264,000 intrusion events were recorded against UK healthcare networks in January–May 2026 — roughly ten times the 27,000 events SonicWall logged for the whole of 2025, according to the vendor’s intrusion prevention system (IPS) sensors deployed across its UK healthcare clients.
SonicWall IPS sensors recorded a tenfold surge
SonicWall’s IPS sensors detected 264,000 individual events in the first five months of 2026 compared with 27,000 for the whole of 2025. That volume translates to around 11,000 events per sensor in January–May 2026, “more than any other vertical,” the vendor said. SonicWall summed up the pressure on health networks by saying the UK’s healthcare sector is being “stress-tested to breaking point.”
Log4Shell remains the dominant attack vector while React2Shell appears in patient portals
The data reveal a mix of old and new exploit attempts. Two-fifths (41%) of events detected by SonicWall were attempts to exploit Log4Shell, a vulnerability in a popular Java-based logging utility “first discovered and patched in 2021.” At the same time, the vendor reported attempts to exploit a critical remote code execution vulnerability in the React.js JavaScript library (referred to in the report as React2Shell), which SonicWall said is found in “newly deployed patient portals.”
F5 BIG-IP authentication bypass attempts hit one-third of sensors
SonicWall’s telemetry showed that a third (33%) of sensors recorded authentication bypass attacks on F5 BIG-IP load balancers. The vendor noted these devices “have been a popular target over recent years as they are widely deployed across the health service.”
Patching constraints, “zombie tech,” and the digitization gap
SonicWall highlighted operational constraints that complicate remediation. “The fact that [Log4j] remains the most active attack vector against UK healthcare environments in 2026 points to a straightforward problem: clinical Java middleware, patient-facing web applications, and legacy hospital IT systems have not been updated,” it said. The vendor added: “In an environment where unplanned downtime can affect patient care, the calculus around patching is complicated, but the data makes clear that the cost of delay is measured in attack volume, not just theoretical risk.”
Spencer Starkey, EMEA executive vice president at SonicWall, framed the situation as a “double-edged crisis.” “Attackers are targeting our hospitals, and stress-testing them to breaking point. Zombie tech, ancient unpatched systems and legacy Java keep haunting the NHS because administrators can't just take a critical care system offline to patch it,” he said. “Meanwhile, the rush to digitize has opened the door to brand-new web vulnerabilities in patient portals. Threat actors have clocked the gap between old and new, and they're scanning for it relentlessly.”
How technologists, policymakers and patients are implicated
- Technologists and security teams: the SonicWall data point to simultaneous pressure on teams to defend legacy Java middleware and newly deployed web-facing patient portals. The vendor suggested part of the spike could reflect “newly exposed infrastructure now connected to the internet,” and said the surge coincides with a global rise in ICS/OT attacks from early 2026.
- Policymakers and regulators: the threat profile prompted the National Cyber Security Centre (NCSC) to publish a new plan “designed to build cyber resilience in the sector.” SonicWall also raised the possibility that the intensity of attacks could reflect “intensified targeting perhaps from Iran,” a factor policymakers may weigh against defensive measures.
- Patients and clinical staff: SonicWall’s repeated emphasis that unplanned downtime can affect patient care underlines the operational trade-offs faced by administrators who cannot simply take critical systems offline to patch them, while also confronting active exploit attempts on both longstanding and newly introduced software.
The picture SonicWall paints is stark: attack volumes concentrated on both a longstanding vulnerability and newly introduced application code, wide probing of load balancers, and operational limits on taking systems offline to update them. With the NCSC having issued a new resilience plan and SonicWall warning of a “double-edged crisis,” the central operational question is whether health-service administrators can bridge the gap between hard-to-patch legacy systems and rapidly evolving web-facing infrastructure without further stretching clinical services.




