GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. Embed this notice
    Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 25-Sep-2025 22:55:07 JST Kevin Beaumont Kevin Beaumont

    If you like China goes brr and cyber willy waves, today will be a good day

    In conversation about 5 months ago from cyberplace.social permalink

    Attachments


    1. https://cyberplace.social/system/media_attachments/files/115/265/265/492/790/925/original/eaa897e793292fc4.jpeg
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 26-Sep-2025 01:11:38 JST Kevin Beaumont Kevin Beaumont
      in reply to

      These are really important to patch btw, it's unauth RCE in Cisco AnyConnect/ASA. China goes brrr, expect the interweb to get plastered with details soon.

      In conversation about 5 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 26-Sep-2025 01:11:40 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Two new CVEs for Cisco AnyConnect

      CVE-2025-20333
      CVE-2025-20363

      First is under active exploitation

      https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB

      https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O

      #CyberWillyWave

      In conversation about 5 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/115/265/772/922/403/582/original/145a7282858a166a.png
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 26-Sep-2025 01:16:22 JST Kevin Beaumont Kevin Beaumont
      in reply to

      To find your org on .@shodan search for:

      "acSamlv2Error=" "webvpnc=" "Cache-Control: no-store"

      Then add org:YourOrg or ssl:YourOrg

      In conversation about 5 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/115/265/826/565/334/635/original/95ddf74c16d5ad8b.png

      2. https://cyberplace.social/system/media_attachments/files/115/265/828/081/742/785/original/381571bd71d3249f.png
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 26-Sep-2025 01:19:32 JST Kevin Beaumont Kevin Beaumont
      in reply to

      And yes, @greynoise caught #CyberWillyWave as soon as it started. https://www.greynoise.io/blog/scanning-surge-cisco-asa-devices

      In conversation about 5 months ago permalink

      Attachments

      1. 25,000 IPs Scanned Cisco ASA Devices — New Vulnerability Potentially Incoming
        GreyNoise observed two scanning surges against Cisco Adaptive Security Appliance (ASA) devices in late August including more than 25,000 unique IPs in a single burst. This activity represents a significant elevation above baseline, typically registering at less than 500 IPs per day.
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 26-Sep-2025 01:40:56 JST Kevin Beaumont Kevin Beaumont
      in reply to

      CISA blog on #CyberWillyWave https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices

      In conversation about 5 months ago permalink

      Attachments

      1. ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices | CISA
         This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 25-03: Identify and Mitigate Potential
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 26-Sep-2025 01:43:43 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Fixed versions, get to the ones highlighted in yellow ASAP as china goes double brr now

      In conversation about 5 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/115/265/933/972/141/050/original/400141995288364a.png
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 26-Sep-2025 01:43:44 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Cisco blog on #CyberWillyWave https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks

      In conversation about 5 months ago permalink

      Attachments

      1. Cisco Event Response: Continued Attacks Against Cisco Firewalls
    • Embed this notice
      Tom Sellers (tomsellers@infosec.exchange)'s status on Friday, 26-Sep-2025 01:47:19 JST Tom Sellers Tom Sellers
      in reply to

      @GossiTheDog It looks like CISA typo'd one of the CVEs. They use CVE-2025-30333 instead of CVE-2025-20333.

      In conversation about 5 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 26-Sep-2025 01:47:45 JST Kevin Beaumont Kevin Beaumont
      in reply to

      If you're on an unsupported ASA release you want to put it in the bin. If it didn't have secure boot, woops.

      In conversation about 5 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 26-Sep-2025 02:15:05 JST Kevin Beaumont Kevin Beaumont
      in reply to

      If anybody knows anybody at CISA, they have wrong/non-existent CVE on their executive order thingy, it's a typo that needs fixing.

      With the Cisco blog, it reads like there is no problem.. but like, RCE vuln is RCE and still a problem.

      Just because secure boot works (yay btw) doesn't mean there's no problem - of course there'll be no evidence on the box.

      #CyberWillyWave

      In conversation about 5 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 26-Sep-2025 02:30:20 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Interestingly, although the Cisco blog says the USG approached them in May 2025, the first vuln - CVE-2025-20333 - was fixed just over a year ago (around September 2024 product updates).

      Another angle to that - it suggests a whole lot of orgs don't patch Cisco ASA edge devices. Which we already know from the Akira ransomware incidents -- which were using 5 year old vulns.

      In conversation about 5 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 26-Sep-2025 03:13:01 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Just remembered I hashtagged all this #CyberWillyWave. One way to avoid being quoted in the media, unlocked!

      In conversation about 5 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 27-Sep-2025 02:26:34 JST Kevin Beaumont Kevin Beaumont
      in reply to

      I've identified a way to establish if a box is vulnerable to #CyberWillyWave and started internet scanning, 90k boxes in progress.

      Results probably at weekend if I'm bored or early next week.

      Spoiler: a lot of orgs don't patch their Cisco edge devices.

      In conversation about 5 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 27-Sep-2025 16:54:26 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Damn it, using #CyberWillyWave to hide online didn’t work

      In conversation about 5 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/115/275/178/459/791/838/original/7ca00647b8a72391.jpeg
    • Embed this notice
      OnlyMe (dezz@infosec.exchange)'s status on Saturday, 27-Sep-2025 18:07:26 JST OnlyMe OnlyMe
      in reply to

      @GossiTheDog For covert willy waving, you should use #DarkBlockchainCyberWillyWave

      In conversation about 5 months ago permalink
    • Embed this notice
      Face Thumb (chrisp@cyberplace.social)'s status on Saturday, 27-Sep-2025 19:45:10 JST Face Thumb Face Thumb
      in reply to

      @GossiTheDog Congratulations Kevina Beaumonta!

      In conversation about 5 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 29-Sep-2025 19:30:27 JST Kevin Beaumont Kevin Beaumont
      in reply to

      The good news with that one btw is it's unlikely to become a thing e-crime groups exploit as it's too technically complex, it's just nation state espionage - so the operational impact should be low.

      The bad news is that as e-crime groups become more rich, they may invest in AnyConnect exploits - if you paid something like $2m for an ASA exploit, you'd make it back no problem, even if an n-day as almost nobody patches.

      In conversation about 5 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 29-Sep-2025 19:30:29 JST Kevin Beaumont Kevin Beaumont
      in reply to

      From #CyberWillyWave scanning at weekend:

      45210 ASAs with WebVPN enabled
      1250 ASAs patched for all three CVEs
      43960 vulnerable ASAs remaining

      97.24% remain vulnerable

      Scans rerunning

      In conversation about 5 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 29-Sep-2025 19:40:30 JST Kevin Beaumont Kevin Beaumont
      in reply to

      *.gov.uk is less than 1% patched btw, many of the systems haven't been patched for years - the dates are firmware versions. The US federal government is only marginally better. I'm guessing orgs don't even know where they have ASA.

      The plan is to start publishing the data publicly since I don't think anybody has an understanding of what the real world looks like.

      In conversation about 5 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/115/287/141/512/051/041/original/0965ebd8f7ecc82c.png
    • Embed this notice
      fuzzyfuzzyfungus (fuzzyfuzzyfungus@cyberplace.social)'s status on Monday, 29-Sep-2025 22:16:17 JST fuzzyfuzzyfungus fuzzyfuzzyfungus
      in reply to

      @GossiTheDog I'm curious if any of the more offense-oriented feds are either thinking about (or have quietly already started) just unmanaged service provider-ing unpatched friendly entities.

      It'd almost certainly be legally dubious; but has to be someone at the NSA/GCHQ/etc who is just tearing their hair out knowing that someone is going to run the exploit; and if it were them they could either patch or brick to get the hole closed; while others will likely be worse.

      In conversation about 5 months ago permalink

    • Embed this notice
      penguin42 (penguin42@mastodon.org.uk)'s status on Monday, 29-Sep-2025 22:40:47 JST penguin42 penguin42
      in reply to

      @GossiTheDog I guess you could ask NCSC to comment?
      The individual councils (bexley etc) are probably impossible for anyone to push, but you'd think *someone* should be looking after justice.gov.uk

      In conversation about 5 months ago permalink

    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 01-Oct-2025 00:55:46 JST Kevin Beaumont Kevin Beaumont
      in reply to

      I had to restart the #CyberWillyWave ASA scan as my server restarted (RIP), but it looks a bit better today - approx. 10% patched now, 5 days in.

      In conversation about 5 months ago permalink
    • Embed this notice
      :linux: StarkZarn :verified: (starkzarn@infosec.exchange)'s status on Wednesday, 01-Oct-2025 01:20:09 JST :linux: StarkZarn :verified: :linux: StarkZarn :verified:
      in reply to

      @GossiTheDog where are you getting the "unauth" data from? I still haven't seen anything from Cisco or any other threat intel sources that show that.

      I look forward to your write-up/scan results/whatever. I'm just curious about the unauth portion, because that's a huge gap and the responsibility of Cisco to bear.

      In conversation about 5 months ago permalink
    • Embed this notice
      :linux: StarkZarn :verified: (starkzarn@infosec.exchange)'s status on Wednesday, 01-Oct-2025 01:26:15 JST :linux: StarkZarn :verified: :linux: StarkZarn :verified:

      @GossiTheDog
      https://www.cve.org/CVERecord?id=CVE-2025-20333

      "...could allow an authenticated, remote attacker to..."

      what am I missing?

      In conversation about 5 months ago permalink

    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 02-Oct-2025 22:00:29 JST Kevin Beaumont Kevin Beaumont
      in reply to

      My Cisco ASA firmware versions scan is now public: https://github.com/GossiTheDog/scanning/blob/main/Cisco-ASA-firmware-updates-CVE-2025-20333-CVE-2025-20363-CVE-2025-20362.csv

      Fields:
      IP,hostnames,FirmwareVersionKnown,FirmwareModifiedDate,Errors

      Dates are UK date format - DD/MM/YY

      If FirmwareModifiedDate is below */08/25 or */09/25, the device is vulnerable to #CyberWillyWave

      New scan running now, results at weekend.

      It gives you a very good indication as to how regularly orgs patch, e.g.

      In conversation about 5 months ago permalink

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/115/304/691/307/667/418/original/761e3368e93c2029.png

    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 02-Oct-2025 22:18:50 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Gotta make sure we buy magic boxes to defend against AI GenV cyber mega attacks and quantum

      In conversation about 5 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/115/304/762/391/052/245/original/3294f83637922e00.png

      2. https://cyberplace.social/system/media_attachments/files/115/304/766/639/602/655/original/3a80e14f5b39c866.png
    • Embed this notice
      Grant (gl0ck@infosec.exchange)'s status on Thursday, 02-Oct-2025 22:25:35 JST Grant Grant
      in reply to

      @GossiTheDog cheers Kev, appreciated.

      In conversation about 5 months ago permalink
    • Embed this notice
      Deejacker (deejacker@infosec.exchange)'s status on Thursday, 02-Oct-2025 23:56:26 JST Deejacker Deejacker
      in reply to

      @GossiTheDog With blockchain?

      In conversation about 5 months ago permalink
    • Embed this notice
      Jason Schwarz (jason@mastodon.lothlorien.net)'s status on Friday, 03-Oct-2025 05:38:35 JST Jason Schwarz Jason Schwarz
      in reply to

      @GossiTheDog Odd, all 5 of my units are public facing and several of them are on port 443 with SSL VPN enabled...but they didn't make the list.

      In conversation about 5 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 06-Oct-2025 06:33:18 JST Kevin Beaumont Kevin Beaumont
      in reply to

      My Cisco ASA firmware versions scan is now updated: https://github.com/GossiTheDog/scanning/blob/main/Cisco-ASA-firmware-updates-CVE-2025-20333-CVE-2025-20363-CVE-2025-20362.csv

      Fields:
      IP,hostnames,FirmwareVersionKnown,FirmwareModifiedDate,Errors

      Dates are UK date format - DD/MM/YY

      If FirmwareModifiedDate is below */08/25 or */09/25, the device is vulnerable to #CyberWillyWave as the firmware was compiled August 2025 or later.

      New scan running now, results at midweek.

      Patch rates are still below 20%.

      In conversation about 5 months ago permalink

    • Embed this notice
      Alan Miller :verified_paw: 🇺🇦 (fencepost@infosec.exchange)'s status on Monday, 06-Oct-2025 08:00:45 JST Alan Miller :verified_paw: 🇺🇦 Alan Miller :verified_paw: 🇺🇦
      in reply to

      @GossiTheDog I think you have a typo, compiled August 2025 or *earlier* (not later)

      In conversation about 5 months ago permalink
    • Embed this notice
      Alan Miller :verified_paw: 🇺🇦 (fencepost@infosec.exchange)'s status on Monday, 06-Oct-2025 08:20:31 JST Alan Miller :verified_paw: 🇺🇦 Alan Miller :verified_paw: 🇺🇦

      @GossiTheDog the way it reads right now the vulnerability is introduced in the newer firmware updates.

      In conversation about 5 months ago permalink
    • Embed this notice
      coughka_esque (coughka_esque@infosec.exchange)'s status on Wednesday, 08-Oct-2025 21:52:22 JST coughka_esque coughka_esque

      @GossiTheDog I think the FirmwareModifiedDate might use some tweaking. We patched to 16.4.85 and the compiled date is 28 August 2025. I could be missing something here, though.

      In conversation about 5 months ago permalink
    • Embed this notice
      Jernej Simončič (jernej__s@infosec.exchange)'s status on Wednesday, 08-Oct-2025 21:55:05 JST Jernej Simončič Jernej Simončič

      @GossiTheDog A client of mine (that I first notified on September 25th) finally patched after they were nudged by their upstream. Funnily enough, their firewall contractor is still running firmware from 2023 according to your scan :)

      In conversation about 5 months ago permalink
    • Embed this notice
      RichBartlett :donor: (richbartlett@infosec.exchange)'s status on Wednesday, 08-Oct-2025 22:06:15 JST RichBartlett :donor: RichBartlett :donor:

      @GossiTheDog The Guardian probably want to get on that too, given what happened last time!

      In conversation about 5 months ago permalink
    • Embed this notice
      :(){ :|:& };: (atragicending@cyberplace.social)'s status on Wednesday, 08-Oct-2025 22:16:12 JST :(){ :|:& };: :(){ :|:& };:

      @GossiTheDog Can't let HR see this, they'll be pushing for mandatory 5/5 days at the office 😢

      In conversation about 5 months ago permalink
    • Embed this notice
      System Adminihater (systemadminihater@cyberplace.social)'s status on Wednesday, 08-Oct-2025 22:21:41 JST System Adminihater System Adminihater

      @GossiTheDog Would be nice if you also listed how expensive it was just to get the firmware updates from Cisco.

      In conversation about 5 months ago permalink
    • Embed this notice
      System Adminihater (systemadminihater@cyberplace.social)'s status on Wednesday, 08-Oct-2025 22:59:06 JST System Adminihater System Adminihater

      @GossiTheDog Wrong, a billion dollars per machine. :)

      In conversation about 5 months ago permalink
    • Embed this notice
      ReadyPlayer80s (readyplayer80s@cyberplace.social)'s status on Wednesday, 08-Oct-2025 23:14:25 JST ReadyPlayer80s ReadyPlayer80s

      @GossiTheDog our intel partner just notified us of our ASA appearing in your repository. What frequency is the scan. Ours are patched now but it’s raising questions about another 3rd party 🤦🏻‍♂️

      In conversation about 5 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 09-Oct-2025 00:38:25 JST Kevin Beaumont Kevin Beaumont
      in reply to

      My Cisco ASA firmware versions scan is now updated: https://github.com/GossiTheDog/scanning/blob/main/Cisco-ASA-firmware-updates-CVE-2025-20333-CVE-2025-20363-CVE-2025-20362.csv

      Fields:
      IP,hostnames,FirmwareVersionKnown,FirmwareModifiedDate,Errors

      Dates are UK date format - DD/MM/YY

      If FirmwareModifiedDate is below */08/25 or */09/25, the device is vulnerable to #CyberWillyWave as the fixed firmware was compiled August 2025 or later.

      New scan running now, results at weekend.

      Patch rates are at 22% complete, two weeks in.

      Y'all probably want to patch.

      In conversation about 5 months ago permalink

    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 09-Oct-2025 00:39:18 JST Kevin Beaumont Kevin Beaumont
      in reply to

      If anybody is wondering, number of Cisco ASA devices with WebVPN enabled with their firmware year:

      2025 - 10570
      2024 - 12428
      2023 - 3888
      2022 - 4594
      2021 - 3951
      2020 - 2076

      The average is orgs are around 18 months behind with patching (for internet facing).

      In conversation about 5 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/115/339/292/959/787/873/original/ea526e2b0a0537ab.png
    • Embed this notice
      Rob D (robdee@cyberplace.social)'s status on Thursday, 09-Oct-2025 01:38:11 JST Rob D Rob D
      in reply to

      @GossiTheDog thanks, there’s some interesting ones in there like dc.vpn.cisco.com.

      Just to double check my understanding, the list is everything running potentially vulnerable services and you need to filter out the patched ones from the list?

      In conversation about 5 months ago permalink

    • Embed this notice
      Rob D (robdee@cyberplace.social)'s status on Thursday, 09-Oct-2025 02:32:07 JST Rob D Rob D

      @GossiTheDog thanks

      In conversation about 5 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 09-Oct-2025 04:28:33 JST Kevin Beaumont Kevin Beaumont
      in reply to

      If anybody is wondering how these scans are generated - one time @shodan search for AnyConnect boxes, export, then vibe coded scanner that fingerprints firmware creation date using the SSL applet and outputs to CSV.

      About 40% of orgs are missing from results as they are clientless.

      There’s much better ways of doing it.

      In conversation about 5 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 09-Oct-2025 20:58:21 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Those Cisco ASA vulns continue to be patched at a slow rate.

      UK orgs, sign up for the NCSC Early Warning system and actually patch your systems when notified.

      https://www.ncsc.gov.uk/section/active-cyber-defence/early-warning

      In conversation about 4 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/115/344/081/276/905/308/original/69bf3de40b098d6c.png

    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 13-Oct-2025 01:41:31 JST Kevin Beaumont Kevin Beaumont
      in reply to

      My Cisco ASA firmware versions scan is now updated: https://github.com/GossiTheDog/scanning/blob/main/Cisco-ASA-firmware-updates-CVE-2025-20333-CVE-2025-20363-CVE-2025-20362.csv

      Fields:
      IP,hostnames,FirmwareVersionKnown,FirmwareModifiedDate,Errors

      Dates are UK date format - DD/MM/YY

      If FirmwareModifiedDate is below */08/25, the device is vulnerable to #CyberWillyWave as the fixed firmware was compiled August 2025 or later.

      New scan running now, results on probably Wednesday.

      Patch rates are at 25% complete, two weeks in.

      Y'all probably want to patch.

      In conversation about 4 months ago permalink

      Attachments



      1. https://cyberplace.social/system/media_attachments/files/115/362/185/029/523/997/original/01f78d9642975241.png
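
The triage rule in the post above, written out for checking your own hosts against the published CSV; this is an added example, not part of the thread and not the author's scanner. It assumes "below */08/25" means a firmware date before 1 August 2025 and that hostnames are pipe-separated; the function names and the sample rows (documentation addresses, example domains) are constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import date, datetime

# Column order as given in the post.
FIELDS = ["IP", "hostnames", "FirmwareVersionKnown", "FirmwareModifiedDate", "Errors"]

# Assumption: "below */08/25" is read as "built before 1 August 2025".
CUTOFF = date(2025, 8, 1)

# Constructed sample rows, not taken from the real scan results.
SAMPLE_CSV = """\
IP,hostnames,FirmwareVersionKnown,FirmwareModifiedDate,Errors
192.0.2.10,vpn.example.org|*.example.org,YES,14/03/24,N/A
192.0.2.11,remote.example.org,YES,28/08/25,N/A
192.0.2.12,gw.example.net,YES,03/09/25,N/A
192.0.2.13,old.example.org,NO,N/A,timeout
198.51.100.7,vpn.example.com,YES,01/12/20,N/A
"""


def parse_uk_date(text):
    """Parse a DD/MM/YY date; return None for blanks, N/A or malformed values."""
    try:
        return datetime.strptime(text.strip(), "%d/%m/%y").date()
    except ValueError:
        return None


def classify(row):
    """Return (status, build_date) where status is vulnerable/patched/unknown."""
    known = (row.get("FirmwareVersionKnown") or "").strip().upper()
    built = parse_uk_date(row.get("FirmwareModifiedDate") or "")
    if known != "YES" or built is None:
        # No fingerprint or an unreadable date: do not guess either way.
        return "unknown", built
    return ("vulnerable" if built < CUTOFF else "patched"), built


def host_matches(hostnames, domain):
    """True if any pipe-separated name is the domain or a subdomain of it."""
    domain = domain.lower().strip(".")
    for name in hostnames.split("|"):
        name = name.strip().lower()
        if name.startswith("*."):  # wildcard certificate name
            name = name[2:]
        if name == domain or name.endswith("." + domain):
            return True
    return False


def triage(csv_text, domain):
    """List the rows that belong to `domain`, each with a derived status."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text), fieldnames=FIELDS):
        if (row.get("IP") or "").strip().upper() == "IP":
            continue  # skip a header row if the file has one
        if not host_matches(row.get("hostnames") or "", domain):
            continue
        status, built = classify(row)
        findings.append({
            "ip": row["IP"],
            "hostnames": row["hostnames"],
            "status": status,
            "built": built.isoformat() if built else None,
        })
    return findings


def summarise(findings):
    """Count findings per status."""
    return dict(Counter(f["status"] for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_CSV, "example.org")
    for f in results:
        print(f"{f['ip']:<15} {f['status']:<10} {f['built'] or '-':<10} {f['hostnames']}")
    print(summarise(results))
```

Rows reported as unknown still need checking on the device itself, since the scan could not fingerprint them.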
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 13-Oct-2025 07:12:10 JST Kevin Beaumont Kevin Beaumont
      in reply to

      Btw - one observation from the #CyberWillyWave ASA data - less devices respond each time I scan. They’re not blocking me - the devices are just offline.

      I know a few regional CERTs have been using the data to inform orgs to patch, I think what’s happening is orgs are finding they have old devices and are nuking them. I’m free attack surface management!

      In conversation about 4 months ago permalink
    • Embed this notice
      theHastyOne (ahasty@techhub.social)'s status on Thursday, 16-Oct-2025 04:21:34 JST theHastyOne theHastyOne
      in reply to

      @GossiTheDog do you share the IP you are scanning from..trying to build a correlation of what I have logged from known scanners vs possible attacks

      In conversation about 4 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 28-Oct-2025 20:50:56 JST Kevin Beaumont Kevin Beaumont
      in reply to

      An observation from CVE-2025-20333 (Cisco ASA AnyConnect vuln) - orgs just don't patch ASA.

      The patch rate is really, really poor - ransomware groups are likely going to reinvest in targeting Cisco ASA product security, even just n-days, as realistically tens of thousands of organisations are years behind with patching their edge VPN appliances -- it's an open door into the world's largest companies.

      In conversation about 4 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/115/451/631/001/422/082/original/1576692c31d183f5.png
    • Embed this notice
      Alexandre Dulaunoy (adulau@infosec.exchange)'s status on Tuesday, 28-Oct-2025 20:58:18 JST Alexandre Dulaunoy Alexandre Dulaunoy
      in reply to

      @GossiTheDog I’m just wondering are you sure of the test? I remember we got trapped in an ASA scanning script which was expecting an HTTP 200 while the patch gives a redirect but this was also a 200.

      In conversation about 4 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 07-Nov-2025 08:15:35 JST Kevin Beaumont Kevin Beaumont
      in reply to

      #CyberWillyWave

      In conversation about 4 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/115/505/289/761/044/933/original/84b8c708f1227f03.png

      2. https://cyberplace.social/system/media_attachments/files/115/505/291/235/452/482/original/c00b3efbbbeb8bd5.png
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 07-Nov-2025 08:45:19 JST Kevin Beaumont Kevin Beaumont
      in reply to

      If anybody is wondering, yes, the Congressional Budget Office Cisco AnyConnect box in the scan results was over a year behind with patching, and yes it was (and is) shut down - I understand it was the entry point of their incident. I had told them.

      In conversation about 4 months ago permalink
    • Embed this notice
      Tobias Fiebig (tfiebig@wybt.net)'s status on Friday, 07-Nov-2025 09:02:50 JST Tobias Fiebig Tobias Fiebig
      in reply to

      @GossiTheDog to be fair... the government shutdown was _not_ the issue for the 2023 one...

      In conversation about 4 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 13-Nov-2025 21:13:11 JST Kevin Beaumont Kevin Beaumont
      in reply to

      CISA are warning US government organisations they still haven't patched for #CyberWillyWave. Which is true. New scan data coming at the weekend.

      https://www.bleepingcomputer.com/news/security/cisa-warns-feds-to-fully-patch-actively-exploited-cisco-flaws/

      In conversation about 3 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 20-Nov-2025 03:43:03 JST Kevin Beaumont Kevin Beaumont
      in reply to

      New Cisco ASA #CyberWillyWave scan

      https://raw.githubusercontent.com/GossiTheDog/scanning/refs/heads/main/Cisco-ASA-firmware-updates-CVE-2025-20333-CVE-2025-20363-CVE-2025-20362.csv

      Rescan happening now too, results probably Friday.

      In conversation about 3 months ago permalink
    • Embed this notice
      gwire (gwire@mastodon.social)'s status on Thursday, 20-Nov-2025 04:02:33 JST gwire gwire
      in reply to

      @GossiTheDog You should probably add a column for "vulnerable" instead of relying on people to mentally parse a UK dd/mm/yy date.

      In conversation about 3 months ago permalink
    • Embed this notice
      gwire (gwire@mastodon.social)'s status on Thursday, 20-Nov-2025 04:48:44 JST gwire gwire

      @GossiTheDog not only is there a UK central gov domain with two vulnerable servers, they're *still* using their organisation's old domain name. So disappointing.

      In conversation about 3 months ago permalink
    • Embed this notice
      gwire (gwire@mastodon.social)'s status on Thursday, 20-Nov-2025 04:48:44 JST gwire gwire
      in reply to

      @GossiTheDog there's a UK mobile network that hasn't patched since 2020. That can't be good.

      In conversation about 3 months ago permalink
    • Embed this notice
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 24-Nov-2025 23:28:06 JST Kevin Beaumont Kevin Beaumont
      in reply to

      If anybody knows anybody at SitusAMC, they probably want to patch AnyConnect as they're on firmware from over a year ago as of today.

      root@serenity:~# cat scannyany9.txt | grep situ
      150.221.36.140,*.situsamc.com|situsamc.com,YES,14/03/24,N/A

      In conversation about 3 months ago permalink
    • Embed this notice
      Brian Clark (deepthoughts10@infosec.exchange)'s status on Wednesday, 26-Nov-2025 09:21:06 JST Brian Clark Brian Clark

      @GossiTheDog you sure they are not just blocking your scanner?

      In conversation about 3 months ago permalink


GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.