The Canary in the Coal Mine
Back in August 2025, GreyNoise observed something unusual: over 25,000 unique IPs suddenly started scanning Cisco ASA devices in coordinated waves. This wasn’t normal internet background noise - the typical baseline sat under 500 IPs daily. Something was brewing.
Fast forward to late September, and Cisco disclosed two zero-day vulnerabilities being actively exploited in the wild: CVE-2025-20362 and CVE-2025-20333. The same attack surface that GreyNoise saw being probed weeks earlier.
This is a textbook case of threat intelligence predicting real-world exploitation. Here’s what happened, why it matters, and what you need to do if you’re running Cisco ASA or FTD.
What GreyNoise Saw
The scanning campaign that GreyNoise detected in late August had clear markers:
- Massive volume spike: 25,000+ unique IPs in a single burst
- Specific targeting: /+CSCOE+/logon.html - the ASA web login portal
- Coordinated behavior: Overlapping client signatures, spoofed Chrome user-agents
- Botnet attribution: ~80% of IPs shared a common fingerprint, 64% originating from Brazil
- Multi-vector probing: Subsets also scanned Cisco IOS Telnet/SSH and ASA software personas
This wasn’t opportunistic scanning. This was reconnaissance for a planned attack.
GreyNoise’s full analysis is worth reading - they caught the early warning signals that most organizations missed.
The Vulnerabilities
When chained together, these two CVEs give an unauthenticated attacker complete control of your firewall.
CVE-2025-20362: Path Traversal Authentication Bypass
A path normalization issue allows unauthenticated attackers to access restricted URL endpoints. This is actually a patch bypass of CVE-2018-0296 - an older vulnerability that apparently wasn’t fully fixed. The exploit is trivial.
- CVSS Score: Critical
- Attack Vector: Unauthenticated, remote
- Impact: Authentication bypass
CVE-2025-20333: Heap Buffer Overflow RCE
A heap-based buffer overflow in a Lua endpoint leads to root-level remote code execution. Improper validation of HTTP(S) request input is the root cause. While not trivial to exploit on its own, when combined with CVE-2025-20362…
- CVSS Score: Critical
- Attack Vector: Remote (requires auth normally, but bypass via CVE-2025-20362)
- Impact: Complete system compromise
The Exploitation Chain
No credentials needed. Full control achieved through chaining these two vulnerabilities.
Who’s Behind This
The attack campaign is attributed to UAT4356 (also known as Storm-1849), the same threat actor behind the ArcaneDoor campaign from April 2024. They primarily target government networks worldwide for data exfiltration.
This is nation-state level sophistication, but once exploits are public, the risk expands far beyond government targets.
The Current Threat
As of November 2025, these vulnerabilities are being actively exploited in the wild. CISA added both to its Known Exploited Vulnerabilities Catalog and issued Emergency Directive ED 25-03 ordering federal agencies to identify and mitigate potential compromises.
On November 5, Cisco reported a new attack variant that can cause unpatched devices to unexpectedly reload, leading to denial of service conditions. The threat is evolving.
What You Need to Do Right Now
If you’re running Cisco ASA or FTD, here’s your action plan:
1. Identify Affected Devices
Cisco ASA and FTD devices with web services enabled are vulnerable. Check your inventory:
# SSH into your ASA/FTD and check version
show version
Affected versions span ASA and FTD software. Consult Cisco’s advisory for the full list.
2. Apply Patches Immediately
Cisco has released patches. There is no workaround - you must patch.
- Download updates from Cisco’s Security Center
- Test in a lab environment if possible
- Deploy to production with an emergency change window
3. Check for Compromise
These vulnerabilities were exploited as zero-days before disclosure. You need to check if you’ve already been compromised:
Log Analysis:
- Review web service access logs for unusual /+CSCOE+/ requests
- Look for unexpected authenticated sessions
- Check for configuration changes you didn’t make
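The two log checks above (unusual /+CSCOE+/ requests and a surge in unique source IPs against the sub-500-per-day baseline from the GreyNoise section) as a small, added example that is not part of the original post or any Cisco/GreyNoise tooling. It assumes a generic combined-log format for the web service access log and a constructed sample; the allowlist of expected portal pages and the baseline threshold are assumptions you would tune for your own deployment.

```python
import re
from collections import defaultdict

# Generic combined-log format is assumed here; adapt LOG_RE to your own log source.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Endpoints a legitimate portal user is expected to hit (assumption; extend for your deployment).
EXPECTED_PORTAL_PATHS = {"/+CSCOE+/logon.html"}

def parse_log(text):
    """Return one dict per parseable line; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records

def unusual_cscoe_requests(records):
    """Requests under /+CSCOE+/ whose path is not one of the expected portal pages."""
    return [r for r in records
            if r["path"].startswith("/+CSCOE+/")
            and r["path"].split("?")[0] not in EXPECTED_PORTAL_PATHS]

def portal_ips_per_day(records):
    """Number of unique source IPs touching the portal, keyed by day."""
    per_day = defaultdict(set)
    for r in records:
        if r["path"].startswith("/+CSCOE+/"):
            per_day[r["day"]].add(r["ip"])
    return {day: len(ips) for day, ips in per_day.items()}

def detect_surges(records, baseline=500):
    """Days whose unique portal-client count exceeds the normal baseline (post: under 500/day)."""
    return sorted(day for day, n in portal_ips_per_day(records).items() if n > baseline)

def make_line(ip, day, path, status="200"):
    """Builds one constructed log line for the demo sample below."""
    return f'{ip} - - [{day}:09:00:00 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0 Chrome/120"'

# Constructed sample: 3 normal logons on 20 Aug, then 600 distinct IPs hitting the portal on 21 Aug,
# one of which probes a +CSCOE+ page that is not on the expected list.
SAMPLE_LOG = "\n".join(
    [make_line(f"10.0.0.{i}", "20/Aug/2025", "/+CSCOE+/logon.html") for i in range(1, 4)]
    + [make_line(f"203.0.{i // 250}.{i % 250}", "21/Aug/2025", "/+CSCOE+/logon.html") for i in range(600)]
    + [make_line("198.51.100.9", "21/Aug/2025", "/+CSCOE+/some_other_page.html", "404")])

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("surge days:", detect_surges(recs))
    print("unusual:", [(r["ip"], r["path"]) for r in unusual_cscoe_requests(recs)])
```

Feed it your exported access log instead of SAMPLE_LOG; a surge day or any unexpected +CSCOE+ path is a lead for the session and configuration checks, not proof of compromise on its own.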
Network Traffic:
- Enable Snort rules 65340 (CVE-2025-20333) and 46897 (CVE-2025-20362)
- Monitor for lateral movement from firewall IPs
- Look for data exfiltration patterns
System Integrity:
- Compare current running config against known-good backups
- Check for unauthorized user accounts
- Review VPN configurations for backdoor access
If you find indicators of compromise, assume breach and initiate incident response. These actors are after data exfiltration.
4. Harden Configuration
While patching is the only fix, defense in depth matters:
- Restrict management interface access to trusted networks only
- Implement strict IP allowlisting for administrative access
- Enable multi-factor authentication for all accounts
- Monitor and alert on configuration changes
- Keep detailed logs and ship them to a SIEM
5. Consider Alternatives
If you can’t patch immediately (legacy devices, vendor support issues, etc.), you have two options:
Option A: Disable Web Services
If you don’t need ASDM or WebVPN, disable web services entirely:
no http server enable
This removes the attack surface but also removes management capabilities.
Option B: Network Isolation
Place ASA/FTD devices behind additional security controls and restrict access from the internet. Not a solution, but it buys time.
The Bigger Picture
This incident highlights why threat intelligence matters. GreyNoise’s detection of scanning surges in August gave defenders weeks of advance warning - if they were paying attention.
Most organizations aren’t monitoring internet-wide scanning behavior. They’re reactive, waiting for vendor advisories. By the time CVEs are public, exploitation is often already underway.
The attackers were conducting reconnaissance in August. Exploits went public in September. Active campaigns ramped up through October. If you’re patching now in November, you’re already behind.
Lessons Learned
For Security Teams:
- Threat intelligence isn’t just IOCs and CVSS scores - behavioral analysis matters
- Scanning surges often precede exploitation campaigns
- Zero-days aren’t always zero-days by the time you hear about them
For IT Managers:
- Emergency patching processes need to be faster
- Network segmentation limits blast radius when perimeter devices are compromised
- Security vendors can’t be your only source of truth
For Everyone:
- The time between reconnaissance and exploitation is shrinking
- Nation-state tools become commodity exploits within weeks
- Perimeter devices are high-value targets - treat them accordingly
Final Thoughts
The Cisco ASA/FTD vulnerabilities are a wake-up call. Not because they’re uniquely severe - critical RCE bugs happen. But because the attack timeline was visible weeks in advance for anyone watching the right signals.
GreyNoise published their analysis. The scanning data was there. The reconnaissance was observable. And yet, most organizations didn’t know they were being targeted until Cisco published the CVEs.
If you’re running Cisco ASA or FTD, patch now. If you’ve already been compromised, you’re in incident response mode.
And if you’re not monitoring threat intelligence beyond vendor advisories, you’re fighting yesterday’s war.
Resources: