If you like China goes brr and cyber willy waves, today will be a good day
These are really important to patch btw, it's unauth RCE in Cisco AnyConnect/ASA and yes - zero day, despite the wording. China goes brrr, expect the interweb to get plastered with details soon. #CyberWillyWave

To find your org on .@shodan search for:

"acSamlv2Error=" "webvpnc=" "Cache-Control: no-store"

Then add org:YourOrg or ssl:YourOrg

#CyberWillyWave

25,000 IPs Scanned Cisco ASA Devices — New Vulnerability Potentially Incoming

GreyNoise observed two scanning surges against Cisco Adaptive Security Appliance (ASA) devices in late August, including more than 25,000 unique IPs in a single burst. This activity represents a significant elevation above baseline, which typically registers at less than 500 IPs per day.

Cisco Event Response: Continued Attacks Against Cisco Firewalls

Fixed versions, get to the ones highlighted in yellow ASAP as China goes double brr now

#CyberWillyWave

If you're on an unsupported ASA release you want to put it in the bin. If it didn't have secure boot, woops.

#CyberWillyWave

If anybody knows anybody at CISA, they have wrong/non-existent CVE on their executive order thingy, it's a typo that needs fixing. Edit: fixed.

With the Cisco blog, it reads like there is no problem.. but like, RCE vuln is RCE and still a problem.

Just because secure boot works (yay btw) doesn't mean there's no problem - of course there'll be no evidence on the box.

#CyberWillyWave

Interestingly, although the Cisco blog says the USG approached them in May 2025, the first vuln - CVE-2025-20333 - was fixed just over a year ago (around September 2024 product updates).

Another angle to that - it suggests a whole lot of orgs don't patch Cisco ASA edge devices. Which we already know from the Akira ransomware incidents -- which were using 5 year old vulns.

Just remembered I hashtagged all this #CyberWillyWave. One way to avoid being quoted in the media, unlocked!

I've identified a way to establish if a box is vulnerable to #CyberWillyWave and started internet scanning, 90k boxes in progress.

Results probably at weekend if I'm bored or early next week.

Spoiler: a lot of orgs don't patch their Cisco edge devices. To be vuln to the full chain you have to be over a year behind with updates... and most orgs are over a year behind.

Damn it, using #CyberWillyWave to hide online didn’t work

From #CyberWillyWave scanning at weekend:

45210 ASAs with WebVPN enabled
1250 ASAs patched for all three CVEs
43960 vulnerable ASAs remaining

97.24% remain vulnerable

Scans rerunning

The good news with that one btw is it's unlikely to become a thing e-crime groups exploit as it's too technically complex, it's just nation state espionage - so the operational impact should be low.

The bad news is that as e-crime groups become more rich, they may invest in AnyConnect exploits - if you paid something like $2m for an ASA exploit, you'd make it back no problem, even if an n-day as almost nobody patches.

*.gov.uk is less than 1% patched btw, many of the systems haven't been patched for years - the dates are firmware versions. The US federal government is only marginally better. I'm guessing orgs don't even know where they have ASA.

The plan is to start publishing the data publicly since I don't think anybody has an understanding of what the real world looks like.

#CyberWillyWave

I had to restart the #CyberWillyWave ASA scan as my server restarted (RIP), but it looks a bit better today - approx. 10% patched now, 5 days in.

My Cisco ASA firmware versions scan is now public: https://github.com/GossiTheDog/scanning/blob/main/Cisco-ASA-firmware-updates-CVE-2025-20333-CVE-2025-20363-CVE-2025-20362.csv

Fields:
IP,hostnames,FirmwareVersionKnown,FirmwareModifiedDate,Errors

Dates are UK date format - DD/MM/YY

If FirmwareModifiedDate is below */08/25 or */09/25, the device is vulnerable to #CyberWillyWave as the firmware was compiled August 2025 or later.

New scan running now, results at weekend.
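An added example (not the author's scanner and not code from the linked repository) showing how to triage the published CSV: it assumes the five-field layout listed above, parses the DD/MM/YY dates, and applies the cutoff as corrected later in the thread (fixed firmware is compiled August 2025 or later, so an earlier build date means the device is still vulnerable). The sample rows, IPs and dates are constructed for illustration, and the CIDR list used to pull out "your" devices is a placeholder.

```python
import csv
import io
import ipaddress
from datetime import date, datetime

# Constructed sample rows in the CSV's field layout
# (IP,hostnames,FirmwareVersionKnown,FirmwareModifiedDate,Errors).
# Addresses, hostnames and dates here are made up for illustration.
SAMPLE_CSV = """IP,hostnames,FirmwareVersionKnown,FirmwareModifiedDate,Errors
192.0.2.10,vpn.example.test,True,14/08/25,
192.0.2.11,,True,03/12/21,
192.0.2.12,asa.example.test,True,27/09/25,
192.0.2.13,,True,30/07/25,
192.0.2.14,,False,,timeout
"""

# Fixed builds for CVE-2025-20333 / -20362 / -20363 were compiled August 2025
# or later, so a firmware build date before 1 August 2025 is treated as
# vulnerable. The exact cutoff day is an assumption; check the version
# against Cisco's advisory before closing a ticket on it.
FIX_CUTOFF = date(2025, 8, 1)


def parse_uk_date(text):
    """Parse the CSV's DD/MM/YY date; return None when blank or malformed."""
    try:
        return datetime.strptime((text or "").strip(), "%d/%m/%y").date()
    except ValueError:
        return None


def classify_row(row, cutoff=FIX_CUTOFF):
    """Return 'patched', 'vulnerable' or 'unknown' for one CSV row.

    Only the build date is used; rows where the scanner recorded no date
    (errors, unknown firmware) are reported as unknown rather than guessed.
    """
    built = parse_uk_date(row.get("FirmwareModifiedDate"))
    if built is None:
        return "unknown"
    return "patched" if built >= cutoff else "vulnerable"


def summarise(csv_text, cutoff=FIX_CUTOFF):
    """Count devices per status and return the vulnerable IPs plus the
    percentage still vulnerable among devices with a usable build date."""
    counts = {"patched": 0, "vulnerable": 0, "unknown": 0}
    vulnerable_ips = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify_row(row, cutoff)
        counts[status] += 1
        if status == "vulnerable":
            vulnerable_ips.append(row["IP"])
    assessed = counts["patched"] + counts["vulnerable"]
    pct = 100.0 * counts["vulnerable"] / assessed if assessed else 0.0
    return counts, vulnerable_ips, pct


def rows_in_networks(csv_text, cidrs):
    """Return the rows whose IP falls inside any of the given CIDR ranges,
    i.e. the way an org would find its own ASAs in the 90k-line file."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            addr = ipaddress.ip_address(row["IP"].strip())
        except ValueError:
            continue
        if any(addr in net for net in nets):
            hits.append(row)
    return hits


if __name__ == "__main__":
    counts, ips, pct = summarise(SAMPLE_CSV)
    print(counts)
    print(f"{pct:.2f}% of devices with a known build date remain vulnerable")
    # Placeholder range standing in for "your" public address space.
    for row in rows_in_networks(SAMPLE_CSV, ["192.0.2.8/30"]):
        print(row["IP"], row["FirmwareModifiedDate"] or "-", classify_row(row))
```

Replace `SAMPLE_CSV` with the downloaded file's contents and the placeholder CIDR with your own prefixes. Rows without a date are deliberately counted as unknown, not patched; a build date older than the cutoff is a strong signal but the authoritative check is the running version against Cisco's fixed-release table.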

It gives you a very good indication as to how regularly orgs patch, e.g.

Gotta make sure we buy magic boxes to defend against AI GenV cyber mega attacks and quantum

My Cisco ASA firmware versions scan is now updated: https://github.com/GossiTheDog/scanning/blob/main/Cisco-ASA-firmware-updates-CVE-2025-20333-CVE-2025-20363-CVE-2025-20362.csv

Fields:
IP,hostnames,FirmwareVersionKnown,FirmwareModifiedDate,Errors

Dates are UK date format - DD/MM/YY

If FirmwareModifiedDate is below */08/25 or */09/25, the device is vulnerable to #CyberWillyWave as the fixed firmware was compiled August 2025 or later.

New scan running now, results at midweek.

Patch rates are still below 20%.

Edit: #CyberWillyWave

My Cisco ASA firmware versions scan is now updated: https://github.com/GossiTheDog/scanning/blob/main/Cisco-ASA-firmware-updates-CVE-2025-20333-CVE-2025-20363-CVE-2025-20362.csv

Fields:
IP,hostnames,FirmwareVersionKnown,FirmwareModifiedDate,Errors

Dates are UK date format - DD/MM/YY

If FirmwareModifiedDate is below */08/25 or */09/25, the device is vulnerable to #CyberWillyWave as the fixed firmware was compiled August 2025 or later.

New scan running now, results at weekend.

Patch rates are at 22% complete, two weeks in.

Y'all probably want to patch.

@GossiTheDog I think you have a typo, compiled August 2025 or *earlier* (not later)
@GossiTheDog Hmmm....all of my boxes are still missing from the list (they are patched on 9.23.1.19). You can DM me if you want any IP/hostnames as samples.
@GossiTheDog Can you share which file you query to get the firmware date?
@GossiTheDog cheers Kev, appreciated.

@GossiTheDog
Enterprises don't patch shit.

Srsly. My job is software for enterprise-scale storage systems, and all the data we get from the field says that our median customer is parked on a release from, like, 2018. They only upgrade if they do a hardware expansion and the new hardware is incompatible with the old release.

Because there's this attitude of "if you don't touch it, it won't break"

@GossiTheDog thank you, can you share what date you started your scan on for that data?
@GossiTheDog Odd, all 5 of my units are public facing and several of them are on port 443 with SSL VPN enabled...but they didn't make the list.
@GossiTheDog would you mind sharing the methodology that you used to fingerprint the firmware modification date now that you published your list? I’d love to see if my new employer is also still vulnerable 🤭
@GossiTheDog hey Kevin, are there any plans to drop the output of your scan onto your GitHub repo?

@GossiTheDog Aww... ASA. One of my favorites during the MPG security scan. ;-P

.oO( for some impressions: https://pure.mpg.de/pubman/faces/ViewItemOverviewPage.jsp?itemId=item_3532055 / https://doi.org/10.17617/2.3532055 )

Report on the Security State of Networks of Max-Planck Institutes : Findings and Recommendations :: MPG.PuRe

Author: Fiebig, Tobias; Genre: Report; Published online: 2023; Open Access; Title: Report on the Security State of Networks of Max-Planck Institutes : Findings and Recommendations

@GossiTheDog problem with outsourcing and contract sourcing… there is no "ownership" anywhere! It was originally built to delegate responsibility, well, what goes around comes around!
@GossiTheDog Do publish the data. I'm interested, at least in the part that reflects my country. I'll alert the relevant orgs. Not that it would help much but it's my duty.
@GossiTheDog probably their response will be to label cyberwillywave a terrorist threat 😐

@GossiTheDog I'm curious if any of the more offense-oriented feds are either thinking about(or have quietly already started) just unmanged service provider-ing unpatched friendly entities.

It'd almost certainly be legally dubious; but has to be someone at the NSA/GCHQ/etc who is just tearing their hair out knowing that someone is going to run the exploit; and if it were them they could either patch or brick to get the hole closed; while others will likely be worse.

@GossiTheDog I guess you could ask NCSC to comment?
The individual councils (bexley etc) are probably impossible for anyone to push, but you'd think *someone* should be looking after justice.gov.uk
@GossiTheDog How much of your diet is popcorn? 🙈
@GossiTheDog ...only 1,250? We're responsible for 4 of those 🤣
@GossiTheDog For a second, I read "45210 ASs" and thought "we're cooked." We still are, but marginally less, I guess.
@GossiTheDog did you end up fingerprinting the version and just back solving from there if a system is vulnerable or directly testing for the vulnerability?
@GossiTheDog Congratulations to our very own Kevina Beaumonta!
@GossiTheDog keep up with the naming conventions, it makes the communication at work much more fun 😆

@GossiTheDog To be fair, Cisco have an old reputation that it's unwise to change an IOS which has been found to be working.

Big C has improved a lot on this front, but they had decades to ingrain a disdain for touching the IOS unless absolutely necessary in any packet plumber.

@GossiTheDog missed the one before this toot
@GossiTheDog Cisco TAC is telling me that IPSec should not be impacted (as expected), but it seems that changing to IPSec is not very trivial 😭
@GossiTheDog missed one post (HEAD~2 relative to this post)

@GossiTheDog ASA patches often broke things. Not great for 24/7 VPN tunnels or remote access to infrastructure. SOP was patch when CISA said the sky was falling. Then remediate all of the discrepancies between old/new and GUI/cli.

I don't use them any more, but still have old ones that really need to be recycled, lest they be re-purposed by some cheapskate (me included).

Same can be said for SonicWalls. Especially small businesses without staff. Some MSPs won't patch them unless somebody screams about it.

@GossiTheDog Cisco ASA EOL timeline has been announced like 2021? Sure, HW support until next year, but orgs who still haven't replaced the platform now are running it awfully close (with probably no one left to do it anyway).
@GossiTheDog yeah I wasn't sure what the takeaway really was with secure boot / trust anchors. Seems like if the firmware is RCEable just because they can't install persistence it doesn't stop them manipulating the configuration.
@GossiTheDog @greynoise oh man, I just got to drop the BEST "I told you so" at work

@GossiTheDog @shodan You think the Bulgarian Council of Ministers producing 10 hits would be a cause for concern?

https://www.shodan.io/search?query=%22acSamlv2Error%3D%22+%22webvpnc%3D%22+%22Cache-Control%3A+no-store%22+country%3A%22BG%22+org%3A%22Council+of+Ministers%22

Nahh, it's probably fine. Nothing critical - just the ruling government body that doesn't do anything useful anyway.

@GossiTheDog where are you getting the "unauth" data from? I still haven't seen anything from Cisco or any other threat intel sources that show that.

I look forward to your write-up/scan results/whatever. I'm just curious about the unauth portion, because that's a huge gap and the responsibility of Cisco to bear.

NCSC warns of persistent malware campaign targeting Cisco devices

Latest malware analysis report helps organisations detect and mitigate malicious activity targeting certain Cisco devices.

@GossiTheDog My impression is that Cisco AnyConnect has had a stream of exploited vulnerabilities over the last 5 years. I've been very glad my employer moved off it.
@GossiTheDog Are there any exciting vulnerabilities for ASAs that do not have any VPN enabled?