securityonline.info 9/5/2025, 2:20:36 AM · via preferred

A Massive Coordinated Attack Is Probing Cisco ASA Devices

Two unusually large waves of scanning activity targeted Cisco Adaptive Security Appliance (ASA) devices in late August 2025, with GreyNoise Intelligence noting a surge that could indicate attackers preparing to exploit a new vulnerability. According to GreyNoise, the first wave involved more than 25,000 unique IPs in a single burst, and a second, smaller but related wave followed days later, representing a significant elevation above baseline.

Both spikes focused on the ASA web login path (/+CSCOE+/logon[.]html), and some of the same IPs also probed Telnet/SSH and ASA software personas, suggesting a Cisco-focused campaign rather than opportunistic scanning. GreyNoise observed overlapping client signatures and spoofed Chrome-like user-agents across both events, indicating a common scanning toolkit. Analysis of the larger wave attributed most activity to a single botnet cluster in Brazil.

On 26 August 2025, 16,794 IPs scanned Cisco ASA devices, with roughly 14,000 IPs (80%) linked to the same fingerprint. The botnet used a consistent suite of TCP signatures, implying a shared stack and tooling.
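A defender-side check for the pattern described above, as an added example that is not from GreyNoise or the original article: it counts unique source IPs requesting the ASA logon path per day in web access logs and flags days far above the median of earlier days. The combined-log layout, the 3x threshold, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import unquote

ASA_LOGON_PATH = "/+CSCOE+/logon.html"  # login path named in the article (defanged there)
# Assumed combined-log layout: ip - - [dd/Mon/yyyy:time zone] "METHOD target PROTO" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:\]]+):[^\]]*\] "[A-Z]+ (?P<target>\S+)'
)

def logon_probes_per_day(lines):
    """Map each calendar day to the set of source IPs that requested the logon page."""
    per_day = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format
        # Drop the query string and decode %2B so encoded variants still match.
        path = unquote(m["target"].split("?", 1)[0])
        if path.lower() == ASA_LOGON_PATH.lower():
            day = datetime.strptime(m["day"], "%d/%b/%Y").date()
            per_day[day].add(m["ip"])
    return per_day

def flag_spikes(per_day, factor=3.0, min_history=3):
    """Return (day, unique_ips) where the count exceeds factor x median of earlier days."""
    flagged, history = [], []
    for day in sorted(per_day):
        count = len(per_day[day])
        if len(history) >= min_history and count > factor * median(history):
            flagged.append((day, count))
        else:
            history.append(count)  # flagged days stay out of the baseline
    return flagged

def sample_lines():
    """Constructed sample data: four quiet days, then a burst on 26 Aug."""
    fmt = '{ip} - - [{day}/Aug/2025:02:20:36 +0000] "GET {target} HTTP/1.1" 200 512'
    lines = [fmt.format(ip=f"192.0.2.{h}", day=d, target=ASA_LOGON_PATH)
             for d in (22, 23, 24, 25) for h in (10, 11)]
    for host in range(1, 13):
        target = "/%2BCSCOE%2B/logon.html?a=1" if host % 2 else ASA_LOGON_PATH
        lines.append(fmt.format(ip=f"203.0.113.{host}", day=26, target=target))
    lines.append(fmt.format(ip="198.51.100.7", day=26, target="/index.html"))
    return lines

if __name__ == "__main__":
    for day, count in flag_spikes(logon_probes_per_day(sample_lines())):
        print(day, count)
```

Days with no requests to the logon path do not appear in the baseline, so a long quiet history should be padded with zero counts before relying on the median.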

Article by CyberSIXT