October 7, 2025
In late August 2025, there were two large surges of scanning activity focused on Cisco Adaptive Security Appliance (ASA) devices. The first surge involved more than 25,000 unique IPs probing ASA’s web login path (/+CSCOE+/logon.html), and a second wave followed with somewhat fewer IPs but similar behaviours. These spikes are well above the normal baseline, which is under 500 IPs per day targeting these endpoints. The scans also included attempts against Cisco Telnet/SSH services, suggesting the scan campaign is specifically aimed at Cisco gear rather than being a random broad sweep.
The vast majority of the scanning in the main spike (August 26) came from a Brazil-based botnet cluster: around 14,000 of ~17,000 IPs were from that one cluster. The scans used overlapping tools, shared client signatures, and spoofed, Chrome-like user agents. GreyNoise suggests this may be an “early warning signal” for a new vulnerability in Cisco ASA devices, as scanning spikes of this kind have presaged public CVE disclosures in past cases. The article recommends reducing exposure by not putting ASA web login portals, Telnet, or SSH services directly on the internet, using multi-factor authentication, and staying on top of patching if new vulnerabilities are disclosed.
Source: https://www.greynoise.io/blog/scanning-surge-cisco-asa-devices
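A defender can watch for the same pattern locally by counting distinct source IPs per day that request the ASA logon path and noting whether one user agent dominates. The following is an added example, not code from GreyNoise or the article; it assumes combined-format access logs from a proxy or sensor in front of the portal, and the log lines, helper names and local baseline value are constructed for illustration.

```python
import re
from collections import defaultdict

ASA_LOGON_PATH = "/+CSCOE+/logon.html"  # path named in the article

# Assumption: combined log format (ip - - [day:time zone] "METHOD path proto" status size "ref" "ua")
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"\S+ (?P<path>\S+)[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def probes_by_day(lines):
    """Map day -> {source IP -> set of user agents} for requests to the logon path."""
    days = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.match(line)
        # Ignore any query string when comparing against the logon path.
        if m and m["path"].split("?", 1)[0] == ASA_LOGON_PATH:
            days[m["day"]][m["ip"]].add(m["ua"])
    return days

def surge_days(lines, baseline_ips):
    """Return {day: (unique_ips, top_user_agent, share_of_ips)} for days above baseline."""
    out = {}
    for day, ips in probes_by_day(lines).items():
        if len(ips) <= baseline_ips:
            continue
        ua_count = defaultdict(int)
        for uas in ips.values():
            for ua in uas:
                ua_count[ua] += 1
        # A single dominant user agent hints at shared tooling behind the surge.
        top_ua, n = max(ua_count.items(), key=lambda kv: kv[1])
        out[day] = (len(ips), top_ua, n / len(ips))
    return out

# Constructed sample data using documentation IP ranges (not real scanner addresses).
def _line(ip, day, path, ua):
    return f'{ip} - - [{day}:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36"
SAMPLE = (
    [_line(f"192.0.2.{i}", "25/Aug/2025", ASA_LOGON_PATH, "curl/8.0") for i in range(1, 4)]
    + [_line(f"198.51.100.{i}", "26/Aug/2025", ASA_LOGON_PATH, CHROME) for i in range(1, 41)]
    + [_line("203.0.113.9", "26/Aug/2025", "/index.html", CHROME)]
)

if __name__ == "__main__":
    print(surge_days(SAMPLE, baseline_ips=5))  # baseline_ips is a local, assumed threshold
```

The under-500-IPs-per-day figure in the article is GreyNoise's sensor-wide baseline, so `baseline_ips` should be derived from your own historical logs rather than copied from it.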