence of scanning spikes earlier in 2026, occurring on January 18, January 30, and February 14. These events preceded the public disclosure of CVE-2026-0400 on February 24 by 37, 25, and 10 days, respectively.

Although this pattern suggests that spikes in scanning may act as early warning signals, researchers emphasize that it should not be interpreted as a guaranteed indicator of an impending vulnerability disclosure. The current spike could represent a single event, part of a broader sequence, or unrelated background activity.

Security teams using SonicWall devices are advised to take proactive steps to reduce exposure:

- Restrict access to SonicOS management interfaces and SSL VPN portals to trusted IP ranges only.
- Enforce multi-factor authentication (MFA) for all remote access accounts.
- Review configurations for unauthorized administrative accounts created after May 1, 2026.
- Deploy dynamic IP blocklists to filter suspicious traffic at the network edge.

Over the coming weeks, organizations should closely monitor SonicWall’s PSIRT advisories and be prepared to apply patches within 24 hours of any new vulnerability disclosure. Enhanced logging and outbound traffic monitoring are also recommended to detect potential compromise.

The current spike underscores how large-scale scanning activity can serve as an early signal of emerging threats, reinforcing the need for continuous monitoring and rapid response readiness.