Probing of Cisco ASA portals may be a sign of imminent attack
Network admins with Cisco Systems gear should be on the lookout for signs of attacks. That’s the word from security provider GreyNoise Inc., which said Thursday it’s recently seen suspicious probing on the internet.
Its researchers saw two scanning surges against Cisco Adaptive Security Appliance (ASA) devices in late August, the company said in a blog. The first involved more than 25,000 unique IPs aimed at ASA login portals in a single burst. The second wave, smaller but related, followed days later and repeated the ASA probing, with subsets hitting both IOS Telnet/SSH and ASA software personas.
“This activity represents a significant elevation above baseline, typically registering at less than 500 IPs per day,” says the report.
Both events targeted the ASA web login path (/+CSCOE+/logon.html), a common reconnaissance marker for exposed devices. Subsets of the same IPs also probed GreyNoise’s Cisco Telnet/SSH and ASA software personas, “signaling a Cisco-focused campaign rather than purely opportunistic scanning.”
The vast majority of these probes were aimed at ASA installations in the U.S. About 64 per cent of this traffic came from a botnet cluster in Brazil.
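Defenders can look for the same marker in their own logs. The following is an added example, not code from GreyNoise or the original article: it counts unique source IPs per day that request the ASA login path and flags days above a threshold. The log format (Common Log Format from a proxy or sensor in front of the device), the sample lines and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote, urlsplit

ASA_LOGIN_PATH = "/+CSCOE+/logon.html"  # path named in the article

# Assumption: Common Log Format lines from a proxy or sensor in front of the device.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+)')

# Constructed sample lines (documentation IP ranges, made-up dates).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:02:11 +0000] "GET /%2BCSCOE%2B/logon.html?a0=1 HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:11:30:00 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 512',
    '192.0.2.50 - - [01/Jan/2024:11:31:00 +0000] "GET /index.html HTTP/1.1" 200 100',
    '192.0.2.44 - - [02/Jan/2024:09:00:00 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 512',
    'garbage line',
]

def is_asa_login_probe(target):
    """True if the request target resolves to the ASA login page."""
    # Drop the query string and decode escapes such as %2B before comparing.
    return unquote(urlsplit(target).path) == ASA_LOGIN_PATH

def unique_ips_per_day(lines):
    """Map each date to the set of source IPs that requested the login path."""
    per_day = defaultdict(set)
    for line in lines:
        m = CLF.match(line)
        if not m or not is_asa_login_probe(m["target"]):
            continue
        try:
            day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date()
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        per_day[day].add(m["ip"])
    return per_day

def surge_days(per_day, threshold):
    """Sorted (date, unique IP count) pairs for days above the threshold."""
    return sorted((d.isoformat(), len(ips))
                  for d, ips in per_day.items() if len(ips) > threshold)

if __name__ == "__main__":
    # Threshold of 2 suits the tiny sample; derive a real one from your own baseline.
    print(surge_days(unique_ips_per_day(SAMPLE_LOG), threshold=2))
```

Counting unique sources rather than raw requests mirrors how the report measures the surge, so one noisy scanner does not trip the alert on its own.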
The context: GreyNoise says its research shows that scanning spikes often precede disclosure of new application vulnerabilities by hardware and software companies. Therefore it could be an early warning signal. In 80 percent of the cases it studied, attackers hit specific technologies weeks before a new vulnerability affecting them was published.
What should network admins do? First, block the IP addresses identified by GreyNoise.
Network security tools aimed at preventing intrusions, such as firewalls, VPNs and email gateways, from providers like Cisco, Palo Alto Networks, Barracuda Networks, Juniper Networks and others have been targets of threat actors for years.
Researchers at Strobes Security, a U.S.-based threat management provider, listed an unauthenticated file upload and root code execution vulnerability in Cisco ISE (Identity Services Engine) and ISE PIC (CVE-2025-20282) as one of the top five vulnerabilities in June.
GreyNoise says those with Cisco ASA devices in their networks should:
Avoid placing ASA web portals, Telnet, or SSH directly on the internet. This, by the way, is good advice for any device.
Patch quickly if a new CVE emerges. ASA vulnerabilities have historically been exploited soon after disclosure.
Require anyone remotely accessing a Cisco ASA device, or any internet-connected computer or server, to log in with multi-factor authentication.
