Edward Kiledjian's Threat Intel

Surge in network scans targeting Cisco ASA devices raises concerns www.bleepingcomputer.com/news/secu…

Large network scans have been targeting Cisco ASA devices, prompting warnings from cybersecurity researchers that the activity could indicate an upcoming flaw in the products. GreyNoise recorded two significant scanning spikes in late August, with up to 25,000 unique IP addresses probing ASA login portals as well as Cisco IOS Telnet/SSH. The second wave, logged on August 26, 2025, was largely (80%) driven by a Brazilian botnet using roughly 17,000 IPs. The scanning activity predominantly targeted the United States, while the UK and Germany were also targeted.

GreyNoise has previously explained that such reconnaissance activity precedes the disclosure of new vulnerabilities in the scanned products in 80% of cases. These scans are commonly failed exploitation attempts of already-patched bugs, but they can also be enumeration and mapping efforts in preparation for exploiting new flaws.

System administrators are advised to apply the latest security updates on Cisco ASA to patch known vulnerabilities, enforce multi-factor authentication (MFA) for all remote ASA logins, and avoid exposing /+CSCOE+/logon.html, WebVPN, Telnet, or SSH directly.
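
One way to watch your own perimeter logs for the kind of spike described above, as an added example that is not part of the original post. It counts unique source IPs requesting the ASA login page per day and flags days far above the earlier baseline. The log format, function names and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed line format (constructed): "<ISO timestamp> <src ip> <method> <path>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+\s+(\S+)\s+(GET|POST)\s+(\S+)")
ASA_LOGIN_PATH = "/+CSCOE+/logon.html"  # path named in the advice above

def daily_unique_sources(lines):
    """Map each day to the set of source IPs that requested the ASA login page."""
    per_day = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        day, src, _method, path = m.groups()
        # Drop any query string so "/+CSCOE+/logon.html?x=1" still counts.
        if path.split("?", 1)[0] == ASA_LOGIN_PATH:
            per_day[day].add(src)
    return dict(per_day)

def spike_days(per_day, factor=3.0, min_sources=3):
    """Return days whose unique-source count exceeds factor x the median of earlier days."""
    flagged = []
    days = sorted(per_day)
    for i, day in enumerate(days):
        history = [len(per_day[d]) for d in days[:i]]
        count = len(per_day[day])
        if history and count >= min_sources and count > factor * median(history):
            flagged.append(day)
    return flagged

# Constructed sample lines; addresses come from documentation ranges.
SAMPLE = [
    "2025-08-24T09:12:01Z 192.0.2.10 GET /+CSCOE+/logon.html",
    "2025-08-24T11:40:17Z 198.51.100.7 GET /index.html",
    "2025-08-25T08:03:44Z 192.0.2.10 GET /+CSCOE+/logon.html",
    "2025-08-26T02:00:01Z 203.0.113.1 GET /+CSCOE+/logon.html",
    "2025-08-26T02:00:02Z 203.0.113.2 GET /+CSCOE+/logon.html?reason=1",
    "2025-08-26T02:00:02Z 203.0.113.3 POST /+CSCOE+/logon.html",
    "2025-08-26T02:00:03Z 203.0.113.4 GET /+CSCOE+/logon.html",
    "2025-08-26T02:00:03Z 203.0.113.4 GET /+CSCOE+/logon.html",
    "garbled line without fields",
]

if __name__ == "__main__":
    per_day = daily_unique_sources(SAMPLE)
    print({d: len(s) for d, s in sorted(per_day.items())})
    print("spike days:", spike_days(per_day))
```

Tune `factor` and `min_sources` to your own baseline, since a portal that normally sees many remote users needs a higher floor than one that should see none.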