CVE-2026-0400
published 2026-02-24CVE-2026-0400: A post-authentication Format String vulnerability in SonicOS allows a remote attacker to crash a firewall.
PriorityP429medium4.9CVSS 3.1
AVNACLPRHUINSUCNINAH
EPSS
0.43%
34.0th percentile
A post-authentication Format String vulnerability in SonicOS allows a remote attacker to crash a firewall.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sonicos | < 7.3.2-7010 | 7.3.2-7010 |
| sonicwall | sonicos | < 8.2.0-8009 | 8.2.0-8009 |
| sonicwall | sonicos | — | — |
| sonicwall | sonicos | — | — |
| sonicwall | sonicos | — | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
Greynoiseio
A New SonicWall Scanning Spike Echoes the Pattern That Preceded CVE-2026-0400
blogs_greynoiseio·2026-05-21·CVSS 4.9
CVE-2026-0400 [MEDIUM] A New SonicWall Scanning Spike Echoes the Pattern That Preceded CVE-2026-0400
Between May 9 and May 18, 2026, GreyNoise observed a significant new spike in scanning of SonicWall SonicOS management interfaces. The May 12 peak — approximately 597,000 sessions — was the largest single-day total recorded on the SonicWall SonicOS API Scanner tag in the past 90 days, roughly 46× the typical daily volume for this tag in the 30 days before the elevation.
Similar elevations in activity against this GreyNoise tag have preceded new vulnerability disclosures affecting SonicWall (Ten Days Before Zero, GreyNoise 2026).
Activity on this tag spiked three times in an earlier sequence — on January 18, January 30, and February 14 — at 37, 25, and 10 days before the February 24 disclosure of CVE-2026-0400. The current spike may be a similar early warning.
The relationship is one obs
Greynoiseio
The Internet Changes Before the Advisory Drops
blogs_greynoiseio·2026-04-20·CVSS 4.9
CVE-2026-20127 [MEDIUM] The Internet Changes Before the Advisory Drops
Before Cisco published its advisory for CVE-2026-20127 — a CVSS 10.0 zero-day cited in a Five Eyes joint warning — GreyNoise sensors had already observed eight distinct surges of Cisco-targeting activity. The earliest arrived 39 days before disclosure. Each one came closer than the last. A new study finds this pattern is not an anomaly.
What the Data Shows
Over 103 days, GreyNoise tracked 147.8 million sessions across 276 vendor-specific tags covering 18 network infrastructure vendors. Of 104 detected surge events, 68 preceded a vendor-matched CVE — spanning 33 vulnerabilities across 16 vendor families. Statistical testing confirmed the pattern is not coincidence.
Median lead time: 11 days. 49% of surges arrived within 10 days of disclosure. 78% within 21 days.
Session volume is the
2026-02-24
Published