If you like China goes brr and cyber willy waves, today will be a good day
These are really important to patch btw, it's unauth RCE in Cisco AnyConnect/ASA and yes - zero day, despite the wording. China goes brrr, expect the interweb to get plastered with details soon. #CyberWillyWave

To find your org on .@shodan search for:

"acSamlv2Error=" "webvpnc=" "Cache-Control: no-store"

Then add org:YourOrg or ssl:YourOrg

#CyberWillyWave

25,000 IPs Scanned Cisco ASA Devices — New Vulnerability Potentially Incoming

GreyNoise observed two scanning surges against Cisco Adaptive Security Appliance (ASA) devices in late August including more than 25,000 unique IPs in a single burst. This activity represents a significant elevation above baseline, typically registering at less than 500 IPs per day.

Cisco Event Response: Continued Attacks Against Cisco Firewalls

Fixed versions, get to the ones highlighted in yellow ASAP as China goes double brr now

#CyberWillyWave

If you're on an unsupported ASA release you want to put it in the bin. If it didn't have secure boot, whoops.

#CyberWillyWave

If anybody knows anybody at CISA, they have a wrong/non-existent CVE on their executive order thingy, it's a typo that needs fixing. Edit: fixed.

With the Cisco blog, it reads like there is no problem.. but like, RCE vuln is RCE and still a problem.

Just because secure boot works (yay btw) doesn't mean there's no problem - of course there'll be no evidence on the box.

#CyberWillyWave

@GossiTheDog yeah I wasn't sure what the takeaway really was with secure boot / trust anchors. Seems like if the firmware is RCEable, just because they can't install persistence, it doesn't stop them manipulating the configuration.