Surge in Reconnaissance Activity
A coordinated wave of internet scanning targeting SonicWall firewall management interfaces has been detected, with threat researchers observing a dramatic spike in activity between May 9 and May 18, 2026. GreyNoise threat intelligence reported that on May 12 alone, nearly 597,000 scanning sessions were recorded against SonicWall SonicOS management APIs. This volume represents a 46-fold increase over the average daily scanning seen in the prior 30 days, marking the highest single-day activity for this scanner tag in the last three months.
Patterns and Potential Implications
The scanning infrastructure shows remarkable consistency. Almost 99 percent of requests originate from systems using a Chrome 119 user-agent on Linux x86_64. Geographically, 56 percent of traffic comes from Netherlands-based networks and 44 percent from Ukraine, with a single autonomous system contributing roughly half of all scanning volume. The targets are almost exclusively ports 80 and 8080, indicating a focus on web-based management interfaces.
GreyNoise researchers note that similar scanning spikes preceded the disclosure of a previous SonicWall vulnerability in February 2026. While this correlation does not confirm a new vulnerability exists, it follows a recurring pattern where threat actors intensify probing activity ahead of public disclosures or exploitation campaigns. Security teams managing SonicWall appliances should immediately restrict access to management interfaces and monitor for unusual traffic patterns.
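One way to monitor for the traffic profile described above is to count daily sessions that hit ports 80 or 8080 with a Chrome 119 on Linux x86_64 user-agent and compare each day against the preceding days. This is an added example, not code from GreyNoise or SonicWall. The log format, the sample data, and the 10x alert threshold are assumptions.

```python
import re
from collections import Counter
from statistics import mean

MGMT_PORTS = {"80", "8080"}                              # ports named in the report
UA_PROFILE = re.compile(r"Linux x86_64.*Chrome/119\.")   # Chrome 119 on Linux x86_64
UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")

def sample_log():
    """Constructed log lines: date,src_ip,dst_port,user_agent (assumed format)."""
    rows = []
    for day in range(1, 12):                             # eleven quiet baseline days
        rows += [f"2026-05-{day:02d},192.0.2.{day},8080,{UA}"] * 2
        rows.append(f"2026-05-{day:02d},198.51.100.7,443,curl/8.5.0")  # outside the profile
    rows += [f"2026-05-12,203.0.113.{i % 250},80,{UA}" for i in range(92)]  # spike day
    return "\n".join(rows)

def daily_profile_counts(log_text):
    """Count sessions per day that match both the port and user-agent profile."""
    counts = Counter()
    for line in log_text.splitlines():
        date, _src, port, agent = line.split(",", 3)     # the user-agent itself contains commas
        if port in MGMT_PORTS and UA_PROFILE.search(agent):
            counts[date] += 1
    return counts

def spike_days(counts, factor=10.0, window=30):
    """Return {date: ratio} for days at or above factor x the mean of up to `window` prior days with data."""
    flagged, days = {}, sorted(counts)                   # ISO dates sort chronologically
    for i, day in enumerate(days):
        prior = [counts[d] for d in days[max(0, i - window):i]]
        if prior and counts[day] >= factor * mean(prior):
            flagged[day] = round(counts[day] / mean(prior), 1)
    return flagged

if __name__ == "__main__":
    for day, ratio in spike_days(daily_profile_counts(sample_log())).items():
        print(f"{day}: {ratio}x the prior-day average")
```

Days with no matching sessions are absent from the counts, so the baseline is the mean over days that had at least one match.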
Source: Cyber Security News
