SonicWall scans put firewalls on alert
Arabian Post
The surge in scanning against SonicWall firewall management interfaces, recorded between 9 May and 18 May, stood out because the 12 May peak was roughly 46 times the normal daily volume seen over the previous 30 days. Researchers tracking the activity said the pattern resembled reconnaissance that preceded a SonicWall vulnerability disclosure in February, although they stopped short of predicting a new flaw or confirming exploitation.
The scanning focused on SonicOS management interfaces, a sensitive part of firewall infrastructure because such consoles can expose configuration controls, administrative workflows and VPN-related functions when made reachable from the public internet. SonicWall firewalls are widely used by companies, managed service providers and branch-office networks, making them attractive targets for attackers searching for weak access controls, unpatched firmware or misconfigured remote administration.
A notable feature of the May activity was its consistency. About 99 per cent of the observed requests carried a single browser user-agent string, Chrome 119 on Linux x86_64, which points to standardised tooling rather than random background noise. More than 99 per cent of the traffic came from networks registered in the Netherlands and Ukraine, and one autonomous system alone accounted for roughly half of the recorded session volume. Ports 80 and 8080 carried almost all of the scanning, so the probes went to plain-HTTP ports rather than the default HTTPS management port 443.
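The two paragraphs above describe the same three signals a detection rule would key on: volume against a trailing 30-day baseline, and how uniform the tooling looks (one user-agent, one source ASN, a couple of ports). The following is an added example, not code from the article, Arabian Post or SonicWall: it parses a constructed, assumed log format into events, scores one day against the baseline, and flags the day when the ratio and the user-agent concentration both cross thresholds. The line format, the ASN field, the `PEAK` date and the thresholds are assumptions; real SonicOS or reverse-proxy logs need their own parser.

```python
"""Score a day of management-interface requests against a trailing baseline.

Added example, not from the article or SonicWall. The log format, ASN field
and thresholds are assumptions chosen to illustrate the signals described.
"""
import re
from collections import Counter
from datetime import date, timedelta

# Assumed line format (constructed, not real telemetry):
#   <YYYY-MM-DD> <src_ip> AS<asn> :<dst_port> "<user-agent>"
LINE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) (\S+) AS(\d+) :(\d+) "([^"]*)"$')

PEAK = date(2026, 5, 12)
SPIKE_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")


def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    day, ip, asn, port, ua = m.groups()
    return {"day": date.fromisoformat(day), "ip": ip, "asn": int(asn),
            "port": int(port), "ua": ua}


def baseline(counts, day, window=30):
    """Mean daily request count over the `window` days before `day`."""
    prior = (day - timedelta(days=i) for i in range(1, window + 1))
    return sum(counts.get(d, 0) for d in prior) / window


def concentration(events, key):
    """Share of events held by the single most common value of `key`."""
    if not events:
        return 0.0
    _, n = Counter(e[key] for e in events).most_common(1)[0]
    return n / len(events)


def score_day(events, day, window=30, spike=10.0, uniform=0.9):
    """Flag `day` when volume >= spike x baseline and one user-agent dominates."""
    counts = Counter(e["day"] for e in events)
    todays = [e for e in events if e["day"] == day]
    base = baseline(counts, day, window)
    volume = counts.get(day, 0)
    details = {
        "volume": volume,
        "baseline": base,
        "ratio": volume / base if base else float("inf"),
        "ua_share": concentration(todays, "ua"),
        "asn_share": concentration(todays, "asn"),
        "port_share": concentration(todays, "port"),
    }
    flagged = details["ratio"] >= spike and details["ua_share"] >= uniform
    return flagged, details


def constructed_lines():
    """Synthetic log: 30 quiet days, then a burst shaped like the 12 May peak."""
    lines = []
    for i in range(1, 31):                       # two varied requests per quiet day
        d = (PEAK - timedelta(days=i)).isoformat()
        lines.append(f'{d} 203.0.113.{i} AS64500 :443 "curl/8.4.0"')
        lines.append(f'{d} 198.51.100.{i} AS64501 :443 '
                     f'"Mozilla/5.0 (Windows NT 10.0) Firefox/115.0"')
    for i in range(100):                         # peak day: 99 % one UA, half one ASN
        ua = SPIKE_UA if i < 99 else "python-requests/2.31"
        asn = 64600 if i < 50 else 64601 + i % 3
        port = 80 if i % 2 == 0 else 8080
        lines.append(f'{PEAK.isoformat()} 192.0.2.{i} AS{asn} :{port} "{ua}"')
    return lines


def demo(offset_days=0):
    """Score PEAK shifted back by `offset_days` over the synthetic log."""
    events = [e for e in map(parse, constructed_lines()) if e]
    return score_day(events, PEAK - timedelta(days=offset_days))


if __name__ == "__main__":
    flagged, details = demo()
    print("ALERT" if flagged else "quiet", details)
```

The ratio threshold alone would also fire on a legitimate traffic change such as a monitoring rollout; requiring the user-agent share to cross `uniform` as well is what separates one operator's scanner from organic load. The ASN and port shares are reported rather than gated on, because a campaign that spreads across many networks would still be worth seeing.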
Security specialists view such activity as reconnaissance rather than proof of compromise. Still, the timing has drawn scrutiny because SonicWall disclosed several SonicOS vulnerabilities this year, including CVE-2026-0400 on 24 February. That issue is a post-authentication format string flaw that can allow a remote attacker to crash a firewall. Earlier spikes on 18 January, 30 January and 14 February came 37, 25 and 10 days before that disclosure, creating concern that large scanning bursts may sometimes precede public vulnerability announcements.
SonicWall also issued fixes on 29 April for three SonicOS vulnerabilities affecting Gen 6, Gen 7 and Gen 8 firewalls. The most serious, CVE-2026-0204, is an access-control weakness that can make certain management interface functions reachable under specific conditions. Two medium-severity flaws, CVE-2026-0205 and CVE-2026-0206, involve path traversal and firewall crash risks. Affected firmware comprised versions before 6.5.5.2-28n (Gen 6), 7.3.2-7010 (Gen 7) and 8.2.0-8009 (Gen 8).
The broader concern is that edge devices have become a priority target for criminal and state-linked actors. Firewalls, VPN gateways and routers sit at the perimeter of corporate networks and often remain reachable at all hours. Once compromised, they can give attackers a foothold before endpoint tools detect suspicious activity inside the network.
Ransomware operators have repeatedly exploited weaknesses in remote-access and perimeter appliances across the sector. Groups targeting firewall and VPN products often move quickly after advisories are published, scanning for unpatched systems and using stolen credentials or exposed portals to reach internal networks. That has placed pressure on administrators to treat edge-device patching as an emergency process rather than a routine maintenance task.
For SonicWall users, the immediate risk depends on configuration, firmware status and exposure. Devices whose management interface is reachable from the public internet face the highest risk. Security teams are being urged to restrict management access to known administrative IP ranges, disable HTTP and HTTPS management access from the internet where it is not strictly needed, enforce multi-factor authentication on SSL VPN accounts, and review any administrative accounts created since 1 May.
Organisations unable to patch immediately are advised to apply temporary mitigations, including limiting access to SSH-only management where appropriate and blocking suspicious infrastructure at the edge. Those steps do not replace firmware updates, but they can reduce attack surface while change-control approvals or maintenance windows are completed.
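The two paragraphs above amount to an audit checklist: management access limited to administrative ranges, no plain-HTTP management from the internet, MFA on SSL VPN, and a review of recently created admin accounts. The following is an added example, not SonicWall's tooling or its configuration export format: the dict schema, the trusted `ADMIN_RANGES` network and the `REVIEW_FROM` date are assumptions standing in for whatever you export from the device. It audits a constructed weak configuration, applies a hardening pass, and audits again, which shows that the recently created account still needs a human review after the configuration is fixed.

```python
"""Audit firewall management exposure, SSL VPN MFA and recent admin accounts.

Added example, not SonicWall's tooling or configuration format. The schema,
the trusted admin range and the review date are assumptions.
"""
import copy
import ipaddress
from datetime import date

ADMIN_RANGES = [ipaddress.ip_network("10.20.0.0/24")]  # assumed admin jump network
REVIEW_FROM = date(2026, 5, 1)                          # accounts created on/after this date
MGMT_SERVICES = {"HTTP", "HTTPS"}


def rule_exposes_mgmt(rule):
    """True if a rule allows HTTP/HTTPS management from outside ADMIN_RANGES."""
    if rule["action"] != "allow" or rule["service"] not in MGMT_SERVICES:
        return False
    src = ipaddress.ip_network(rule["source"], strict=False)
    return not any(src.version == r.version and src.subnet_of(r)
                   for r in ADMIN_RANGES)


def audit(config):
    """Return a list of human-readable findings; an empty list means nothing to do."""
    findings = []
    for rule in config["management_rules"]:
        if rule_exposes_mgmt(rule):
            findings.append(f"{rule['service']} management allowed from "
                            f"{rule['source']} on {rule['zone']}")
    if not config["sslvpn"]["mfa_required"]:
        findings.append("SSL VPN accepts password-only logins")
    for acct in config["admins"]:
        if date.fromisoformat(acct["created"]) >= REVIEW_FROM:
            findings.append(f"admin account '{acct['name']}' created "
                            f"{acct['created']}, review it")
    return findings


def harden(config):
    """Copy of config with management pinned to ADMIN_RANGES and MFA enforced."""
    fixed = copy.deepcopy(config)
    for rule in fixed["management_rules"]:
        if not rule_exposes_mgmt(rule):
            continue
        if rule["service"] == "HTTP":
            rule["action"] = "deny"                # plaintext management: off, not narrowed
        else:
            rule["source"] = str(ADMIN_RANGES[0])  # HTTPS only from the admin range
    fixed["sslvpn"]["mfa_required"] = True
    return fixed


# Constructed weak configuration (not a real device export).
WEAK = {
    "management_rules": [
        {"zone": "WAN", "service": "HTTPS", "source": "0.0.0.0/0", "action": "allow"},
        {"zone": "WAN", "service": "HTTP", "source": "0.0.0.0/0", "action": "allow"},
        {"zone": "LAN", "service": "SSH", "source": "10.20.0.0/24", "action": "allow"},
    ],
    "sslvpn": {"mfa_required": False},
    "admins": [
        {"name": "admin", "created": "2021-03-02"},
        {"name": "svc-backup", "created": "2026-05-06"},
    ],
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", harden(WEAK))):
        print(f"[{label}]")
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
```

The hardening pass deliberately treats HTTP and HTTPS differently: narrowing a plaintext management rule to a trusted range still leaves credentials on the wire, so it is denied outright, while HTTPS is kept but pinned to the administrative range. The account finding survives on purpose; no configuration change can tell you whether `svc-backup` was created by a colleague or by someone who already had access.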
The scanning spike also highlights a wider weakness in traditional defensive models. IP reputation feeds alone may not catch campaigns that rotate through fresh infrastructure or concentrate activity in providers not previously linked to malicious behaviour. Real-time telemetry, longer log retention and alerting on outbound connections initiated by the firewall itself are becoming more important as attackers focus on devices that were once treated as trusted security controls.