An extensive reconnaissance effort is targeting SonicWall firewalls globally, with over 4,000 unique IP addresses used to identify susceptible devices. This large-scale campaign is a precursor to potential exploitation attempts aimed at SonicWall SonicOS users. The activity, spanning from February 22 to February 25, 2026, saw threat actors initiate 84,142 scanning sessions originating from 4,305 different IP addresses across 20 autonomous systems.
Potential Impact of the Campaign
The coordinated nature and magnitude of this campaign suggest an imminent exploitation wave, posing a significant threat to thousands of organizations. Historically, SonicWall’s SSL VPN has been a primary access point for ransomware groups. The current campaign targets the SonicOS REST API endpoint, a critical step in identifying active SSL VPNs before launching more aggressive tactics on confirmed targets. Notably, 92% of recorded sessions focused on this API path, indicating the attackers’ intent to build a comprehensive list of potential victims.
Historical Context and Scale
Research by GreyNoise reveals that this campaign involved three distinct operational infrastructure clusters functioning in unison over four days. The pattern mirrors a similar operation documented in December 2025, where attackers conducted nine million scans against both Palo Alto and SonicWall VPN infrastructures using over 7,000 IP addresses with identical client fingerprints. This latest activity signifies a continuation and escalation of previous efforts.
Alarmingly, more than 430,000 SonicWall firewalls are accessible online, with over 25,000 SSL VPN devices harboring critical vulnerabilities and approximately 20,000 running outdated firmware. Since March 2023, the Akira ransomware group exploited SonicWall VPN access to compromise at least 250 organizations, amassing approximately $244 million in ransom payments.
Technical Tactics Employed
A notable aspect of the campaign is the use of a commercial proxy service, which contributed to 32% of the campaign’s volume, or about 27,119 sessions, through 4,102 rotating exit IP addresses managed via Canadian proxy infrastructure. This service, boasting access to over 100 million IP addresses in 150 countries, provided an anonymization layer to obscure the true origin of the scanning traffic.
The proxy usage was meticulously planned, with each exit IP averaging only 6.6 requests to evade rate-limiting and reputation-based blocking. The proxy service’s management platform has been offline since December 2025, leaving its exit nodes unmonitored for abuse. Almost 70% of the sessions shared a fingerprint: a GET request over HTTP/1.0 with a Chrome 119 user agent, a combination not produced by legitimate browsers, marking it as a signal of automated scanning tools.
Organizations using SonicWall devices are advised to promptly patch CVE-2024-53704, enforce multi-factor authentication for all SSL VPN users, restrict management access to trusted IPs, reset local user passwords from older firmware, monitor for suspicious HTTP/1.0 requests with modern user agents, and decommission unsupported SRA appliances vulnerable to CVE-2021-20028 and CVE-2019-7481.
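The fingerprint described above (an HTTP/1.0 GET carrying a modern Chrome user agent) can be checked against ordinary web-server access logs. The following is an added example, not code from the original article or from GreyNoise; it assumes combined-log-format input, uses constructed sample lines with documentation-range addresses and a placeholder API path, and treats Chrome 100+ as "modern" (an assumed threshold).

```python
import re
from collections import Counter

# Combined log format as written by Apache/nginx; the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CHROME_UA_RE = re.compile(r"Chrome/(?P<major>\d+)")
# Assumed threshold: any Chrome this recent negotiates HTTP/1.1 or HTTP/2, never HTTP/1.0.
MODERN_CHROME_MAJOR = 100

def parse_line(line):
    """Return the log fields as a dict, or None when the line is not combined-log format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(rec):
    """The fingerprint from the article: an HTTP/1.0 request carrying a modern Chrome UA."""
    if rec["version"] != "1.0":
        return False
    m = CHROME_UA_RE.search(rec["ua"])
    return bool(m) and int(m.group("major")) >= MODERN_CHROME_MAJOR

def scan(lines):
    """Count suspicious requests per source IP; unparseable lines are skipped, not flagged."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits[rec["ip"]] += 1
    return dict(hits)

# Constructed sample: documentation-range addresses and a placeholder API path.
CHROME119 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
SAMPLE_LOG = [
    f'203.0.113.10 - - [23/Feb/2026:10:01:02 +0000] "GET /api/constructed-path HTTP/1.0" 401 0 "-" "{CHROME119}"',
    f'203.0.113.10 - - [23/Feb/2026:10:01:05 +0000] "GET /api/constructed-path HTTP/1.0" 401 0 "-" "{CHROME119}"',
    f'198.51.100.7 - - [23/Feb/2026:10:02:11 +0000] "GET /api/constructed-path HTTP/1.0" 401 0 "-" "{CHROME119}"',
    f'198.51.100.8 - - [23/Feb/2026:10:03:00 +0000] "GET /api/constructed-path HTTP/1.1" 200 512 "-" "{CHROME119}"',
    '198.51.100.9 - - [23/Feb/2026:10:04:30 +0000] "GET /health HTTP/1.0" 200 2 "-" "curl/8.4.0"',
    "not a log line",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Only the HTTP/1.0 requests with a modern Chrome user agent are counted; the HTTP/1.1 Chrome request and the HTTP/1.0 curl request are left alone, and the malformed line is skipped.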
