
Hackers Actively Scanning SonicWall Firewall Interfaces – 597,000 Sessions Observed
Urgent Alert: SonicWall Firewalls Under Active Scrutiny by Threat Actors – Over Half a Million Scan Sessions Recorded
In a concerning development for network defenders, threat intelligence firm GreyNoise has detected a significant surge in internet-wide reconnaissance activity specifically targeting SonicWall firewall management interfaces. This intense scanning, observed between May 9 and May 18, 2026, raises critical questions about potential pre-disclosure reconnaissance and the looming threat of new vulnerabilities.
With an alarming 597,000 sessions observed, this sustained probing of SonicWall SonicOS management APIs indicates a concerted effort by attackers to identify vulnerable devices. This blog post delves into the implications of this widespread scanning, what it means for organizations utilizing SonicWall products, and crucial steps to bolster your defenses.
The Probing Period: Understanding Pre-Disclosure Reconnaissance
The cybersecurity landscape often operates in predictable patterns. Before a widespread exploit campaign, threat actors frequently enter a “reconnaissance phase.” During this period, they actively scan the internet to identify potential targets, gauge the prevalence of specific technologies, and sometimes even test proof-of-concept exploits against unpatched vulnerabilities.
The current observed activity against SonicWall firewalls strongly suggests such a phase. While the exact vulnerabilities being sought are not yet confirmed, the sheer volume and targeted nature of the scanning point towards attackers either hunting for targets for a privately held exploit or preparing for the public disclosure of a new vulnerability. Scanning ahead of time lets them compile lists of potential targets, enabling rapid exploitation once a vulnerability becomes public, or even before.
Key Observations from GreyNoise
- Between May 9 and May 18, 2026, GreyNoise observed a dramatic increase in scanning activity directed at SonicWall SonicOS management APIs.
- Scanning peaked during a sustained period of high activity.
- The total number of observed scanning sessions reached a staggering 597,000.
- This activity is indicative of malicious actors attempting to map out the attack surface associated with SonicWall devices.
Why SonicWall Firewalls Are a Prime Target
SonicWall firewalls are widely deployed across various sectors, from small businesses to large enterprises, due to their robust security features. However, their pervasive use also makes them an attractive target for attackers. Gaining control over a firewall provides a critical gateway into a network, allowing threat actors to:
- Bypass perimeter defenses.
- Establish persistence within the network.
- Exfiltrate sensitive data.
- Launch further attacks against internal systems.
Historically, SonicWall products have been targeted by sophisticated threat actors, as seen with past vulnerabilities such as CVE-2021-20021 and CVE-2021-20023, which involved critical authentication bypass and code injection vulnerabilities.
Remediation Actions and Immediate Protections
Given this heightened threat landscape, organizations operating SonicWall firewalls must take immediate and decisive action to protect their networks. Proactive measures are paramount to mitigating potential risks.
- Isolate Management Interfaces: Ensure that SonicWall management interfaces are not directly exposed to the public internet. Whenever possible, restrict access to management GUIs and APIs to trusted internal networks or via secure access methods like VPNs.
- Implement Multi-Factor Authentication (MFA): Enforce MFA for all administrative access to SonicWall devices. This adds a crucial layer of security, making it significantly harder for attackers to gain unauthorized access even if they compromise credentials.
- Regularly Update Firmware: Keep your SonicWall SonicOS firmware up-to-date with the latest patches. This is the single most important step to address known vulnerabilities. Monitor SonicWall’s security advisories closely for new releases.
- Monitor Logs for Anomalous Activity: Implement robust logging and monitoring for your firewall. Look for unusual login attempts, repeated failed logins, or unexpected network traffic patterns originating from or targeting the firewall’s management interface. Integrate firewall logs with a Security Information and Event Management (SIEM) system for centralized analysis.
- Review Access Control Lists (ACLs): Strictly review and tighten ACLs on your SonicWall devices. Allow only necessary traffic to reach the management interface from explicitly defined source IP addresses.
- Perform Regular Vulnerability Scans: Conduct external and internal vulnerability scans against your perimeter devices, including your SonicWall firewalls, to identify any exposed services or misconfigurations.
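The monitoring step above asks defenders to look for repeated failed logins against the management interface. The script below is an added example (it is not code from this article, from GreyNoise, or from SonicWall) showing that check over a handful of constructed SonicWall-style syslog lines. It assumes a space-separated key=value log format with quoted values, a `msg` field carrying the login outcome, a `time` field of the form `"YYYY-MM-DD HH:MM:SS ..."`, and an IPv4 `src` field of the form `ip:port:interface`; the message text it matches on and all sample lines are assumptions, so adapt `parse_kv()` and `is_failed_admin_login()` to the exact fields your firmware emits.

```python
"""
Flag source IPs that generate a burst of failed administrator logins
against a firewall management interface, from key=value syslog lines.

Added example, not vendor code. Log format, field names and message
text are assumptions modelled on the SonicOS syslog style.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# key=value pairs; values are either a quoted string (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line):
    """Parse one key=value syslog line into a dict, stripping quotes from values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def source_ip(fields):
    """Return the IPv4 address from an assumed 'ip:port:interface' src field."""
    return fields.get("src", "").split(":")[0]


# Message fragments assumed to indicate a failed admin login (adjust to your firmware's wording)
FAIL_MARKERS = ("login failed", "login denied", "authentication failed")


def is_failed_admin_login(fields):
    msg = fields.get("msg", "").lower()
    return "administrator" in msg and any(marker in msg for marker in FAIL_MARKERS)


def detect_bruteforce(lines, threshold=5, window_seconds=300):
    """
    Return {source_ip: time_of_alert} for every source that produced at
    least `threshold` failed administrator logins within any sliding
    window of `window_seconds`. Lines that do not parse are skipped.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for line in lines:
        fields = parse_kv(line)
        if not is_failed_admin_login(fields):
            continue
        try:
            # assumed layout: 'YYYY-MM-DD HH:MM:SS' followed by an optional zone suffix
            ts = datetime.strptime(fields["time"][:19], "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue
        failures[source_ip(fields)].append(ts)

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # advance the window start until all events fit inside the window
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = t  # time of the event that crossed the threshold
                break
    return alerts


def _line(ts, msg, src, usr="admin"):
    """Helper to build a constructed sample line in the assumed format."""
    return (f'id=firewall sn=EXAMPLE000001 time="{ts} UTC" fw=192.0.2.1 pri=5 '
            f'msg="{msg}" usr="{usr}" src={src}:51000:X1 dst=192.0.2.1:443:X1')


# Constructed sample log (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    _line("2026-05-10 08:00:05", "Administrator login allowed", "10.0.0.5"),
    # six failures in under two minutes from one source: should alert
    *[_line(f"2026-05-10 08:0{m}:{s:02d}", "Administrator login failed", "203.0.113.7")
      for m, s in ((1, 0), (1, 20), (1, 40), (2, 0), (2, 20), (2, 40))],
    # two failures 25 minutes apart: below threshold
    _line("2026-05-10 08:05:00", "Administrator login failed", "198.51.100.4"),
    _line("2026-05-10 08:30:00", "Administrator login failed", "198.51.100.4"),
    # five failures spread over an hour: outside a 5-minute window, inside a 1-hour one
    *[_line(f"2026-05-10 {h:02d}:{m:02d}:00", "Administrator login failed", "192.0.2.200")
      for h, m in ((9, 0), (9, 15), (9, 30), (9, 45), (10, 0))],
]

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {ip} crossed the failed-login threshold at {when:%Y-%m-%d %H:%M:%S}")
```

Pointed at a live syslog feed or a SIEM export, the same function produces the per-source alerts the SIEM correlation rule would; the sliding window matters because slow, spread-out attempts that never exceed the threshold inside any window are intentionally not flagged, so tune `threshold` and `window_seconds` to your environment's baseline.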
Threat Detection and Scanning Tools
Leveraging appropriate tools is crucial for identifying potential exposures and monitoring for suspicious activity. Here’s a quick reference:
| Tool Name | Purpose | Link |
|---|---|---|
| Nmap | Network scanning and port enumeration | https://nmap.org/ |
| Shodan | Internet-connected device search engine, identifying exposed services | https://www.shodan.io/ |
| GreyNoise Intelligence | Identifies internet noise, including active scanning campaigns | https://greynoise.io/ |
| OWASP ZAP | Web application security scanner (useful for API testing) | https://www.zaproxy.org/ |
| SIEM Solutions (e.g., Splunk, Elastic Stack) | Centralized log management and security event monitoring | https://www.splunk.com/ |
Staying Vigilant: A Continuous Defense Strategy
The observed scanning activity underscores the continuous and evolving nature of cyber threats. Organizations must adopt a proactive and layered security approach, treating their firewalls as critical assets requiring constant attention and hardening. The digital perimeter is under constant assault, and only through diligent monitoring, rapid patching, and stringent access controls can organizations effectively defend against sophisticated threat actors.
Stay informed, stay patched, and secure your SonicWall devices.


