Warning: Massive Botnet Is Scanning for Cisco ASA Vulnerabilities
At the end of August, GreyNoise recorded a sharp surge in scanner activity targeting Cisco ASA devices. Experts warn that such waves often precede the discovery of new vulnerabilities in these products. This time, two distinct spikes were observed: in both cases, attackers conducted mass probes against ASA authentication pages as well as Telnet/SSH access points in Cisco IOS.
On August 26, researchers noted a particularly large-scale campaign orchestrated by a botnet operating out of Brazil. It mobilized nearly 17,000 unique IP addresses, generating as much as 80% of the total traffic. In total, up to 25,000 IP sources were identified. Notably, during both spikes, the attackers used similar browser headers designed to mimic Chrome, suggesting a shared infrastructure.
The primary impact was felt in the United States, though the United Kingdom and Germany were also affected. According to GreyNoise, approximately 80% of such reconnaissance activity historically leads to the disclosure of new security flaws, though the correlation is weaker for Cisco products compared to other vendors. Nevertheless, such indicators allow administrators to strengthen defenses in advance.
In some cases, the scans may represent failed attempts to exploit already patched vulnerabilities. Yet, the sheer scale of the campaign also points to a systematic effort to map available services in preparation for leveraging zero-day weaknesses. An independent system administrator operating under the alias NadSec – Rat5ak reported similar activity beginning in late July and peaking by August 28. He documented more than 200,000 connection attempts against ASA within a 20-hour period, with a steady load of 10,000 requests per IP address, indicating a high degree of automation. The sources were traced back to three autonomous systems: Nybula, Cheapy-Host, and Global Connectivity Solutions LLP.
Administrators are strongly advised to apply the latest Cisco ASA updates without delay to close known vulnerabilities, enable multi-factor authentication for all remote logins, and avoid exposing /+CSCOE+/logon.html, WebVPN, Telnet, or SSH interfaces directly to the internet. Where external access is absolutely necessary, routing it through a VPN concentrator, reverse proxy, or gateway with additional validation is recommended. Furthermore, defenders can leverage indicators of attack published by GreyNoise and Rat5ak to block suspicious requests at the perimeter, and, if needed, implement geo-blocking and rate limiting.
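As an added illustration of the perimeter checks recommended above (not code from GreyNoise, Rat5ak or Cisco), the following script scans reverse-proxy access logs for the ASA logon path named in the article, flags source IPs whose request rate to that path exceeds a threshold inside a sliding window, and groups sources by User-Agent so that many IPs sharing one mimicked-browser header stand out. The log lines, thresholds and path list are constructed assumptions; only `/+CSCOE+/logon.html` comes from the article.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (common log format plus User-Agent) as a reverse
# proxy in front of an ASA logon page might record them. Not real indicators.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Aug/2025:10:00:00 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 Chrome/126.0"
203.0.113.10 - - [28/Aug/2025:10:00:01 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 Chrome/126.0"
203.0.113.10 - - [28/Aug/2025:10:00:02 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 Chrome/126.0"
203.0.113.10 - - [28/Aug/2025:10:00:03 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 Chrome/126.0"
198.51.100.7 - - [28/Aug/2025:10:00:05 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 Chrome/126.0"
198.51.100.7 - - [28/Aug/2025:10:30:00 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 Chrome/126.0"
192.0.2.44 - - [28/Aug/2025:10:00:09 +0000] "GET /status HTTP/1.1" 200 128 "-" "curl/8.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"')
# Paths to watch; the ASA logon page is from the article, add your WebVPN paths here.
WATCHED_PATHS = ("/+CSCOE+/logon.html",)

def parse(log_text):
    """Yield (ip, timestamp, path, user_agent) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["path"], m["ua"]

def flag_sources(log_text, max_hits=3, window_s=60):
    """Return the set of IPs making more than max_hits watched-path requests in any window_s window."""
    hits = defaultdict(list)
    for ip, ts, path, _ in parse(log_text):
        if path in WATCHED_PATHS:
            hits[ip].append(ts)
    flagged = set()
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > max_hits:
                flagged.add(ip)
                break
    return flagged

def cluster_by_user_agent(log_text):
    """Map each User-Agent seen on watched paths to the set of IPs presenting it."""
    clusters = defaultdict(set)
    for ip, _, path, ua in parse(log_text):
        if path in WATCHED_PATHS:
            clusters[ua].add(ip)
    return dict(clusters)
```

In this sample only `203.0.113.10` exceeds the rate threshold, while the User-Agent clustering shows both probing hosts presenting the same Chrome-style string; feed the flagged set to your firewall or rate limiter rather than blocking on a single hit.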
Cisco has yet to issue an official comment on the matter.