Hundreds of Thousands of SonicWall Firewalls Targeted in Massive Reconnaissance Campaign
A large-scale reconnaissance campaign has been actively targeting SonicWall firewalls across the internet, with attackers employing over 4,000 unique IP addresses to identify vulnerable devices before initiating exploitation attempts. Between February 22 and February 25, 2026, threat actors conducted 84,142 scanning sessions against SonicWall SonicOS infrastructure, originating from 4,305 distinct IP addresses. The coordinated nature and magnitude of this activity suggest a significant exploitation wave may be imminent, posing a serious risk to numerous organizations.
The primary objective of this campaign was to probe the SonicOS REST API endpoint responsible for verifying the SSL VPN status on a device. This is a critical preliminary step for attackers seeking to gain unauthorized access, serving as a precursor to more aggressive credential testing. Data indicates that 92% of all scanning sessions targeted this specific API path, underscoring a systematic effort to build a comprehensive list of potential targets rather than to exploit immediately.
Researchers at GreyNoise have been closely monitoring this campaign, noting its operation across three distinct, yet coordinated, infrastructure clusters within the four-day period. This pattern bears a striking resemblance to a similar campaign observed in December 2025, which targeted both Palo Alto and SonicWall VPN infrastructure from over 7,000 IP addresses, utilizing identical client fingerprints. The February 2026 activity appears to be a direct continuation and escalation of these earlier patterns.
The scale of the attack surface exposed in this campaign is particularly concerning. Over 430,000 SonicWall firewalls are publicly accessible online. Among these, an estimated 25,000 SSL VPN devices are running unpatched critical vulnerabilities, and approximately 20,000 are utilizing firmware that is no longer supported by the vendor. This creates a significant window of opportunity for threat actors.
The prominence of SonicWall’s SSL VPN as an initial access vector for ransomware groups is well-documented. Since March 2023, the Akira ransomware group has reportedly compromised at least 250 organizations using SonicWall VPN access, generating an estimated $244 million in ransom proceeds. The Fog ransomware group has also been linked to significant intrusions, with some instances achieving full network encryption in under four hours.
Adding to the concern, five of the seven SonicWall Common Vulnerabilities and Exposures (CVEs) relevant to this attack surface are listed in CISA’s Known Exploited Vulnerabilities catalog. Four of these have documented instances of ransomware use. Furthermore, a cluster of six IP addresses originating from Amsterdam was observed scanning for vulnerabilities in both SonicWall and Cisco ASA devices, indicating a broader, multi-vendor mapping operation beyond a single product line.
How Attackers Concealed Themselves Behind a Commercial Proxy Service
A technically sophisticated aspect of this campaign involved the deliberate use of a commercial proxy service to anonymize a significant portion of the scanning activity. Approximately 32% of the total campaign volume, amounting to roughly 27,119 sessions, originated from 4,102 rotating exit IP addresses routed through Canadian-hosted proxy infrastructure. This service advertises access to over 100 million IP addresses globally, but in this instance, it served as an anonymization layer to obscure the true origin of the scanning traffic.
The deployment of the proxy service was highly strategic, designed to evade detection. Sessions were distributed such that each exit IP averaged only 6.6 requests. This low volume per IP address stayed below the thresholds that typically trigger rate-limiting or reputation-based blocking mechanisms. Consequently, traditional static blocklists proved ineffective, as the infrastructure rotated through thousands of addresses within a single scanning window. Notably, the proxy service’s management platform had been offline since December 2025, leaving its exit nodes unmonitored for abuse for three months prior to this campaign’s launch.
Fingerprint analysis revealed a consistent pattern: nearly 70% of all sessions shared a single HTTP signature. This signature involved a GET request over HTTP/1.0 combined with a Chrome 119 user agent. This specific combination is not used by legitimate Chrome browsers, making it a reliable indicator of automated scanning tools rather than legitimate user activity.
Organizations operating SonicWall devices are strongly advised to immediately apply patches for CVE-2024-53704, which carries a CVSS score of 9.8 and is listed on CISA’s Known Exploited Vulnerabilities list. Additionally, implementing multi-factor authentication for all SSL VPN users and restricting management interface access to trusted IP ranges are crucial steps. It is also recommended to reset all local user passwords, particularly those carried over from older firmware versions, and to monitor network traffic for HTTP/1.0 requests with modern browser user agents as potential indicators of scanning activity. Finally, decommissioning end-of-life SRA appliances that lack available patches for CVE-2021-20028 and CVE-2019-7481 is essential for mitigating ongoing risks.
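The detection advice above (watch for HTTP/1.0 requests carrying a modern browser user agent, and expect each proxy exit IP to send only a handful of requests) can be turned into a small log check. The following is an added example written for this article; it is not code from GreyNoise, SonicWall or the original report. It assumes web-server logs in Combined Log Format with a trailing User-Agent field, uses constructed sample lines with RFC 5737 documentation addresses, uses a placeholder path because the article does not name the SonicOS API endpoint, and treats any Chrome, Firefox or Edge major version of 50 or higher speaking HTTP/1.0 as the scanner fingerprint (the version floor is an assumption, not a figure from the article). It groups hits by fingerprint rather than by source IP, which is why the per-IP counts stay small while the fingerprint cluster is large, the same property that defeats per-IP rate limiting in the campaign described.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Combined Log Format with a trailing quoted User-Agent field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A modern browser engine token followed by its major version.
MODERN_UA_RE = re.compile(r'\b(Chrome|Firefox|Edg)/(?P<major>\d+)')
# Assumption: browsers at or above this major version never emit HTTP/1.0.
MIN_MODERN_MAJOR = 50

# Constructed user-agent matching the article's "Chrome 119" description.
CHROME_119_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
# Placeholder: the article does not name the SonicOS VPN-status API path.
PROBE_PATH = "/api/PLACEHOLDER-sslvpn-status"


def log_line(ip, path, proto, ua, status=401):
    """Build a constructed Combined Log Format line for the sample below."""
    return (f'{ip} - - [24/Feb/2026:03:14:07 +0000] "GET {path} {proto}" '
            f'{status} 0 "-" "{ua}"')


# Constructed sample log: three proxy exits sending HTTP/1.0 probes with a
# Chrome 119 UA, plus benign traffic that must not be flagged.
SAMPLE_LOG = [
    log_line("203.0.113.10", PROBE_PATH, "HTTP/1.0", CHROME_119_UA),
    log_line("203.0.113.11", PROBE_PATH, "HTTP/1.0", CHROME_119_UA),
    log_line("203.0.113.11", PROBE_PATH, "HTTP/1.0", CHROME_119_UA),
    log_line("198.51.100.7", PROBE_PATH, "HTTP/1.0", CHROME_119_UA),
    # Real Chrome 119 session: same UA, but HTTP/1.1 as a browser would send.
    log_line("192.0.2.5", "/", "HTTP/1.1", CHROME_119_UA, status=200),
    # HTTP/1.0 from a tool that honestly identifies itself: not this fingerprint.
    log_line("192.0.2.6", "/", "HTTP/1.0", "curl/8.4.0", status=200),
    log_line("192.0.2.7", "/sslvpn", "HTTP/1.1",
             "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0",
             status=200),
]


@dataclass(frozen=True)
class Hit:
    ip: str
    path: str
    proto: str
    ua: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_scanner_fingerprint(proto, ua):
    """True for an HTTP/1.0 request line carrying a modern browser User-Agent."""
    if proto != "HTTP/1.0":
        return False
    m = MODERN_UA_RE.search(ua)
    return bool(m) and int(m.group("major")) >= MIN_MODERN_MAJOR


def scan_log(lines):
    """Return every parsed request that matches the scanner fingerprint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_scanner_fingerprint(rec["proto"], rec["ua"]):
            hits.append(Hit(rec["ip"], rec["path"], rec["proto"], rec["ua"]))
    return hits


def summarize(hits):
    """Aggregate by source IP and by (protocol, UA) fingerprint.

    Per-IP counts stay low under a rotating proxy; the fingerprint cluster
    is what exposes the campaign as a single coordinated scanner."""
    per_ip = Counter(h.ip for h in hits)
    per_fingerprint = Counter((h.proto, h.ua) for h in hits)
    return {
        "total": len(hits),
        "distinct_ips": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),
        "largest_fingerprint_cluster": max(per_fingerprint.values(), default=0),
    }


if __name__ == "__main__":
    result = summarize(scan_log(SAMPLE_LOG))
    for key, value in result.items():
        print(f"{key}: {value}")
```

On real logs, feed `scan_log` the lines of the firewall's or reverse proxy's access log; a fingerprint cluster that is large while every contributing IP has only a few requests is the signal worth alerting on, and a static blocklist built from those IPs will lag behind the rotation.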