Cisco ASA Devices Face Surge in Network Scans

Summary
– Large network scans targeting Cisco ASA devices suggest an upcoming vulnerability, with two major spikes in late August involving up to 25,000 IPs probing login portals.
– The second scanning wave on August 26, 2025, was primarily driven by a Brazilian botnet using about 17,000 IPs, with overlapping user agents indicating a common origin.
– Such reconnaissance activity often precedes a new vulnerability disclosure: the correlation holds in about 80% of cases for the products scanned, though it has historically been weaker for Cisco.
– A separate report by NadSec – Rat5ak details escalating scans from July 31 to August 28, including 200,000 hits on Cisco ASA endpoints in 20 hours from three specific ASNs.
– Defenders are advised to apply security updates, enforce MFA, avoid exposing certain services directly, and use indicators from reports to block or limit scanning attempts.
A significant surge in network scanning activity has been detected targeting Cisco ASA devices, raising alarms among cybersecurity professionals who warn this could signal an impending vulnerability exploit. Researchers from GreyNoise observed two major spikes in late August, with as many as 25,000 unique IP addresses probing login portals and management services on these widely used security appliances.
The second wave, recorded on August 26, 2025, was largely driven by a Brazilian botnet responsible for approximately 80% of the traffic, utilizing nearly 17,000 IP addresses. Both scanning campaigns employed overlapping Chrome-like user agents, pointing toward a coordinated and likely singular source behind the activity.
Geographically, the scanning efforts focused most heavily on the United States, though targets in the UK and Germany were also identified. Historical analysis indicates that such widespread reconnaissance often precedes the public disclosure of new security flaws, a pattern observed in about 80% of cases across various technology vendors. While the statistical correlation has been somewhat weaker for Cisco compared to other manufacturers, the intelligence remains invaluable for defenders looking to bolster monitoring and response capabilities.
Often, these types of scans represent failed attempts to exploit already-patched vulnerabilities. However, they can also serve as enumeration and mapping operations in preparation for attacks leveraging unknown or unpatched weaknesses.
An independent report from system administrator NadSec – Rat5ak describes overlapping activity that began on July 31 with low-level opportunistic scans. These intensified through mid-August and peaked on August 28, when roughly 200,000 hits were recorded against Cisco ASA endpoints within a 20-hour window. The traffic displayed highly automated characteristics, with a consistent volume of approximately 10,000 requests per IP.
According to the administrator, the malicious traffic originated from three autonomous system numbers (ASNs): Nybula, Cheapy-Host, and Global Connectivity Solutions LLP.
In response to these threats, administrators are strongly urged to apply all recent security updates for Cisco ASA devices to address known vulnerabilities. Enforcing multi-factor authentication (MFA) for all remote logins is critical, as is avoiding direct exposure of sensitive services such as /+CSCOE+/logon.html, WebVPN, Telnet, or SSH.
For organizations requiring external access, the use of a VPN concentrator, reverse proxy, or dedicated access gateway is recommended to implement stricter access controls. Additionally, defenders can leverage indicators of compromise shared in reports from GreyNoise and Rat5ak to block scanning attempts preemptively. Implementing geo-blocking and rate limiting for regions outside normal business operations can further reduce risk.
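As an added example, not part of the original article or of any code from GreyNoise, Rat5ak or Cisco, the following Python script shows how a defender running a reverse proxy in front of the ASA portal (as recommended above) could turn access logs into a block list. It counts hits to the sensitive paths within a sliding time window, flags IPs above a threshold, and groups the flagged IPs by user agent, since overlapping user agents were the clue that pointed to a common origin. The log format (nginx/Apache combined), the `/+webvpn+/` path, the window and threshold values, and all IP addresses and log lines are constructed assumptions for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Paths the article says should not be exposed directly. /+webvpn+/ is an
# assumed companion path for the WebVPN portal, not taken from the article.
SENSITIVE_PATHS = ("/+CSCOE+/logon.html", "/+webvpn+/")

# Combined log format (nginx/Apache default). Assumed log source: a reverse
# proxy placed in front of the ASA, as the article recommends.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "ua": m.group("ua")}


def find_scanners(lines, window=timedelta(minutes=10), threshold=5):
    """Return {ip: {"hits": n, "ua": most common UA}} for every IP that made at least
    `threshold` requests to a sensitive path inside any interval of length `window`.
    The real campaign averaged ~10,000 requests per IP; the defaults here are
    deliberately small so the constructed sample below triggers them."""
    stamps_by_ip = defaultdict(list)
    ua_by_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(SENSITIVE_PATHS):
            continue
        stamps_by_ip[rec["ip"]].append(rec["ts"])
        ua_by_ip[rec["ip"]][rec["ua"]] += 1

    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        # Sliding window: largest number of hits falling inside any `window`.
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = {"hits": best, "ua": ua_by_ip[ip].most_common(1)[0][0]}
    return flagged


def shared_user_agents(flagged):
    """Group flagged IPs by user agent; several IPs sharing one exact UA string
    is the kind of overlap that suggested a single source in the article."""
    groups = defaultdict(list)
    for ip, info in flagged.items():
        groups[info["ua"]].append(ip)
    return {ua: sorted(ips) for ua, ips in groups.items() if len(ips) > 1}


# ---- Constructed sample log (documentation-range IPs, fictitious traffic) ----
def _line(ip, minute, second, path, ua, status=200):
    return (f'{ip} - - [26/Aug/2025:03:{minute:02d}:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"

SAMPLE_LOG = (
    # two "scanner" IPs hammering the logon page with the same Chrome-like UA
    [_line("203.0.113.10", 0, i * 7, "/+CSCOE+/logon.html", CHROME_UA) for i in range(6)]
    + [_line("203.0.113.11", 1, i * 9, "/+CSCOE+/logon.html", CHROME_UA) for i in range(6)]
    # one ordinary user: two requests to the portal, different browser
    + [_line("198.51.100.7", 2, 0, "/+CSCOE+/logon.html", FIREFOX_UA),
       _line("198.51.100.7", 2, 45, "/+CSCOE+/logon.html", FIREFOX_UA, 302)]
    # noisy but harmless: many hits to a non-sensitive path
    + [_line("192.0.2.5", 3, i * 5, "/index.html", CHROME_UA) for i in range(10)]
)

if __name__ == "__main__":
    scanners = find_scanners(SAMPLE_LOG)
    for ip, info in sorted(scanners.items()):
        print(f"block {ip}  ({info['hits']} portal hits in window)")
    for ua, ips in shared_user_agents(scanners).items():
        print(f"shared UA across {len(ips)} flagged IPs: {ua[:40]}...")
```

The flagged IPs can be fed to the proxy's deny list or a rate-limiting rule; the user-agent grouping is only a hint, since legitimate browsers share UA strings too, so it should corroborate the volume signal rather than replace it.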
Cisco has been contacted for comment regarding these observations, and updates will follow as more information becomes available.
(Source: Bleeping Computer)