Your Cisco ASA Is Getting Popped Right Now. Here's How to Block It in 5 Minutes.
- Patrick Duggan
- Mar 17
- 4 min read
Updated: Apr 25
48 Vulnerabilities. 25 Advisories. One Firewall Platform.
Cisco dropped ERP-75736 on March 4. 25 advisories. 48 vulnerabilities across ASA, FMC, and FTD. Two of them are CVSS 10.0 — unauthenticated root access to your firewall management console.
That's not a security advisory. That's a resignation letter from your perimeter.
Meanwhile, UAT4356 — the state-sponsored group behind ArcaneDoor — has been exploiting ASA zero-days since September 2025. CISA issued Emergency Directive ED 25-03. GreyNoise watched 25,000 IPs scan Cisco ASA login pages in a single week. The normal baseline is 500.
If you're running Cisco ASA, you're a target right now. Not theoretically. Right now.
What's Being Exploited
The active zero-days:
| CVE | What It Does | How Bad |
| --- | --- | --- |
| CVE-2025-20362 | WebVPN auth bypass via path traversal | Critical — trivial to exploit, no auth needed |
| CVE-2025-20333 | WebVPN RCE via heap overflow | Critical — arbitrary code as root |
| CVE-2025-20363 | Related to above | Critical |
| CVE-2026-20079 | FMC auth bypass — root access | CVSS 10.0 |
| CVE-2026-20131 | FMC unauthenticated Java code execution | CVSS 10.0 |
The attackers install RayInitiator — a GRUB bootloader implant that survives reboots AND firmware upgrades. They disable your logging. They intercept your CLI commands. They crash the device to destroy forensic evidence.
This isn't script kiddies. This is a nation-state living in your firewall.
What You Can Do Right Now (5 Minutes)
Step 1: Patch
Obviously. But patching takes change control, maintenance windows, and testing. That's days or weeks. You need protection now.
Step 2: Block Known Attackers at the Perimeter
This is where most guides stop and say "consult your vendor." We're going to actually do it.
If your ASA is the perimeter device that's compromised, you need to block upstream. Use a secondary firewall, your ISP's ACL, or Cloudflare/Zscaler if you have them. Don't trust the compromised device to block its own attacker.
For OPNsense / pfSense (Secondary Firewall or Lab)
Firewall → Aliases → Add
Name: dugganusa_threat_feed
Type: URL Table (IPs)
URL: https://analytics.dugganusa.com/api/v1/stix-feed/ips.csv?api_key=YOUR_KEY
Update frequency: 1 day
Firewall → Rules → WAN → Add
Action: Block
Source: dugganusa_threat_feed
Description: DugganUSA STIX IP Blocklist
Done. Every known malicious IP in our feed — including the 25,000+ that scanned ASA login pages — blocked at your secondary perimeter. Updates automatically.
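A URL-table alias only helps if what the firewall loads is sane. The added example below (not code from this post or from DugganUSA) shows the validation a feed consumer should do before handing entries to a firewall: parse each line, reject anything that is not an address or CIDR, drop prefixes too broad to be a real indicator, and refuse private, loopback and similar ranges that a buggy or poisoned feed could use to cut you off from your own network. The CSV layout (one address or CIDR per line, optional trailing column, `#` comments), the never-block ranges and the minimum prefix lengths are assumptions; the sample feed body is constructed.

```python
"""Turn an IP blocklist feed into a validated, merged deny list.

Added example, not code from the post or from DugganUSA. The feed layout
assumed here (one address or CIDR per line, optional trailing column,
'#' comments) is an assumption, not the documented format of the live feed.
"""
import ipaddress
from typing import List, Tuple

# Ranges that must never land in a WAN deny list, whatever the feed says:
# blocking them would cut off management, VPN or upstream paths. This list
# is our own policy (an assumption); add your organisation's public prefixes.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "255.255.255.255/32",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Widest prefix accepted from a feed (assumed policy). Anything broader is
# almost certainly a feed error and would be a self-inflicted denial of service.
MIN_PREFIXLEN = {4: 8, 6: 32}

# Constructed sample feed body; a real consumer fetches this over HTTPS.
SAMPLE_FEED = """\
# constructed sample, not the live DugganUSA feed
203.0.113.7
198.51.100.0/24,scanner
198.51.100.5,scanner
10.0.0.5           # private space: must never reach a WAN deny list
127.0.0.1
2001:db8::1
not-an-ip
203.0.113.7
0.0.0.0/0
"""


def parse_feed(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (accepted networks as strings, [(line, reason) rejected])."""
    accepted = set()
    rejected: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        value = line.split(",", 1)[0].strip()    # first column is the IP/CIDR
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            rejected.append((line, "not an IP address or CIDR"))
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            rejected.append((line, f"prefix /{net.prefixlen} too broad"))
            continue
        clash = next((n for n in NEVER_BLOCK if net.overlaps(n)), None)
        if clash is not None:
            rejected.append((line, f"overlaps never-block range {clash}"))
            continue
        accepted.add(net)                        # set() also removes duplicates

    # Merge overlapping entries per address family, so the firewall loads one
    # /24 instead of the /24 plus every host the feed also listed inside it.
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses(
            [n for n in accepted if n.version == version]))
    return [str(n) for n in merged], rejected


if __name__ == "__main__":
    ok, bad = parse_feed(SAMPLE_FEED)
    print("\n".join(ok))                         # what the URL-table alias loads
    for line, reason in bad:
        print(f"rejected {line!r}: {reason}")
```

Serve the accepted list from an internal web server and point the URL-table alias at that instead of at the raw feed; the rejected lines are worth logging, because a sudden rise in them is the earliest sign that a feed has broken or been tampered with.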
For Zscaler ZIA
Administration → Threat Intelligence Feeds → Custom
URL: https://analytics.dugganusa.com/api/v1/stix-feed/ips.csv?api_key=YOUR_KEY
Polling: Every 6 hours
Now every user behind your Zscaler proxy is protected from known C2 and scanning infrastructure. The ASA might be compromised — the proxy blocks the callback.
For Splunk ES (Detection + Adaptive Response)
Settings → Data Enrichment → Threat Intelligence → Add New
URL: https://analytics.dugganusa.com/api/v1/stix-feed?format=splunk&api_key=YOUR_KEY
Polling: Every 6 hours
The ?format=splunk parameter delivers observed-data objects that Splunk ES ingests natively. No translation layer. No custom parsing. Your correlation searches start matching immediately.
Then add an adaptive response action: when a STIX indicator matches network traffic, block the source IP at the firewall via API. Autonomous. No analyst in the loop.
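As an added example (not Splunk's adaptive response framework and not DugganUSA's feed code), the following shows the matching step in plain Python: harvest IP indicators from a STIX 2.1 bundle, both from indicator patterns and from the ipv4-addr/ipv6-addr objects that observed-data points to, then evaluate connection records against them and emit one block decision per matching address, keeping the indicator id for the audit trail. The bundle, its ids and the connection records are constructed; the decision is returned rather than pushed to any firewall API, since that integration depends on the firewall in front of you.

```python
"""Match STIX 2.1 IP indicators against connection records.

Added example, not code from the post or from DugganUSA. The bundle, the
object ids and the connection records are constructed sample data.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Comparison forms that carry an address or CIDR in a STIX pattern;
# ISSUBSET is the STIX operator for "address within this CIDR".
PATTERN_RE = re.compile(r"(ipv4-addr|ipv6-addr):value\s*(=|ISSUBSET)\s*'([^']+)'")

SAMPLE_BUNDLE = {                                 # constructed sample bundle
    "type": "bundle",
    "id": "bundle--1b6b7c2e-5f0a-4d3e-9a1b-000000000000",
    "objects": [
        {"type": "indicator",
         "id": "indicator--1b6b7c2e-5f0a-4d3e-9a1b-000000000001",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.7']"},
        {"type": "indicator",
         "id": "indicator--1b6b7c2e-5f0a-4d3e-9a1b-000000000002",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value ISSUBSET '198.51.100.0/24'] OR "
                    "[domain-name:value = 'c2.example.invalid']"},
        {"type": "indicator",                    # revoked: must be ignored
         "id": "indicator--1b6b7c2e-5f0a-4d3e-9a1b-000000000003",
         "pattern_type": "stix", "revoked": True,
         "pattern": "[ipv4-addr:value = '192.0.2.99']"},
        # observed-data references cyber-observable objects via object_refs;
        # the address itself lives in the ipv6-addr object below.
        {"type": "observed-data",
         "id": "observed-data--1b6b7c2e-5f0a-4d3e-9a1b-000000000004",
         "number_observed": 3,
         "object_refs": ["ipv6-addr--1b6b7c2e-5f0a-4d3e-9a1b-000000000005"]},
        {"type": "ipv6-addr",
         "id": "ipv6-addr--1b6b7c2e-5f0a-4d3e-9a1b-000000000005",
         "value": "2001:db8::1"},
    ],
}

SAMPLE_CONNECTIONS = [                            # constructed (src, dst) pairs
    ("203.0.113.7", "192.0.2.10"),        # scanner hitting our WebVPN address
    ("198.51.100.44", "192.0.2.10"),      # inside the indicator's /24
    ("2001:db8:ffff::5", "2001:db8::1"),  # internal host calling out to C2
    ("192.0.2.99", "192.0.2.10"),         # only a revoked indicator: ignored
    ("203.0.113.7", "192.0.2.11"),        # repeat source: one decision only
]


def networks_from_bundle(bundle: dict) -> Dict[object, str]:
    """Map each network/address to the id of the STIX object that supplied it."""
    found: Dict[object, str] = {}
    for obj in bundle.get("objects", []):
        kind = obj.get("type")
        values: List[str] = []
        if kind == "indicator" and not obj.get("revoked", False):
            values = [v for _, _, v in PATTERN_RE.findall(obj.get("pattern", ""))]
        elif kind in ("ipv4-addr", "ipv6-addr"):
            values = [obj.get("value", "")]
        for value in values:
            try:
                found[ipaddress.ip_network(value, strict=False)] = obj["id"]
            except ValueError:
                pass          # malformed value: skip it, don't fail the feed
    return found


def match_connections(found: Dict[object, str],
                      connections: Iterable[Tuple[str, str]]) -> List[dict]:
    """Return one block decision per distinct matching address.

    A hit on the source is an inbound attacker (e.g. WebVPN scanning); a hit
    on the destination is an outbound callback from inside, which is the
    case that matters once the ASA itself is compromised.
    """
    decisions: Dict[str, dict] = {}
    for src, dst in connections:
        for role, ip in (("inbound", src), ("outbound", dst)):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue      # malformed log field
            hit = next((sid for net, sid in found.items()
                        if net.version == addr.version and addr in net), None)
            if hit is None or ip in decisions:
                continue
            decisions[ip] = {"block": ip, "direction": role,
                             "peer": dst if role == "inbound" else src,
                             "indicator": hit}
    return list(decisions.values())


if __name__ == "__main__":
    for d in match_connections(networks_from_bundle(SAMPLE_BUNDLE), SAMPLE_CONNECTIONS):
        print(d)
```

The `direction` field is the detail an autonomous block action needs: an inbound hit blocks the remote source, while an outbound hit means a host behind the firewall is already talking to listed infrastructure and should be isolated, not just denied at the edge.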
For Palo Alto NGFW (If You Have One Behind the ASA)
Objects → External Dynamic Lists → Add
Name: DugganUSA-STIX-IPs
Type: IP List
Source: https://analytics.dugganusa.com/api/v1/stix-feed/ips.csv?api_key=YOUR_KEY
Repeat: Hourly
Policies → Security → Add Rule
Source Zone: Untrust
Destination: Any
Source Address: DugganUSA-STIX-IPs
Action: Deny
Log: Yes
Your Palo Alto blocks every known attacker IP before traffic reaches the vulnerable ASA.
For Cisco ISE (If You're Full Cisco Shop)
Use pxGrid + Threat Intelligence Director to ingest our STIX feed via TAXII 2.1:
Discovery: https://analytics.dugganusa.com/api/v1/stix-feed/taxii2?api_key=YOUR_KEY
ISE pushes policy to the ASA to quarantine matching traffic. You're using Cisco to protect Cisco.
For Any SIEM That Speaks TAXII 2.1
QRadar, Sentinel, Chronicle, Elastic, TheHive, OpenCTI, MISP:
Discovery: https://analytics.dugganusa.com/api/v1/stix-feed/taxii2
Auth: Bearer YOUR_API_KEY
What's In the Feed
Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily. Get the DugganUSA STIX feed — $9/mo →
1,014,994 indicators as of this morning. Including:
Known ASA scanning IPs from GreyNoise intelligence
UAT4356/ArcaneDoor infrastructure
Handala/Iran MOIS C2 addresses (the group that just wiped 200K Stryker devices)
Russian exploit infrastructure (PROSPERO OOO — 83% of Ivanti zero-day attacks)
ThreatFox malware hashes, domains, and URLs
DugganUSA honeypot data — what's actively hitting us
Updated continuously. Not daily. Not weekly. Continuously.
The Uncomfortable Truth About Your ASA
Your Cisco ASA is a firewall. It sits at the perimeter. It's supposed to protect everything behind it.
When the firewall itself is compromised, the perimeter doesn't exist anymore. RayInitiator lives in the bootloader. It survives firmware upgrades. The attacker is inside the wall.
Blocking known attacker infrastructure from a second device — a different vendor, a different path — is not defense in depth. It's common sense. Don't trust one device to protect you from everything, especially when that device is the target.
A URL that your secondary firewall can read. A CSV of known bad IPs. Updated every hour. That's what we sell.
Pricing
Free: Register at analytics.dugganusa.com/stix/register — 1 query/day. Enough to check manually.
Starter ($9/month): 500 queries/day. Enough for one SIEM polling every 6 hours.
Professional ($29/month): 5,000 queries/day. Multiple tools, hourly polling.
Enterprise ($499/month): Unlimited. SLA. Dedicated support. Splunk ES native format. We answer the phone.
Pricing: analytics.dugganusa.com/stix/pricing
Code NOTAFAKE for 20% off any tier.
Your ASA is getting popped. The question is whether you find out from your SIEM or from the news.
Need Help?
Tell us what you're running — ASA version, SIEM, secondary firewall — and we'll tell you exactly how to configure the feed. Usually within hours. Two people in Minneapolis who actually care whether your firewall is compromised.
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
The cheapest, fastest, most accurate threat feed on the internet.
275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor’s sales demo.