Cisco ASA Exploitation Activity - Proxy
Detects suspicious requests to Cisco ASA WebVpn via proxy logs associated with CVE-2025-20333 and CVE-2025-20362 exploitation.
Sigma rule

```yaml
title: Cisco ASA Exploitation Activity - Proxy
id: 15697955-6a29-47ca-92e9-0e05efae3260
status: experimental
description: |
    Detects suspicious requests to Cisco ASA WebVpn via proxy logs associated with CVE-2025-20333 and CVE-2025-20362 exploitation.
references:
    - https://x.com/defusedcyber/status/1971492272966598683
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-20
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2025-20333
    - cve.2025-20362
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        cs-uri-stem:
            - '/+CSCOU+/MacTunnelStart.jar'
            - '/+CSCOL+/csvrloader64.cab'
            - '/+CSCOL+/csvrloader.jar'
    condition: selection
falsepositives:
    - Unknown
level: high
```
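The selection above is a plain AND of two fields: the request method must be GET and the URI stem (path only, no query string) must equal one of three literal paths. The following is an added example, not part of the Sigma rule or the Sigma project, that applies that selection to constructed W3C-style proxy log lines. Sigma string comparison is case-insensitive unless the `cased` modifier is used, so the comparison is done on lowercased values. The `decode` option percent-decodes the path before comparing; that goes beyond the rule as written and is an assumption about proxies that log the raw request line rather than a normalised path. The `#Fields:` header, the field names and every log line are constructed for illustration.

```python
"""Apply the Sigma selection above to constructed proxy log lines.

Added example: not code from the Sigma rule or the Sigma project.
The log format and all sample lines are constructed for illustration.
"""
from urllib.parse import unquote

# Indicator paths copied verbatim from the rule's cs-uri-stem list.
CSCO_URI_STEMS = (
    "/+CSCOU+/MacTunnelStart.jar",
    "/+CSCOL+/csvrloader64.cab",
    "/+CSCOL+/csvrloader.jar",
)

# Constructed W3C extended log sample (not real traffic). Field names follow
# the cs-/c-/sc- convention the rule's logsource uses.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-11-20 10:01:02 10.0.0.5 GET /+CSCOE+/logon.html - 200
2025-11-20 10:01:07 10.0.0.5 GET /+CSCOU+/MacTunnelStart.jar - 200
2025-11-20 10:01:09 10.0.0.7 POST /+CSCOL+/csvrloader64.cab - 405
2025-11-20 10:01:11 10.0.0.9 GET /+cscol+/CSVRLOADER.JAR - 200
2025-11-20 10:01:15 10.0.0.9 GET /%2BCSCOL%2B/csvrloader64.cab - 200
2025-11-20 10:01:20 10.0.0.11 GET /index.html - 200
"""


def parse_w3c(text):
    """Parse a W3C extended log into dicts keyed by the '#Fields:' names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split())))
    return records


def matches_rule(rec, decode=False):
    """The rule's 'selection': cs-method == GET AND cs-uri-stem in the list.

    Sigma compares strings case-insensitively by default, hence lower().
    decode=True is an extension beyond the rule: it percent-decodes the
    path first, for proxies that log the raw request path (assumption).
    """
    method = rec.get("cs-method", "").lower()
    stem = rec.get("cs-uri-stem", "")
    if decode:
        stem = unquote(stem)
    return method == "get" and stem.lower() in {s.lower() for s in CSCO_URI_STEMS}


def run(text, decode=False):
    """Return the records from a W3C log that the selection matches."""
    return [r for r in parse_w3c(text) if matches_rule(r, decode=decode)]


if __name__ == "__main__":
    for hit in run(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-method"], hit["cs-uri-stem"])
```

Run as written, the rule fires on two of the six sample lines: the exact path and the mixed-case path (both GET). The POST to an indicator path and the percent-encoded path do not match; the latter only matches with `decode=True`. The rule lists false positives as Unknown, so before treating a hit as exploitation, check which host served the path (`cs-host`/destination in your proxy schema) against your inventory of ASA devices and look at what the same client did before and after the request.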
Related rules
- Apache Spark Shell Command Injection - ProcessCreation
- Atlassian Confluence CVE-2022-26134
- OMIGOD HTTP No Authentication RCE - CVE-2021-38647
- Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
- Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process