Hackers are actively mapping SonicWall firewalls worldwide. In just four days, over 84,000 SonicOS scanning sessions were launched from more than 4,300 unique IP addresses to identify devices with SSL VPN enabled.
Most of the traffic (92%) targeted a single SonicOS REST API endpoint used to check SSL VPN status. The activity was coordinated across three infrastructure clusters, with a commercial proxy network rotating over 4,000 IP addresses in short bursts to evade detection.
While this campaign focused mainly on reconnaissance, several critical SonicWall vulnerabilities remain high-risk targets:
- CVE-2024-53704 (CVSS 9.8, CISA KEV, ransomware-linked)
- CVE-2024-40766 (CVSS 9.8, used by Akira and Fog ransomware)
- CVE-2021-20028 (CVSS 9.8, CISA KEV listed)
- CVE-2024-38475 (CVSS 9.1)
- CVE-2019-7481 (CVSS 7.5, ransomware-linked)
- CVE-2022-22274 (CVSS 9.8)
- CVE-2023-0656 (CVSS 7.5)
Security researchers assess this activity as pre-exploitation reconnaissance. Attackers appear to be building a high-value list of exposed SSL VPN endpoints for future credential stuffing and vulnerability exploitation.
VPN Access Is the Fastest Way In
SonicWall SSL VPN has become a common entry point for ransomware groups, especially Akira. Researchers have shown that once attackers gain VPN access, they can move to full network encryption in under four hours — sometimes in less than one.
Recent scanning shows attackers are heavily targeting the API endpoint that reveals whether SSL VPN is enabled. This indicates they are building a target list of exposed devices before launching credential stuffing or vulnerability-based attacks.
Since March 2023, Akira has compromised hundreds of organizations and generated hundreds of millions in ransom payments. Fog ransomware has also used SonicWall VPN access as an initial foothold.
Several high-risk vulnerabilities make this worse. Five of the seven key SonicWall CVEs tied to this attack surface are listed in CISA’s Known Exploited Vulnerabilities catalog. One of the most critical is CVE-2024-53704 (CVSS 9.8), an authentication bypass flaw in SonicOS and NSv appliances that is already being exploited in the wild.
With over 430,000 SonicWall firewalls exposed to the internet — many running outdated firmware — attackers have a large and accessible attack surface.
Organized Scanning Infrastructure
GreyNoise identified four coordinated clusters behind the February 2026 scans, all focused on VPN discovery and credential testing.
Attackers used proxy networks, rotating IPs, ports, and browser fingerprints to evade detection, with nearly 70% of traffic sharing the same automated Chrome-on-Linux HTTP/1.0 signature.
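The signals described in this campaign (one endpoint absorbing most of the traffic, thousands of distinct source IPs arriving in short bursts, and a large share of requests carrying the same HTTP/1.0 Chrome-on-Linux fingerprint) can be turned into a simple defender-side detector over firewall or reverse-proxy access logs. The following Python is an added example, not code from GreyNoise, SonicWall or the article's authors. It assumes a constructed single-line log format, a placeholder path for the SonicOS status endpoint (the article does not name it), and arbitrary thresholds; substitute your own log format, the real path from your appliance, and thresholds tuned to your baseline.

```python
"""Detect coordinated SSL VPN discovery scanning in access logs.

Added example (not vendor or researcher code). Assumptions, all labelled:
  * the log line format below is constructed for illustration;
  * WATCHED_ENDPOINT is a placeholder, not the real SonicOS API path;
  * thresholds are illustrative and should be tuned to your own traffic.
"""
from datetime import datetime, timedelta

# PLACEHOLDER: the article does not name the endpoint. Replace with the
# SSL VPN status path observed on your own appliance.
WATCHED_ENDPOINT = "/api/sonicos/PLACEHOLDER-ssl-vpn-status"

# Constructed sample log (not captured traffic). Format per line:
#   <ISO timestamp> <src ip> <method> <path> <protocol> <user agent>
# Seven requests within six seconds from six IPs share the automated
# Chrome-on-Linux HTTP/1.0 fingerprint; three later lines look like a browser.
SAMPLE_LOG = """\
2026-02-10T10:00:01 198.51.100.10 GET /api/sonicos/PLACEHOLDER-ssl-vpn-status HTTP/1.0 Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0
2026-02-10T10:00:02 198.51.100.11 GET /api/sonicos/PLACEHOLDER-ssl-vpn-status HTTP/1.0 Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0
2026-02-10T10:00:03 198.51.100.12 GET /api/sonicos/PLACEHOLDER-ssl-vpn-status HTTP/1.0 Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0
2026-02-10T10:00:04 203.0.113.5 GET /api/sonicos/PLACEHOLDER-ssl-vpn-status HTTP/1.0 Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0
2026-02-10T10:00:05 203.0.113.6 GET /api/sonicos/PLACEHOLDER-ssl-vpn-status HTTP/1.0 Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0
2026-02-10T10:00:06 203.0.113.7 GET /api/sonicos/PLACEHOLDER-ssl-vpn-status HTTP/1.0 Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0
2026-02-10T10:00:07 198.51.100.10 GET /api/sonicos/PLACEHOLDER-ssl-vpn-status HTTP/1.0 Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0
2026-02-10T10:05:00 192.0.2.50 GET /api/sonicos/PLACEHOLDER-ssl-vpn-status HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0
2026-02-10T10:06:00 192.0.2.51 GET /index.html HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0
2026-02-10T10:07:00 192.0.2.52 GET /favicon.ico HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0
"""


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    parts = line.strip().split(" ", 5)
    if len(parts) < 6:
        return None
    ts, ip, method, path, proto, ua = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"when": when, "ip": ip, "method": method, "path": path,
            "proto": proto, "ua": ua}


def is_scanner_fingerprint(event):
    """True for the automated signature the article describes: a user agent
    claiming Chrome on Linux while speaking HTTP/1.0, which real browsers
    have not done for many years."""
    return (event["proto"] == "HTTP/1.0"
            and "Linux" in event["ua"] and "Chrome" in event["ua"])


def max_distinct_ips_in_window(hits, window):
    """Largest number of distinct source IPs hitting the endpoint inside any
    sliding time window; captures the short-burst proxy rotation pattern."""
    hits = sorted(hits, key=lambda e: e["when"])
    best = 0
    for i, start in enumerate(hits):
        seen = set()
        for e in hits[i:]:
            if e["when"] - start["when"] > window:
                break
            seen.add(e["ip"])
        best = max(best, len(seen))
    return best


def analyze(log_text, watched=WATCHED_ENDPOINT, window=timedelta(seconds=60),
            burst_ips=5, endpoint_share=0.5, fingerprint_share=0.5):
    """Compute the three campaign indicators and raise an alert only when all
    of them exceed their (illustrative) thresholds together."""
    events = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    total = len(events)
    hits = [e for e in events if e["path"] == watched]
    fp_count = sum(1 for e in events if is_scanner_fingerprint(e))
    findings = {
        "total_requests": total,
        "watched_endpoint_requests": len(hits),
        "watched_endpoint_share": round(len(hits) / total, 3) if total else 0.0,
        "unique_source_ips_on_endpoint": len({e["ip"] for e in hits}),
        "shared_fingerprint_share": round(fp_count / total, 3) if total else 0.0,
        "max_distinct_ips_in_window": max_distinct_ips_in_window(hits, window),
    }
    findings["alert"] = (findings["watched_endpoint_share"] >= endpoint_share
                         and findings["max_distinct_ips_in_window"] >= burst_ips
                         and findings["shared_fingerprint_share"] >= fingerprint_share)
    return findings


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Requiring all three indicators to fire together keeps a single curious client or a monitoring probe from paging anyone; endpoint concentration alone would also catch your own uptime checks. The HTTP/1.0 test is the cheapest of the three signals and the one most worth adding to existing alerting on VPN portals, since rotating proxies change the source address but rarely the client stack behind it.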
Reconnaissance Before the Real Attack
This pattern closely resembles earlier campaigns where large-scale VPN scanning was followed by credential-based intrusions.
The current activity appears to be reconnaissance — mapping exposed SSL VPN services and identifying weak targets. History shows that exploitation typically follows this phase.
Organizations should immediately restrict VPN management access, enforce multi-factor authentication for all SSL VPN users, and urgently patch CVE-2024-53704 and other SonicOS vulnerabilities. Without action, this scanning phase could quickly evolve into widespread ransomware incidents.