Hackers Actively Scan SonicWall Firewall Interfaces as 597,000 Sessions Observed

**Executive summary:** GreyNoise observed a sharp surge in automated scanning of SonicWall SonicOS management interfaces between May 9–18, 2026 (peaking at ~597,000 sessions on May 12), characterized by a uniform Chrome 119 user-agent, concentrated ASN activity, and geography from the Netherlands and Ukraine; researchers note similarities to prior scanning waves that preceded the public disclosure of CVE-2026-0400 and advise restricting management access, enforcing MFA, reviewing admin accounts, and monitoring for suspicious traffic.