Massive Scans Target Cisco ASA Devices, Raising Fears of Imminent Exploit

A surge in reconnaissance activity against Cisco ASA devices may foreshadow the disclosure of a new vulnerability, researchers warn.

CSBadmin

Large-scale scanning campaigns are targeting Cisco Adaptive Security Appliance (ASA) devices, prompting warnings from cybersecurity researchers about the possibility of a new exploit on the horizon. GreyNoise, which tracks mass scanning activity, detected two major surges in late August, with up to 25,000 unique IPs probing Cisco ASA login portals as well as Cisco IOS Telnet and SSH services.

The second wave, recorded on August 26, 2025, was particularly concerning, with 80% of the traffic attributed to a Brazilian botnet. This botnet leveraged roughly 17,000 IP addresses and exhibited consistent Chrome-like user agents, pointing to a likely common origin for the probes. The brunt of this activity targeted U.S. systems, though the UK and Germany also saw significant traffic.

Source: cisco.com.

GreyNoise cautions that such reconnaissance often precedes the disclosure or weaponization of new vulnerabilities. Historically, the group has observed that in 80% of cases, these scanning bursts are followed by vulnerability revelations. While this correlation is somewhat weaker with Cisco compared to other vendors, the pattern still provides defenders with valuable early-warning signals.

Adding to the concern, system administrator “NadSec – Rat5ak” reported overlapping activity starting July 31, escalating in mid-August and culminating on August 28. Within a 20-hour window, Rat5ak logged 200,000 hits against Cisco ASA endpoints, delivered in bursts of 10,000 per IP. The traffic was traced to three autonomous systems: Nybula, Cheapy-Host, and Global Connectivity Solutions LLP.

While such scans often represent failed attempts against already patched vulnerabilities, researchers caution they can also reflect active enumeration and mapping of devices for exploitation once a new flaw is disclosed. This reconnaissance-first, exploit-later pattern has become a hallmark of coordinated botnet-driven campaigns.

Administrators are urged to apply Cisco’s latest security updates, enforce multi-factor authentication for ASA remote access, and avoid exposing sensitive services such as /+CSCOE+/logon.html, WebVPN, Telnet, or SSH directly to the internet. Where external access is unavoidable, experts recommend using VPN concentrators, reverse proxies, or access gateways. Organizations should also consider preemptive measures such as geo-blocking, rate limiting, and using GreyNoise and Rat5ak’s published indicators to detect and block scanning attempts.
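As an added, illustrative example that is not part of the article and not code from GreyNoise or Rat5ak, the following Python script implements two of the measures above on web-access-style log lines: per-IP burst detection against the ASA login portal path and matching source IPs against a published indicator list. The log lines, the threshold, the window and the indicator IP are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Paths the article names as scan targets on ASA login portals.
ASA_PORTAL_PATHS = ("/+CSCOE+/logon.html", "/+webvpn+/")

# Access-log style lines constructed for this example (not real captures):
# one IP bursting at the portal, one IP on a (constructed) indicator list, one benign.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.10 - - [28/Aug/2025:10:00:{i:02d} +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 "Mozilla/5.0 Chrome/120.0"'
     for i in range(12)]
    + ['198.51.100.7 - - [28/Aug/2025:10:00:05 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 "Mozilla/5.0 Chrome/120.0"',
       '192.0.2.44 - - [28/Aug/2025:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 "curl/8.0"']
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" \d+ "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return (ip, timestamp, path, user_agent) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["path"], m["ua"]

def find_scanners(log_text, indicators, threshold=10, window=timedelta(seconds=60)):
    """Map IP -> reasons. 'burst': >= threshold portal hits within window; 'indicator': on the published list."""
    records = sorted(filter(None, map(parse_line, log_text.splitlines())), key=lambda r: r[1])
    recent = defaultdict(deque)   # per-IP timestamps of portal hits inside the sliding window
    flagged = defaultdict(set)
    for ip, ts, path, _ua in records:
        if ip in indicators:
            flagged[ip].add("indicator")
        if not path.startswith(ASA_PORTAL_PATHS):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop hits older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip].add("burst")
    return dict(flagged)

if __name__ == "__main__":
    for ip, reasons in find_scanners(SAMPLE_LOG, {"198.51.100.7"}).items():
        print(ip, sorted(reasons))
```

The flagged IPs are candidates for rate limiting or blocking at the edge; tune the threshold and window to the normal login volume of the portal before acting on the output.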

Sources: greynoise.io