512/68 Monday, December 8, 2025
systems, with ongoing login attempts and network scanning activities. The attacks originate from over 7,000 IP addresses, many of which are linked to hosting infrastructure based in Germany, and have since expanded to target the SonicWall SonicOS API.
Analysis indicates that attackers initially attempted to access GlobalProtect through brute-force password guessing, before shifting to scan SonicWall endpoints. SonicOS is the operating system used by SonicWall firewalls for remote configuration and management. Such scanning is typically performed to identify vulnerable endpoints or weak configurations, as preparation for follow-up attacks. Researchers also noted that the attack techniques are consistent with activity observed in September and November, suggesting a continued and coordinated campaign.
Cybersecurity authorities advise organizations using affected devices to closely monitor unusual login activity, track repeated attempts from suspicious sources, and block associated IP addresses immediately. They also recommend enabling Multi-Factor Authentication (MFA) to improve login security.
Vendors have confirmed that the observed behavior is the result of password-guessing attacks, and not exploitation of software vulnerabilities.
