Security researchers at GreyNoise have observed a coordinated reconnaissance campaign targeting SonicWall SonicOS infrastructure, logging 84,142 scanning sessions between February 22 and February 25, 2026. The activity originated from 4,305 unique IP addresses spanning 20 autonomous systems and focused on VPN enumeration and credential testing endpoints.
According to GreyNoise, 92% of all observed sessions probed a single SonicOS REST API endpoint designed to determine whether SSL VPN is enabled, indicating a prerequisite check before launching credential-based attacks.
Roughly 32% of total campaign traffic (27,119 sessions) was routed through a commercial proxy service utilizing 4,102 rotating exit IP addresses. The activity occurred in two tightly coordinated bursts lasting a combined 16 hours. The remaining activity was attributed to operationally distinct infrastructure clusters, including a Netherlands-based scanning cluster that simultaneously targeted SonicWall and Cisco ASA devices, suggesting broader VPN mapping objectives across multiple vendors.
The campaign unfolded in four primary bursts, separated by a roughly 31-hour low-activity window, the researchers said.
SonicWall SSL VPN remains one of the most popular initial access vectors for ransomware operators. Groups such as Akira and Fog have repeatedly leveraged compromised SonicWall VPN credentials to achieve full network encryption in under four hours, with some dwell times reported as short as 55 minutes.
Since March 2023, Akira alone has compromised at least 250 organizations and generated an estimated $244 million in ransom proceeds. Researchers attribute approximately 75% of SonicWall VPN-related intrusions to Akira and 25% to Fog.
Five of seven SonicWall CVEs tied to this attack surface appear in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog, with four explicitly linked to ransomware campaigns. More than 430,000 SonicWall firewalls are currently exposed to the public internet, including over 25,000 SSL VPN devices vulnerable to critical flaws and 20,000 running unsupported firmware.
GreyNoise previously documented a similar campaign in December 2025 involving nine million sessions from more than 7,000 IP addresses targeting both Palo Alto and SonicWall VPN infrastructure. The February 2026 operation appears to be a continuation of VPN-focused reconnaissance.
More than 99.5% of sessions targeted just two SonicWall-specific paths: the SonicOS REST API VPN status check and the NetExtender VPN client login endpoint.
“The overwhelming concentration on the VPN status API endpoint reveals the campaign’s objective: building a comprehensive list of SonicWall devices with active SSL VPN. This is a prerequisite for credential attacks — identifying which devices are worth targeting before deploying more expensive proxy resources for login testing,” GreyNoise noted.
To minimize the risk of attacks, organizations are strongly advised to restrict management interface access to trusted IP ranges, enforce multi-factor authentication on SSL VPN, patch critical vulnerabilities, including CVE-2024-53704, and upgrade unsupported firmware.
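The pattern GreyNoise describes (many distinct source addresses, each making only one or two requests to the VPN status endpoint, followed by login attempts) is something a defender can look for in their own gateway logs, and the allowlist advice above can be checked the same way. The following script is an added example written for this article, not code from GreyNoise or SonicWall. It parses a handful of constructed access-log lines, flags any ten-minute window in which an unusually high number of distinct IPs hit the status endpoint, reports how thin the per-IP request count is in that window (the rotating-proxy signature), lists status-API requests arriving from outside a trusted management range, and tallies failed VPN login attempts per source. The two URL paths are labelled placeholders, since the report names the endpoints only by description.

```python
"""
Added example: spot a VPN-status reconnaissance burst in constructed gateway
access logs, check management-API requests against a trusted allowlist, and
count failed VPN logins per source. Not GreyNoise or SonicWall code.
"""
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress
import re

# Placeholder paths: stand-ins for the SonicOS REST API SSL VPN status check
# and the NetExtender login endpoint, not the real SonicOS URL paths.
VPN_STATUS_PATH = "/PLACEHOLDER/sslvpn-status"
NETEXTENDER_LOGIN_PATH = "/PLACEHOLDER/netextender-login"

# Constructed sample log in a simple "timestamp src_ip method path status" form.
# Documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) play the
# scanners; 10.0.0.5 plays a legitimate administrator.
SAMPLE_LOG = "\n".join([
    "2026-02-22T03:00:01Z 203.0.113.10 GET /PLACEHOLDER/sslvpn-status 200",
    "2026-02-22T03:00:04Z 203.0.113.11 GET /PLACEHOLDER/sslvpn-status 200",
    "2026-02-22T03:00:09Z 198.51.100.7 GET /PLACEHOLDER/sslvpn-status 200",
    "2026-02-22T03:00:12Z 198.51.100.8 GET /PLACEHOLDER/sslvpn-status 200",
    "2026-02-22T03:00:20Z 203.0.113.12 GET /PLACEHOLDER/sslvpn-status 200",
    "2026-02-22T03:00:31Z 203.0.113.10 GET /PLACEHOLDER/sslvpn-status 200",
    "2026-02-22T03:00:45Z 203.0.113.13 GET /PLACEHOLDER/sslvpn-status 200",
    "2026-02-22T03:04:02Z 198.51.100.7 POST /PLACEHOLDER/netextender-login 401",
    "2026-02-22T03:05:00Z 10.0.0.5 GET /PLACEHOLDER/sslvpn-status 200",
    "2026-02-22T03:15:00Z 10.0.0.5 GET /PLACEHOLDER/sslvpn-status 200",
    "2026-02-22T04:10:00Z 192.0.2.77 GET /PLACEHOLDER/sslvpn-status 200",
])

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def find_recon_bursts(events, min_unique_ips=5):
    """Bucket status-endpoint hits into ten-minute windows and flag windows where
    the number of distinct sources reaches the threshold. A hits-per-IP ratio
    close to 1.0 inside a flagged window is the rotating-proxy signature."""
    per_window = defaultdict(Counter)
    for e in events:
        if e["path"] != VPN_STATUS_PATH:
            continue
        window = e["ts"].replace(minute=e["ts"].minute // 10 * 10, second=0)
        per_window[window][e["ip"]] += 1
    bursts = []
    for window in sorted(per_window):
        ips = per_window[window]
        if len(ips) >= min_unique_ips:
            hits = sum(ips.values())
            bursts.append({
                "window_start": window.isoformat(),
                "unique_ips": len(ips),
                "hits": hits,
                "hits_per_ip": round(hits / len(ips), 2),
            })
    return bursts


def outside_allowlist(events, trusted_cidrs):
    """Return status-API sources that are not inside any trusted management
    range, i.e. requests the advised allowlist would have blocked."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    flagged = set()
    for e in events:
        if e["path"] == VPN_STATUS_PATH:
            addr = ipaddress.ip_address(e["ip"])
            if not any(addr in n for n in nets):
                flagged.add(e["ip"])
    return sorted(flagged, key=ipaddress.ip_address)


def failed_logins(events):
    """Count failed (HTTP 401) NetExtender login attempts per source address."""
    return Counter(
        e["ip"] for e in events
        if e["path"] == NETEXTENDER_LOGIN_PATH and e["status"] == 401
    )


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for b in find_recon_bursts(evs):
        print("recon burst:", b)
    print("status-API sources outside allowlist:", outside_allowlist(evs, ["10.0.0.0/8"]))
    print("failed VPN logins:", dict(failed_logins(evs)))
```

On the sample data the 03:00 window is flagged with seven distinct sources and eight requests (1.14 hits per IP), every address except the administrator's falls outside the 10.0.0.0/8 allowlist, and the one failed login comes from an address that had already probed the status endpoint, which is the sequence the report describes. On real logs the window size and `min_unique_ips` threshold should be set from your own baseline of legitimate status-API traffic.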