IOCs (which should probably be linked on the Cisco support page)

https://blog.talosintelligence.com/uat-9686/

172.233.67.176 (linode)
172.237.29.147 (linode)
38.54.56.95 (Kaopu Cloud HK Limited)

I suspect probably China, has overlaps with a group doing Cisco ASA backdooring with #CyberWillyWave a few months ago

UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager

Cisco Talos is tracking the active targeting of Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA).

CISA are warning US government organisations they still haven't patched for #CyberWillyWave. Which is true. New scan data coming at the weekend.

https://www.bleepingcomputer.com/news/security/cisa-warns-feds-to-fully-patch-actively-exploited-cisco-flaws/

CISA warns feds to fully patch actively exploited Cisco flaws

CISA warned federal agencies to fully patch two actively exploited vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firepower devices.

Btw - one observation from the #CyberWillyWave ASA data - fewer devices respond each time I scan. They’re not blocking me - the devices are just offline.

I know a few regional CERTs have been using the data to inform orgs to patch, I think what’s happening is orgs are finding they have old devices and are nuking them. I’m free attack surface management!

My Cisco ASA firmware versions scan is now updated: https://github.com/GossiTheDog/scanning/blob/main/Cisco-ASA-firmware-updates-CVE-2025-20333-CVE-2025-20363-CVE-2025-20362.csv

Fields:
IP,hostnames,FirmwareVersionKnown,FirmwareModifiedDate,Errors

Dates are UK date format - DD/MM/YY

If FirmwareModifiedDate is below */08/25, the device is vulnerable to #CyberWillyWave as the fixed firmware was compiled August 2025 or later.

New scan running now, results on probably Wednesday.

Patch rates are at 25% complete, two weeks in.

Y'all probably want to patch.

My Cisco ASA firmware versions scan is now updated: https://github.com/GossiTheDog/scanning/blob/main/Cisco-ASA-firmware-updates-CVE-2025-20333-CVE-2025-20363-CVE-2025-20362.csv

Fields:
IP,hostnames,FirmwareVersionKnown,FirmwareModifiedDate,Errors

Dates are UK date format - DD/MM/YY

If FirmwareModifiedDate is below */08/25 or */09/25, the device is vulnerable to #CyberWillyWave as the fixed firmware was compiled August 2025 or later.

New scan running now, results at weekend.

Patch rates are at 22% complete, two weeks in.

Y'all probably want to patch.

My Cisco ASA firmware versions scan is now updated: https://github.com/GossiTheDog/scanning/blob/main/Cisco-ASA-firmware-updates-CVE-2025-20333-CVE-2025-20363-CVE-2025-20362.csv

Fields:
IP,hostnames,FirmwareVersionKnown,FirmwareModifiedDate,Errors

Dates are UK date format - DD/MM/YY

If FirmwareModifiedDate is below */08/25 or */09/25, the device is vulnerable to #CyberWillyWave as the fixed firmware was compiled August 2025 or later.

New scan running now, results at midweek.

Patch rates are still below 20%.

Edit: #CyberWillyWave

My Cisco ASA firmware versions scan is now public: https://github.com/GossiTheDog/scanning/blob/main/Cisco-ASA-firmware-updates-CVE-2025-20333-CVE-2025-20363-CVE-2025-20362.csv

Fields:
IP,hostnames,FirmwareVersionKnown,FirmwareModifiedDate,Errors

Dates are UK date format - DD/MM/YY

If FirmwareModifiedDate is below */08/25 or */09/25, the device is vulnerable to #CyberWillyWave as the firmware was compiled August 2025 or later.

New scan running now, results at weekend.

It gives you a very good indication as to how regularly orgs patch, e.g.

I had to restart the #CyberWillyWave ASA scan as my server restarted (RIP), but it looks a bit better today - approx. 10% patched now, 5 days in.
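
For defenders who want to check their own address space against the CSV described in the posts above, here is an added example (not the author's code or part of the thread). It assumes the five-column header quoted in the posts, DD/MM/YY dates, and a cutoff of 1 August 2025; the sample rows, the `yes`/`no` values and the function names are constructed for illustration.

```python
import csv
import io
import ipaddress
from datetime import date, datetime

# Cutoff per the posts: fixed firmware was compiled August 2025 or later.
FIXED_FROM = date(2025, 8, 1)

# Constructed sample rows (documentation IP ranges, made-up hostnames and values).
SAMPLE_CSV = """IP,hostnames,FirmwareVersionKnown,FirmwareModifiedDate,Errors
192.0.2.10,vpn.example.org,yes,14/03/24,
192.0.2.11,"fw1.example.org,fw2.example.org",yes,22/08/25,
198.51.100.7,,no,,timeout
203.0.113.5,asa.example.net,yes,01/07/25,
"""

def classify(row, fixed_from=FIXED_FROM):
    """Return 'vulnerable', 'patched' or 'unknown' for one CSV row."""
    raw = (row.get("FirmwareModifiedDate") or "").strip()
    if not raw:
        return "unknown"  # scan error or no firmware date recovered
    try:
        # UK format, two-digit year: DD/MM/YY
        built = datetime.strptime(raw, "%d/%m/%y").date()
    except ValueError:
        return "unknown"  # never guess at a malformed date
    return "vulnerable" if built < fixed_from else "patched"

def triage(csv_text, my_networks, fixed_from=FIXED_FROM):
    """Map each listed IP inside my_networks (CIDR strings) to its status."""
    nets = [ipaddress.ip_network(n) for n in my_networks]
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ip = ipaddress.ip_address((row.get("IP") or "").strip())
        except ValueError:
            continue  # skip rows without a parseable address
        if any(ip in net for net in nets):
            results[str(ip)] = classify(row, fixed_from)
    return results

if __name__ == "__main__":
    mine = ["192.0.2.0/24", "198.51.100.0/24"]
    for ip, status in triage(SAMPLE_CSV, mine).items():
        print(ip, status)
```

Rows marked `unknown` still need a manual check, since a missing date says nothing about the firmware actually running.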