The GreyNoise Intelligence team observed two unusually large waves of scanning activity targeting Cisco Adaptive Security Appliance (ASA) devices in late August 2025, raising concerns that attackers may be preparing to exploit a new vulnerability.
According to the report, “the first involved more than 25,000 unique IPs in a single burst; the second, smaller but related, followed days later. This activity represents a significant elevation above baseline, typically registering at less than 500 IPs per day.”
Both spikes focused on the ASA web login path (/+CSCOE+/logon.html), a common reconnaissance point for exposed Cisco devices. Subsets of the same IPs also probed Cisco Telnet/SSH and ASA software personas, suggesting a Cisco-focused campaign rather than opportunistic mass scanning.
GreyNoise noted that “overlapping client signatures and spoofed Chrome-like user-agents” were observed across both events, pointing to the use of a common scanning toolkit.
Analysis of the larger August 26 wave revealed that most of the scanning originated from a single botnet cluster in Brazil.
- 16,794 IPs scanned Cisco ASA devices that day.
- Roughly 14,000 IPs (80%) were linked to the same fingerprint.
- The botnet used a consistent suite of TCP signatures, indicating a shared stack and tooling.
GreyNoise concluded: “This makes the August 26 spike attributable to a coordinated botnet campaign dominated by Brazil-sourced infrastructure.”
GreyNoise cautions that scanning spikes are often early warning signals of pending vulnerability disclosures. “In past cases, activity against GreyNoise’s Cisco ASA Scanner tag surged shortly before a new ASA vulnerability was disclosed. The late-August spikes may represent a similar early warning signal.”
If true, attackers could be racing to map vulnerable devices before details of a new exploit surface. Even fully patched organizations may still face risk, as IP addresses used for reconnaissance today could inform future exploitation campaigns.
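Defenders can look for the same pattern in their own telemetry. The following is an added example, not code from GreyNoise or from this article: it counts unique source IPs per day requesting the ASA login path and flags days that stand well above the other days' median. The combined-log-format input (from a proxy or sensor in front of the device), the function names, the thresholds and the sample lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from statistics import median

ASA_LOGIN_PATH = "/+CSCOE+/logon.html"  # path named in the article

# Assumed input format: combined log format from a front-end proxy or sensor.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+'
)

def daily_unique_sources(lines):
    """Map each day to the set of source IPs that requested the ASA login path."""
    per_day = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the assumed format
        path = m.group("target").split("?", 1)[0]  # drop any query string
        if path == ASA_LOGIN_PATH:
            per_day[m.group("day")].add(m.group("ip"))
    return per_day

def spike_days(per_day, factor=5.0, min_sources=3):
    """Return {day: unique_ip_count} for days exceeding factor x the median of the other days."""
    counts = {day: len(ips) for day, ips in per_day.items()}
    if len(counts) < 2:
        return {}  # no baseline to compare against
    flagged = {}
    for day, n in counts.items():
        baseline = median(c for d, c in counts.items() if d != day)
        if n >= min_sources and n > factor * baseline:
            flagged[day] = n
    return flagged

def _line(ip, day, target):
    # Builds one constructed log line; addresses are documentation ranges.
    return f'{ip} - - [{day}:10:00:00 +0000] "GET {target} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

SAMPLE = (  # constructed sample data, not real traffic
    [_line("192.0.2.1", "24/Aug/2025", ASA_LOGIN_PATH),
     _line("192.0.2.1", "25/Aug/2025", ASA_LOGIN_PATH),
     _line("192.0.2.2", "25/Aug/2025", "/index.html")]
    + [_line(f"203.0.113.{i}", "26/Aug/2025", ASA_LOGIN_PATH) for i in range(1, 13)]
    + [_line("203.0.113.1", "26/Aug/2025", ASA_LOGIN_PATH),  # repeat, counted once
       _line("198.51.100.7", "27/Aug/2025", ASA_LOGIN_PATH + "?a=1")]
)

if __name__ == "__main__":
    print(spike_days(daily_unique_sources(SAMPLE)))
```

Tune `factor` and `min_sources` to the exposure's normal volume; a flagged day is a prompt to review the sources and confirm the device's patch level, not proof of compromise.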