Emerging Threathighexperimental

Cisco ASA Exploitation Activity - Proxy

Detects suspicious requests to Cisco ASA WebVpn via proxy logs associated with CVE-2025-20333 and CVE-2025-20362 exploitation.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Thu Nov 2015697955-6a29-47ca-92e9-0e05efae32602025

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Proxy Log

CategoryProxy Log← raw: proxy

Detection Logic

detection:
    selection:
        cs-method: 'GET'
        cs-uri-stem:
            - '/+CSCOU+/MacTunnelStart.jar'
            - '/+CSCOL+/csvrloader64.cab'
            - '/+CSCOL+/csvrloader.jar'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

x.com

MITRE ATT&CK

Tactics

TA0001 · Initial Access

Techniques

T1190 · Exploit Public-Facing Application

Other

cve.2025-20333cve.2025-20362detection.emerging-threats

Rule Metadata

Rule ID

15697955-6a29-47ca-92e9-0e05efae3260

Status

experimental

Level

high

Type

Emerging Threat

Created

Thu Nov 20

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules-emerging-threats/2025/Exploits/CVE-2025-20333/proxy_exploit_cve_2025_20333.yml

Raw Tags

attack.initial-accessattack.t1190cve.2025-20333cve.2025-20362detection.emerging-threats

View on GitHub