
Massive SonicWall Firewall Scanning Campaign Detected

Severity

High

Analysis Summary

A sharp increase in internet-wide scanning activity targeting SonicWall firewall management interfaces has raised concerns among cybersecurity researchers about a possible pre-disclosure reconnaissance phase linked to new vulnerabilities. Researchers observed a massive surge in scanning activity aimed at SonicOS management APIs between May 9 and May 18, 2026. The most significant spike occurred on May 12, when nearly 597,000 scanning sessions were detected in a single day, representing a 46-fold increase compared to the average activity recorded over the previous month. Researchers noted that this was the highest single-day scanning volume associated with the SonicWall SonicOS API Scanner tag within the last 90 days, indicating a highly coordinated reconnaissance effort focused on exposed firewall interfaces.

Researchers also pointed out that similar scanning spikes earlier in 2026 preceded the public disclosure of CVE-2026-0400, a previously reported SonicWall vulnerability announced on February 24, 2026. Historical spikes recorded on January 18, January 30, and February 14 occurred 37, 25, and 10 days before the vulnerability disclosure, respectively. Although researchers emphasized that the current activity does not confirm the existence of a new vulnerability, the repeated pattern strongly suggests that threat actors may be conducting early-stage reconnaissance ahead of future exploitation campaigns or vulnerability disclosures. This behavior reflects a common tactic where attackers map exposed services and identify potential targets before launching attacks.

Technical analysis of the scanning activity revealed a highly consistent infrastructure and tooling pattern. Nearly 99% of requests used a Chrome 119 user-agent running on Linux x86_64 systems, closely matching fingerprints observed in earlier campaigns. Around 56% of the traffic originated from networks located in the Netherlands, while approximately 44% came from Ukraine, together accounting for more than 99% of all observed sessions. Researchers further identified that a single autonomous system, AS211736, generated nearly half of the total scanning activity. The scans primarily targeted ports 80 and 8080, indicating a focus on web-based management interfaces commonly used for SonicOS administration. GreyNoise also classified most of the source IP addresses involved in the activity as suspicious, reinforcing concerns that the scanning may be linked to malicious reconnaissance operations.
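The fingerprint and the day-over-day spike pattern described above can be turned into a simple detection over management-interface access logs. This is an added example, not code from Rewterz or GreyNoise; the log line layout, the /api/sonicos path, the sample lines and the 3x spike factor are assumptions made for illustration.

```python
import re
from collections import Counter
from statistics import mean

# Constructed sample lines (not real traffic): "<date> <src_ip> <dst_port> <path> <user-agent>"
SAMPLE_LOG = """\
2026-05-10 198.51.100.7 443 /sonicui/7/login Mozilla/5.0 (Windows NT 10.0) Chrome/124.0.0.0
2026-05-10 203.0.113.10 8080 /api/sonicos/auth Mozilla/5.0 (X11; Linux x86_64) Chrome/119.0.0.0 Safari/537.36
2026-05-11 203.0.113.11 80 /api/sonicos/auth Mozilla/5.0 (X11; Linux x86_64) Chrome/119.0.0.0 Safari/537.36
2026-05-12 203.0.113.12 80 /api/sonicos/auth Mozilla/5.0 (X11; Linux x86_64) Chrome/119.0.0.0 Safari/537.36
2026-05-12 203.0.113.13 8080 /api/sonicos/auth Mozilla/5.0 (X11; Linux x86_64) Chrome/119.0.0.0 Safari/537.36
2026-05-12 203.0.113.14 8080 /api/sonicos/auth Mozilla/5.0 (X11; Linux x86_64) Chrome/119.0.0.0 Safari/537.36
2026-05-12 203.0.113.15 80 /api/sonicos/auth Mozilla/5.0 (X11; Linux x86_64) Chrome/119.0.0.0 Safari/537.36
2026-05-12 203.0.113.16 80 /api/sonicos/auth Mozilla/5.0 (X11; Linux x86_64) Chrome/119.0.0.0 Safari/537.36
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (.*)$")

def parse_line(line):
    """Split one assumed-format log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    day, src, port, path, ua = m.groups()
    return {"day": day, "src": src, "port": int(port), "path": path, "ua": ua}

def matches_fingerprint(rec):
    """The advisory's pattern: Chrome 119 on Linux x86_64, ports 80/8080, a SonicOS API path (path is assumed)."""
    return (rec["port"] in (80, 8080)
            and "Chrome/119." in rec["ua"]
            and "Linux x86_64" in rec["ua"]
            and rec["path"].startswith("/api/sonicos"))

def fingerprinted_sessions_per_day(log_text):
    """Count fingerprint-matching sessions per calendar day."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and matches_fingerprint(rec):
            counts[rec["day"]] += 1
    return counts

def spike_days(counts, factor):
    """Flag a day whose count exceeds `factor` times the mean of every other day (needs at least two days)."""
    flagged = []
    for day, n in counts.items():
        others = [v for d, v in counts.items() if d != day]
        if others and n > factor * mean(others):
            flagged.append(day)
    return sorted(flagged)

if __name__ == "__main__":
    daily = fingerprinted_sessions_per_day(SAMPLE_LOG)
    print(dict(daily), "spike days:", spike_days(daily, 3))
```

In production the baseline should be the previous month's daily mean, as in the advisory, rather than the other days in the same file.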

Security teams using SonicWall infrastructure have been urged to take immediate defensive actions to reduce potential exposure and prepare for possible exploitation attempts. Recommended measures include restricting SonicOS management APIs and SSL VPN access to trusted IP ranges only, removing public exposure of firewall management interfaces, and enforcing multi-factor authentication for all SSL VPN users. Organizations are also advised to audit systems for unauthorized administrative accounts created after May 1, 2026, deploy dynamic IP blocklists to filter suspicious sources, and closely monitor SonicWall PSIRT advisories for any newly disclosed vulnerabilities. Additional recommendations include increasing log retention, enabling alerts for unusual outbound activity, and preparing to apply security patches within 24 hours of release. While no new vulnerability has been officially confirmed, researchers warn that the scale and pattern of the activity should be treated as an early warning signal requiring proactive hardening and continuous monitoring.

Impact

  • Gain Access

Indicators of Compromise

CVE

  • CVE-2026-0400

Remediation

  • Restrict SonicOS management API access to trusted internal IP addresses only.
  • Remove public internet exposure of firewall management interfaces whenever possible.
  • Enforce multi-factor authentication (MFA) for all SSL VPN and administrative accounts.
  • Disable unnecessary remote management services and unused ports.
  • Apply the latest SonicWall firmware and security patches immediately after release.
  • Continuously monitor SonicWall PSIRT advisories for newly disclosed vulnerabilities.
  • Implement dynamic IP blocklists to block known suspicious and malicious IP addresses.
  • Audit firewall devices for unauthorized administrative accounts or suspicious configuration changes.
  • Increase log retention and enable real-time alerts for unusual login attempts or outbound traffic.
  • Restrict access to ports 80 and 8080 if not required for management operations.
  • Segment firewall management interfaces from production networks using network segmentation.
  • Conduct regular vulnerability assessments and penetration testing on exposed infrastructure.
  • Enable geo-blocking policies for regions generating high volumes of suspicious scanning activity if operationally feasible.