Tuesday , July 14 2026
SonicWall firewall

SonicWall Firewall Targeted by Hackers; 597,000 Sessions Observed

A big increase in scanning across the internet for SonicWall firewall management interface has been observed. GreyNoise, a threat intelligence company, found a big increase in scans of SonicWall SonicOS management APIs from May 9 to May 18, 2026.

The most notable spike occurred on May 12, when approximately 597,000 sessions were recorded in a single day. This represents a roughly 46-fold increase compared to the average daily activity observed over the previous 30 days.

Meta’s louisiana data center to exceed 250 billion price tag

Meta announced on Monday that its data center in Richland Parish, Louisiana, will grow to 5 gigawatts of computing power....
Read More
Meta’s louisiana data center to exceed 250 billion price tag

Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Palo Alto Networks Addresses 13 Vulnerabilities

Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
Palo Alto Networks Addresses 13 Vulnerabilities

Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

Daily Cyber security update for 10. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 10. 07. 2026

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

This is the highest single-day activity seen on the SonicWall SonicOS API Scanner tag in the last 90 days. It shows a big, planned effort to check exposed firewall interfaces.

Hackers Scan SonicWall Firewalls

Earlier this year, GreyNoise researchers noticed a rise in activity that came before the announcement of CVE-2026-0400, a SonicWall flaw shared on February 24, 2026.

The increases on January 18, January 30, and February 14 happened 37, 25, and 10 days before that news, respectively.

This connection does not prove a new weakness, but it shows a pattern where attackers start looking for problems before public announcements or attacks.

GreyNoise says the recent increase is a signal, not a guess, but it could show early surveillance.

Analysis of the GreyNoise scanning traffic reveals consistent tooling and infrastructure:

Tooling: Nearly 99% of requests use a Chrome 119 user-agent on Linux x86_64, matching earlier campaigns where 94.5% of traffic used the same fingerprint.

Source infrastructure: Around 56% of traffic originates from networks in the Netherlands and 44% from Ukraine, accounting for over 99% of observed sessions.

ASN concentration: A single autonomous system (AS211736) contributes roughly half of the total scanning volume.

Targeted services: Ports 80 and 8080 (HTTP) are almost exclusively targeted, indicating focus on web-based management interfaces.

Classification: The majority of source IPs are categorized as suspicious by GreyNoise.

Security teams that use SonicWall devices should act quickly to lower risks and be ready for possible hacking attempts:

Immediate actions:

Limit SonicOS management API and SSL VPN access to trusted IPs only.
Remove public access to firewall management interfaces.
Enforce MFA for all SSL VPN users.
Audit systems for unauthorized admin accounts created after May 1, 2026.
Deploy dynamic IP blocklists to filter suspicious sources.

Even though there is no new flaw confirmed, the amount and type of this activity show that defenders should see this increase as a warning sign.

Check Also

Tenda

CERT/CC Alerts to Hidden Admin Backdoor in Tenda Router Firmware

Several Tenda firmware versions have a hidden backdoor that lets people gain admin access to …