Massive Surge in Scanning Activity Targets Cisco ASA Devices

In late August 2025, cybersecurity researchers observed an unprecedented increase in scanning activities targeting Cisco Adaptive Security Appliances (ASAs). Over 25,000 unique IP addresses were involved in coordinated reconnaissance efforts, marking a significant escalation from the typical daily baseline of fewer than 500 IPs.

Details of the Scanning Campaign

GreyNoise, a threat intelligence firm, identified two distinct waves of scanning activity. The first, on August 22, involved approximately 25,000 unique IP addresses. A subsequent, smaller campaign occurred days later. Notably, the August 26 wave was primarily driven by a single botnet cluster concentrated in Brazil. Of the roughly 17,000 active IPs that day, more than 14,000—over 80%—were linked to this coordinated botnet campaign.

Attackers employed shared client signatures and spoofed Chrome-like user agents, indicating the use of common scanning toolkits across their infrastructure. Researchers noted that the client signature was observed alongside a suite of closely related TCP signatures, suggesting that all nodes shared a common stack and tooling and confirming the coordinated nature of the campaign.

Geographic Distribution and Targeting Patterns

Over the past 90 days, scanning activity exhibited distinct geographic patterns. By source country, Brazil accounted for 64%, followed by Argentina and the United States at 8% each. However, the targeting was heavily focused on U.S. infrastructure, with 97% of attacks aimed at American networks. The United Kingdom and Germany accounted for 5% and 3% of the targets, respectively.

Both scanning surges specifically targeted the ASA web login path `/+CSCOE+/logon.html`, a common reconnaissance marker used to identify exposed devices. Subsets of the same IP addresses also probed Cisco Telnet/SSH and ASA software personas, indicating a deliberate focus on Cisco devices rather than opportunistic scanning.

Implications and Recommendations

The timing and scale of these scanning campaigns may signal an impending vulnerability disclosure. GreyNoise’s Early Warning Signals research has demonstrated that scanning spikes often precede the announcement of new Common Vulnerabilities and Exposures (CVEs). Historical data shows similar activity surges occurred shortly before previous Cisco ASA vulnerability disclosures.

Cisco ASA devices have been prime targets for sophisticated threat actors. The ArcaneDoor espionage campaign previously exploited two zero-day vulnerabilities in Cisco ASA systems to infiltrate government networks. Ransomware groups, including Akira and LockBit, have also historically targeted these devices. For instance, CVE-2020-3452 was weaponized globally within days of its disclosure.

Organizations utilizing Cisco ASA infrastructure should immediately review their exposure, ensure systems are fully patched, and monitor for unusual authentication attempts. Given the scale and coordination of this scanning activity, security teams should prepare for potential zero-day exploitation attempts and consider implementing additional monitoring around ASA devices.
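One way to implement the monitoring recommended above, as an added example that is not code from GreyNoise or Cisco: it counts unique sources requesting the ASA logon path per day, flags days far above a baseline, and lists user agents reused across many sources. It assumes access logs in Combined Log Format from a perimeter sensor or reverse proxy; the function names, the threshold factor and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

PROBE_PATH = "/+CSCOE+/logon.html"  # ASA web login path named in the article
# Assumed input: Combined Log Format lines from a sensor or proxy in front of the ASA.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def probe_events(lines):
    """Yield (day, ip, user_agent) for each request to the ASA logon path."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        # Drop the query string and decode %-escapes so /%2BCSCOE%2B/ also matches.
        path = unquote(urlsplit(m["target"]).path)
        if path.lower() == PROBE_PATH.lower():
            yield m["day"], m["ip"], m["ua"]

def summarize(lines):
    """Return ({day: set(ips)}, {user_agent: set(ips)}) for probe requests."""
    by_day, by_ua = defaultdict(set), defaultdict(set)
    for day, ip, ua in probe_events(lines):
        by_day[day].add(ip)
        by_ua[ua].add(ip)
    return dict(by_day), dict(by_ua)

def spike_days(by_day, baseline, factor=3.0):
    """Days whose unique probing sources exceed factor x baseline (sorted for stable output)."""
    return sorted(d for d, ips in by_day.items() if len(ips) > baseline * factor)

def shared_agents(by_ua, min_ips=3):
    """User agents reused by at least min_ips distinct sources, a hint of common tooling."""
    return {ua: len(ips) for ua, ips in by_ua.items() if len(ips) >= min_ips}

# Constructed sample input (documentation IP ranges), not real observations.
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"
SAMPLE = [f'203.0.113.{i} - - [22/Aug/2025:10:00:0{i} +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 512 "-" "{UA}"' for i in range(1, 5)] + [
    '198.51.100.7 - - [21/Aug/2025:09:00:00 +0000] "GET /%2BCSCOE%2B/logon.html?a=b HTTP/1.1" 200 512 "-" "curl/8.0"',
    '192.0.2.9 - - [22/Aug/2025:11:00:00 +0000] "GET /index.html HTTP/1.1" 200 100 "-" "curl/8.0"',
    'garbage line',
]

if __name__ == "__main__":
    by_day, by_ua = summarize(SAMPLE)
    print(spike_days(by_day, baseline=1), shared_agents(by_ua))
```

Set `baseline` to the number of unique sources your own sensors normally see per day for this path; the value of 1 here only fits the constructed sample.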

The unprecedented scale of this reconnaissance campaign suggests that threat actors may be positioning for a significant vulnerability exploitation wave. Immediate defensive preparations are critical for organizations relying on Cisco ASA security appliances.