Hackers Scanning Cisco ASA Devices to Exploit Vulnerabilities from 25,000 IPs


In late August 2025, there was a significant increase in scanning activity targeting Cisco Adaptive Security Appliances (ASAs). This event involved over 25,000 unique IP addresses engaged in coordinated reconnaissance activities.

GreyNoise, a threat intelligence organization, detected two major scanning waves, a substantial rise from the usual activity of fewer than 500 IPs per day. The first wave, on August 22, featured approximately 25,000 unique addresses, followed by a related but smaller wave a few days later.

The second wave, dated August 26, was largely attributed to a botnet cluster located in Brazil. Of the approximately 17,000 active IPs that day, over 14,000, accounting for more than 80%, were linked to this botnet operation.

The attackers used shared client signatures and spoofed Chrome-like user agents, indicating the deployment of standardized scanning toolkits across their infrastructure.

Geographic Distribution and Targeting Patterns

Over the past 90 days, the scanning activity displayed distinct geographic patterns. Brazil was the leading source of these scans at 64%, followed by Argentina and the United States, each at 8%.

The attacks were predominantly aimed at U.S. infrastructure, with 97% targeting American networks. The United Kingdom and Germany accounted for 5% and 3% of the attacks, respectively.

Both scanning surges specifically targeted the ASA web login path /+CSCOE+/logon.html, a common marker for identifying exposed devices. Some of the same IP addresses also probed Cisco Telnet/SSH and ASA software personas, indicating a targeted campaign focusing on Cisco devices rather than random scans.

These scanning campaigns suggest a possible upcoming vulnerability disclosure. GreyNoise's research indicates that spikes in scanning activity often precede the announcement of new Common Vulnerabilities and Exposures (CVEs). Historical data shows similar patterns before past Cisco ASA vulnerability disclosures.

Cisco ASA devices have been targeted by sophisticated threat actors. The ArcaneDoor espionage campaign previously exploited two zero-day vulnerabilities in Cisco ASA systems to infiltrate government networks.

Ransomware groups, such as Akira and LockBit, have historically targeted these devices. The CVE-2020-3452 vulnerability was globally exploited shortly after its disclosure.

Organizations using Cisco ASA infrastructure should promptly assess their exposure, ensure systems are fully updated, and monitor for unusual authentication attempts.

Given the scale and coordination of this scanning activity, it is advisable for security teams to prepare for potential zero-day exploitation attempts and implement additional monitoring around ASA devices.
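The two defensive points above, watching for requests to the /+CSCOE+/logon.html path and for the shared client signatures the scanners used, can be turned into a simple baseline check over access logs. The following is an added example written for this article, not GreyNoise's or Cisco's code. It assumes logs have already been exported into a simplified one-line-per-request format (timestamp, source IP, method, path, quoted user agent); that format and the sample lines are constructed for the example, and the threshold of 500 unique IPs per day comes from the article's stated normal activity level.

```python
import re
from collections import defaultdict

# Path the article identifies as the marker both scanning waves requested.
LOGIN_PATH = "/+CSCOE+/logon.html"
# Article: normal activity is fewer than 500 unique IPs per day; more than that is anomalous.
BASELINE_UNIQUE_IPS = 500
# Hypothetical threshold: a user agent shared by this many distinct IPs is reported as a
# shared client signature (the article notes the scanners reused Chrome-like user agents).
MIN_SHARED_UA_IPS = 3

# Constructed sample log in a simplified format (not real ASA syslog output):
# <ISO timestamp> <source IP> <method> <path> "<user agent>"
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
SAMPLE_LOG = "\n".join([
    f'2025-08-21T09:12:44Z 203.0.113.5 GET {LOGIN_PATH} "{FIREFOX_UA}"',
    f'2025-08-22T10:00:01Z 198.51.100.7 GET {LOGIN_PATH} "{CHROME_UA}"',
    f'2025-08-22T10:00:02Z 198.51.100.8 GET {LOGIN_PATH} "{CHROME_UA}"',
    f'2025-08-22T10:00:02Z 198.51.100.9 GET {LOGIN_PATH} "{CHROME_UA}"',
    f'2025-08-22T10:00:03Z 198.51.100.10 GET {LOGIN_PATH} "{CHROME_UA}"',
    f'2025-08-22T10:00:05Z 198.51.100.7 GET {LOGIN_PATH} "{CHROME_UA}"',   # repeat IP
    '2025-08-22T10:01:00Z 203.0.113.9 GET /index.html "curl/8.0.1"',       # not the login path
    f'2025-08-22T10:02:00Z 203.0.113.5 GET {LOGIN_PATH} "{FIREFOX_UA}"',
    "this line is deliberately malformed",                                  # exercises error handling
])

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, ua = m.groups()
    return {"day": ts[:10], "ip": ip, "method": method, "path": path, "ua": ua}


def analyze(log_text, baseline=BASELINE_UNIQUE_IPS, min_shared=MIN_SHARED_UA_IPS):
    """Count distinct source IPs per day that requested the ASA login path and
    report days above the baseline plus user agents shared across many IPs."""
    ips_by_day = defaultdict(set)
    ips_by_ua = defaultdict(set)
    unparsed = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1          # keep going; malformed lines are counted, not fatal
            continue
        if rec["path"] != LOGIN_PATH:
            continue               # only the login-page probes matter for this check
        ips_by_day[rec["day"]].add(rec["ip"])
        ips_by_ua[rec["ua"]].add(rec["ip"])
    return {
        "unique_ips_per_day": {d: len(s) for d, s in sorted(ips_by_day.items())},
        "alert_days": sorted(d for d, s in ips_by_day.items() if len(s) > baseline),
        "shared_user_agents": {ua: sorted(s) for ua, s in ips_by_ua.items()
                               if len(s) >= min_shared},
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    # The sample is tiny, so the baseline is lowered to 3 here purely to show an alert firing.
    result = analyze(SAMPLE_LOG, baseline=3)
    for day, n in result["unique_ips_per_day"].items():
        print(f"{day}: {n} unique IPs requested {LOGIN_PATH}")
    print("alert days:", result["alert_days"])
    for ua, ips in result["shared_user_agents"].items():
        print(f"shared user agent seen from {len(ips)} IPs: {ua}")
    print("unparsed lines:", result["unparsed_lines"])
```

In production the same function would run over a day's worth of exported logs with the default baseline; the per-day unique-IP count is the signal GreyNoise describes, and the shared-user-agent grouping surfaces the standardized toolkits the article attributes to the Brazilian botnet cluster.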

The extensive scale of this reconnaissance campaign indicates that threat actors may be preparing for a significant vulnerability exploitation wave, making immediate defensive measures crucial for organizations reliant on Cisco ASA security appliances.
