Hackers Attacking SonicWall Firewalls from 4,000+ unique IP Addresses to Exploit Vulnerabilities

Cybersecurity News (original source: cybersecuritynews.com, by Blog Writer)

A large-scale reconnaissance campaign is actively targeting SonicWall firewalls across the internet, with attackers using more than 4,000 unique IP addresses to map vulnerable devices before launching exploitation attempts.

Between February 22 and February 25, 2026, threat actors generated 84,142 scanning sessions against SonicWall SonicOS infrastructure, originating from 4,305 distinct IP addresses across 20 autonomous systems.

The scale and coordination of this activity signal that a major exploitation wave could be imminent, placing thousands of organizations at serious risk.

SonicWall’s SSL VPN has long been one of the most targeted initial access vectors for ransomware groups.

The campaign’s primary focus was the SonicOS REST API endpoint that checks whether SSL VPN is active on a device — a prerequisite step attackers take before directing more aggressive credential tests at confirmed targets.

Ninety-two percent of all recorded sessions hit this single API path, confirming the goal was systematic construction of a target list rather than immediate exploitation.

GreyNoise researchers identified and closely tracked this campaign, noting that it operated through three operationally distinct infrastructure clusters working in a coordinated fashion across the four-day window.

The activity closely mirrors a campaign GreyNoise documented in December 2025, when attackers ran nine million scanning sessions against both Palo Alto and SonicWall VPN infrastructure from more than 7,000 IP addresses, sharing identical client fingerprints across both vendors.

The February 2026 campaign represents a clear continuation and escalation of that earlier pattern.

Campaign session volume (Source – GreyNoise)

What makes this campaign particularly alarming is the scale of the exposed attack surface.

More than 430,000 SonicWall firewalls are accessible on the public internet, with over 25,000 SSL VPN devices carrying unpatched critical vulnerabilities and roughly 20,000 running firmware no longer supported by the vendor.

Since March 2023, the Akira ransomware group has compromised at least 250 organizations through SonicWall VPN access, generating an estimated $244 million in ransom proceeds.

Fog ransomware accounts for another significant share, with some documented intrusions achieving full network encryption in under four hours.​

Five of the seven SonicWall CVEs relevant to this attack surface appear in CISA’s Known Exploited Vulnerabilities catalog, with four carrying documented ransomware use.

A cluster of six IPs based in Amsterdam simultaneously scanned for both SonicWall and Cisco ASA devices, pointing to a broader multi-vendor mapping operation that extends beyond a single product line.

How Attackers Concealed Themselves Behind a Commercial Proxy Service

One of the most technically significant aspects of this campaign was the deliberate use of a commercial proxy service to handle a major portion of the scanning.

Roughly 32% of total campaign volume — approximately 27,119 sessions — came from 4,102 rotating exit IP addresses routed through Canadian-hosted proxy infrastructure.

This service markets itself as providing access to over 100 million IP addresses across 150 countries, but in this operation it functioned as an anonymization layer to conceal the real source of the scanning traffic.

Four infrastructure clusters driving the campaign (Source – GreyNoise)

The proxy usage was surgical by design. Sessions were spread so that each exit IP averaged just 6.6 requests, staying below the thresholds that trigger rate-limiting or reputation-based blocking.

This renders traditional static blocklists nearly useless, since the infrastructure rotates through thousands of addresses within a single scan window.

The proxy service’s management platform had been offline since December 2025, leaving its exit nodes running without abuse monitoring for three months before this campaign began.

Fingerprint analysis showed that nearly 70% of all sessions shared one HTTP signature — a GET request over HTTP/1.0 paired with a Chrome 119 user agent — a combination that legitimate Chrome browsers never use, making it a reliable marker of automated scanning tools.

Organizations running SonicWall devices should immediately patch CVE-2024-53704 (CVSS 9.8, CISA KEV), enforce multi-factor authentication for all SSL VPN users, and restrict management interface access to trusted IP ranges.

They should also reset all local user passwords, especially those carried over from older firmware versions; monitor for HTTP/1.0 requests carrying modern browser user agents as an indicator of scanning activity; and decommission end-of-life SRA appliances, for which no patches are available for CVE-2021-20028 and CVE-2019-7481.
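The detection advice above (HTTP/1.0 requests paired with a modern browser user agent) can be turned into a simple log-scanning rule. The following is an added example written for this article, not code from GreyNoise or SonicWall: it parses constructed Apache/nginx "combined"-style access-log lines, flags the protocol/user-agent mismatch, and then summarizes hits per source IP. It generalizes slightly beyond the article's Chrome 119 observation by treating any current browser token (Chrome, Firefox, Edge, Safari) over HTTP/1.0 as suspect, since none of those browsers speak HTTP/1.0. The request path, IPs and timestamps in the sample are placeholders, not the real SonicOS endpoint.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format:
# ip ident user [timestamp] "METHOD path HTTP/x.y" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-agent tokens emitted by real, current browsers. All of them negotiate HTTP/1.1 or
# newer, so a request claiming one of these over HTTP/1.0 is almost certainly a scripted
# tool wearing a browser costume (the article's Chrome 119 over HTTP/1.0 signature).
BROWSER_UA_RE = re.compile(r"\b(?:Chrome|Firefox|Edg|Safari)/\d+")

CHROME_119 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
FIREFOX_121 = "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"

# Constructed sample log (RFC 5737 documentation addresses, placeholder path); not real data.
SAMPLE_LOG = f"""\
203.0.113.10 - - [23/Feb/2026:10:01:02 +0000] "GET /placeholder-api-path HTTP/1.0" 401 0 "-" "{CHROME_119}"
203.0.113.11 - - [23/Feb/2026:10:01:05 +0000] "GET /placeholder-api-path HTTP/1.0" 401 0 "-" "{CHROME_119}"
203.0.113.11 - - [23/Feb/2026:10:01:06 +0000] "GET /placeholder-api-path HTTP/1.0" 401 0 "-" "{CHROME_119}"
198.51.100.7 - - [23/Feb/2026:10:02:10 +0000] "GET /login HTTP/1.1" 200 5120 "-" "{CHROME_119}"
198.51.100.8 - - [23/Feb/2026:10:02:11 +0000] "GET /robots.txt HTTP/1.0" 404 0 "-" "curl/8.4.0"
192.0.2.5 - - [23/Feb/2026:10:03:30 +0000] "GET /placeholder-api-path HTTP/1.0" 401 0 "-" "{FIREFOX_121}"
"""


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_scanner_signature(rec):
    """True when the request is HTTP/1.0 but the user agent claims a modern browser."""
    return rec["proto"] == "HTTP/1.0" and BROWSER_UA_RE.search(rec["ua"]) is not None


def find_scanner_sessions(log_text):
    """Return the parsed records that match the protocol/user-agent mismatch rule."""
    flagged = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec and is_scanner_signature(rec):
            flagged.append(rec)
    return flagged


def summarize(flagged):
    """Aggregate flagged sessions per source IP.

    With proxy rotation, each exit IP makes only a handful of requests, so per-IP rate
    limits stay silent; the useful signal is the count of the signature across all IPs.
    """
    per_ip = Counter(r["ip"] for r in flagged)
    return {
        "flagged_sessions": len(flagged),
        "distinct_ips": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),
        "avg_per_ip": round(len(flagged) / len(per_ip), 2) if per_ip else 0.0,
        "top_sources": per_ip.most_common(5),
    }


if __name__ == "__main__":
    hits = find_scanner_sessions(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ts']} {rec['ip']} {rec['method']} {rec['path']} {rec['proto']} ua={rec['ua'][:40]}...")
    print(summarize(hits))
```

Run it against a real access log by feeding the file contents to `find_scanner_sessions`. The point of `summarize` is the aggregation: in the sample, no single IP exceeds two requests, which mirrors the article's observation that rotating exit nodes averaged 6.6 requests each, so alerting should be keyed on the signature count across sources rather than on per-IP volume.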
