Cisco has just released two new vulnerabilities affecting its Adaptive Security Appliance (ASA) that have been marked as zero-day (CVE-2025-20333 and CVE-2025-20362). In fact, cybercriminals have already used these vulnerabilities in successful real-world attacks. This permissive environment has opened the door to deployment of dangerous malware families such as RayInitiator and LINE VIPER. The announcement is alarming both due to the security posture of Cisco ASA devices and because it opens the door to exploit that can be used at scale.
In early September 2025, GreyNoise observed a massive uptick in scanning activity targeting Cisco ASA devices. More than 1,300 distinct IP addresses were included in this sudden torrent. Clearly though, the majority of these IP addresses are from the US. We’ve seen that smaller dynamic in the United Kingdom, the Netherlands, Canada, and Russia as well. What’s more, 93% of these IP addresses have been identified as suspicious, with the other 7% considered malicious.
Disturbing Trends in Scanning Activity
GreyNoise observed a significant increase in attack scanning activity targeted towards Cisco ASA devices. This incident appears to be similar to the recent trend targeting Palo Alto Networks’ PAN-OS GlobalProtect gateways. For some reason on October 3, 2025 unique IP addresses probing admin portals of Palo Alto Networks rose to nearly 6000. It jumped almost 500%, reaching a staggering new high of more than 25,100 IP addresses.
“This Palo Alto surge shares characteristics with Cisco ASA scanning occurring in the past 48 hours,” noted GreyNoise. The organization further clarified that in both scanning occurrences there was regional clustering. They pointed out that there was a surprising amount of overlap in the tools used by attackers.
The targeted scanning of Palo Alto login portals provides a simple pattern. This reflects a cynical, but calculated, effort to take advantage of known weaknesses to further their agenda. GreyNoise just made public a pretty fascinating dataset. Both Cisco ASA and Palo Alto login scanning traffic are highly indicative by a clear TSL fingerprint associated with infrastructure in the Netherlands.
Warning for Customers
It’s a positive sign that leaders like Palo Alto Networks have been paying attention to these developments. They strongly encourage their clients to always use the most recent versions of their software. “The security of our customers is always our top priority,” stated a representative from Palo Alto Networks. This forward-looking approach strongly reinforces the company’s dedication to safeguarding users against new and evolving threats.
With today’s surge in brutal scanning activity, this is a troubling trend for organizations. It’s particularly focused on Cisco ASA and Palo Alto Networks devices, which has security practitioners worried. As attackers become more sophisticated in their methods, it is crucial for companies to remain vigilant and implement necessary security measures.