VYPR
Advisory · Published May 25, 2026 · 1 source

Massive Surge in Scanning of SonicWall Firewall Interfaces Raises Pre-Disclosure Reconnaissance Concerns

GreyNoise detected 597,000 scanning sessions targeting SonicWall SonicOS management APIs on May 12, 2026—a 46-fold increase—mirroring patterns seen before the disclosure of CVE-2026-0400.

A sharp rise in internet-wide scanning activity targeting SonicWall firewall management interfaces has been detected, raising concerns about a potential pre-disclosure reconnaissance phase tied to new vulnerabilities. Threat intelligence firm GreyNoise reported a significant surge in scanning of SonicWall SonicOS management APIs between May 9 and May 18, 2026. The most notable spike occurred on May 12, when approximately 597,000 sessions were recorded in a single day. This represents a roughly 46-fold increase compared to the average daily activity observed over the previous 30 days, marking the highest single-day volume recorded on the SonicWall SonicOS API Scanner tag over the past 90 days.

GreyNoise researchers highlight that a similar spike earlier this year preceded the disclosure of CVE-2026-0400, a SonicWall vulnerability disclosed on February 24, 2026. Notably, the spikes on January 18, January 30, and February 14 occurred 37, 25, and 10 days before that disclosure, respectively. While this correlation does not confirm a new vulnerability, it reflects a recurring pattern where threat actors increase probing activity before public disclosure or exploitation campaigns.

Analysis of the GreyNoise scanning traffic reveals consistent tooling and infrastructure. Nearly 99% of requests use a Chrome 119 user-agent on Linux x86_64, matching earlier campaigns where 94.5% of traffic used the same fingerprint. Around 56% of traffic originates from networks in the Netherlands and 44% from Ukraine, accounting for over 99% of observed sessions. A single autonomous system (AS211736) contributes roughly half of the total scanning volume. Ports 80 and 8080 (HTTP) are almost exclusively targeted, indicating focus on web-based management interfaces. The majority of source IPs are categorized as suspicious by GreyNoise.

The scale and pattern of this activity suggest that defenders should treat the spike as an early warning signal. Although no new vulnerability has been confirmed, the correlation with previous pre-disclosure scanning patterns indicates that threat actors may be conducting reconnaissance for a future exploit. Security teams using SonicWall devices should take immediate precautions to reduce exposure and prepare for potential exploitation attempts.

GreyNoise advises restricting SonicOS management API and SSL VPN access to trusted IP ranges only, removing public exposure of firewall management interfaces, and enforcing multi-factor authentication (MFA) for all SSL VPN users. Organizations should also audit systems for unauthorized administrative accounts created after May 1, 2026, and deploy dynamic IP blocklists to filter known suspicious sources. For short-term monitoring, teams should track SonicWall PSIRT advisories for any new vulnerability disclosures and prepare to apply patches within 24 hours of release. Increasing log retention and enabling alerting for unusual outbound activity are also recommended.
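The following is an added example (not GreyNoise, SonicWall, or Vypr code) that turns the traffic profile described above and the audit recommendations into defender-side checks: it flags management-API requests from outside a trusted allowlist and tags those matching the reported scanner fingerprint (Chrome 119 on Linux x86_64, HTTP on ports 80/8080), computes a day-over-baseline spike ratio of the kind behind the 46-fold figure, and lists administrative accounts created after the May 1 cutoff. The log line format, the `/api/sonicos/` path prefix, the trusted range, and all sample data are assumptions constructed for illustration.

```python
"""Detection helpers for the SonicWall scanning pattern described in the advisory.
Added example, not vendor or GreyNoise code. Log format, field names, management
path prefix, and the trusted-range allowlist are assumptions; all samples are constructed."""
from datetime import date, datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean

# Scanner profile reported by GreyNoise: Chrome 119 on Linux x86_64, HTTP on 80/8080.
SCANNER_UA_MARKERS = ("Chrome/119.", "Linux x86_64")
SCANNER_PORTS = {80, 8080}
MGMT_PATH_PREFIX = "/api/sonicos/"          # assumed prefix for the management API

# Assumed allowlist of trusted administrative source ranges (placeholder values).
TRUSTED_RANGES = [ip_network("203.0.113.0/24")]

CHROME_UA = ('"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 '
             '(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"')
FIREFOX_UA = '"Mozilla/5.0 (Windows NT 10.0; rv:120.0) Gecko/20100101 Firefox/120.0"'

# Constructed access-log lines: '<iso-ts> <src_ip> <dst_port> <method> <path> "<user-agent>"'.
SAMPLE_LOG = [
    "2026-05-12T10:15:00 198.51.100.7 8080 GET /api/sonicos/auth " + CHROME_UA,
    "2026-05-12T10:15:03 203.0.113.5 443 POST /api/sonicos/config " + CHROME_UA,
    "2026-05-12T10:16:10 192.0.2.9 443 GET /api/sonicos/auth " + FIREFOX_UA,
    "2026-05-12T10:17:45 198.51.100.7 80 GET /index.html " + CHROME_UA,
]

# Constructed daily session counts: a flat 30-day baseline, then the May 12 spike.
DAILY_COUNTS = {date(2026, 4, 12) + timedelta(days=i): 13_000 for i in range(30)}
DAILY_COUNTS[date(2026, 5, 12)] = 597_000
SPIKE_DAY = date(2026, 5, 12)

# Constructed administrative account inventory and the advisory's audit cutoff.
ACCOUNTS = [
    {"name": "admin", "role": "admin", "created": date(2025, 1, 1)},
    {"name": "svc-backup", "role": "admin", "created": date(2026, 5, 9)},
    {"name": "viewer", "role": "readonly", "created": date(2026, 5, 10)},
]
AUDIT_CUTOFF = date(2026, 5, 1)


def parse_line(line):
    """Split one constructed log line into typed fields; the UA may contain spaces."""
    ts, src, port, method, path, rest = line.split(" ", 5)
    return {"ts": datetime.fromisoformat(ts), "src": ip_address(src),
            "port": int(port), "method": method, "path": path,
            "ua": rest.strip().strip('"')}


def matches_scanner_fingerprint(rec):
    """True when port, path and user-agent all match the reported scanner profile."""
    return (rec["port"] in SCANNER_PORTS
            and rec["path"].startswith(MGMT_PATH_PREFIX)
            and all(marker in rec["ua"] for marker in SCANNER_UA_MARKERS))


def is_trusted(src):
    return any(src in net for net in TRUSTED_RANGES)


def flag_untrusted_mgmt_access(lines):
    """Management-API requests from outside the allowlist, tagged with fingerprint match.
    Any hit here means the interface is reachable from an untrusted source."""
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec["path"].startswith(MGMT_PATH_PREFIX) and not is_trusted(rec["src"]):
            rec["scanner_fingerprint"] = matches_scanner_fingerprint(rec)
            flagged.append(rec)
    return flagged


def spike_ratio(daily_counts, day, baseline_days=30):
    """One day's count divided by the mean of the preceding baseline window."""
    window = sorted(d for d in daily_counts if d < day)[-baseline_days:]
    baseline = mean(daily_counts[d] for d in window) if window else 0
    return daily_counts.get(day, 0) / baseline if baseline else float("inf")


def admins_created_after(accounts, cutoff):
    """Admin accounts created after the cutoff; each one should be verified as authorized."""
    return [a["name"] for a in accounts if a["role"] == "admin" and a["created"] > cutoff]


def run_sample():
    """Run all three checks over the constructed data and return the results."""
    flagged = flag_untrusted_mgmt_access(SAMPLE_LOG)
    return {
        "untrusted_sources": [str(r["src"]) for r in flagged],
        "fingerprint_hits": [r["scanner_fingerprint"] for r in flagged],
        "spike_ratio": round(spike_ratio(DAILY_COUNTS, SPIKE_DAY), 1),
        "new_admins": admins_created_after(ACCOUNTS, AUDIT_CUTOFF),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

In practice the allowlist check is the one that matters most: a request that reaches the management path from any address outside `TRUSTED_RANGES` shows the interface is still publicly exposed, regardless of whether the user-agent matches this particular campaign, which is why the fingerprint is reported as a tag rather than used as the filter.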

This incident underscores the importance of proactive hardening and continuous monitoring for organizations relying on SonicWall infrastructure. The pattern of scanning spikes preceding vulnerability disclosures highlights the need for rapid patching readiness and vigilance against reconnaissance activities that may signal impending attacks.

Synthesized by Vypr AI