Critical Zero-Day Exploitation of Cisco Security Appliances
Multiple critical zero-day vulnerabilities have been exploited in Cisco security products, targeting both email security appliances and network firewalls. A China-linked APT, identified as UAT-9686, exploited a zero-day vulnerability (CVE-2025-20393) in Cisco email security appliances running AsyncOS, specifically when the Spam Quarantine feature is internet-accessible. This flaw allows attackers to gain root privileges, posing a severe risk to organizations relying on these appliances for email protection. In parallel, Cisco Secure Firewall Adaptive Security Appliance (ASA) and Threat Defense (FTD) software have been targeted by a separate espionage campaign, linked to the ArcaneDoor threat actor, exploiting multiple zero-days (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363) to achieve unauthenticated remote code execution and persistent access, even after system reboots or upgrades.
These campaigns have prompted emergency directives from CISA and highlight the ongoing threat to perimeter network devices. Attackers have leveraged these vulnerabilities to establish persistent footholds, manipulate device memory, and potentially pivot deeper into victim networks. The vulnerabilities affecting ASA and FTD firewalls were publicly disclosed and patched, but the email security appliance zero-day remains unpatched, increasing the urgency for organizations to review their exposure and apply mitigations where possible.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Cisco discloses email appliance zero-day with no patch available
On Dec. 17, Cisco publicly disclosed CVE-2025-20393, a critical 10.0-severity zero-day affecting email security appliances, and said no patch was yet available. The company advised customers to identify exposed systems and take Spam Quarantine offline while a permanent fix was being developed.
GreyNoise observes mass brute-force campaign against VPNs
GreyNoise detected an automated credential-spraying campaign from more than 10,000 IP addresses that generated over 1.7 million authentication sessions against Palo Alto GlobalProtect VPNs before shifting to Cisco SSL VPNs. The activity was assessed as large-scale brute forcing to identify weakly protected edge systems.
Attackers deploy Aqua malware and Chisel in Cisco email campaign
In the email appliance intrusions, the threat actor used the zero-day to run system commands and deploy tooling including Chisel and the Aqua malware family — AquaShell, AquaPurge, and AquaTunnel — to maintain access and evade detection. Cisco Talos noted overlaps with Chinese threat groups including APT41 and UNC5174.
Cisco email appliance zero-day exploitation starts
Cisco Talos said a separate threat actor, UAT-9686, had been exploiting CVE-2025-20393 in Cisco email security appliances since at least late November 2025. The zero-day affects AsyncOS systems with Spam Quarantine enabled and Internet-exposed, allowing root-level command execution.
Cisco and CISA issue emergency guidance on ArcaneDoor
Cisco released security advisories and CISA issued Emergency Directive 25-03 requiring immediate remediation for the ArcaneDoor firewall zero-days. Security vendors, including FortiGuard, also published detection and mitigation guidance for affected organizations.
ArcaneDoor exploitation begins against Cisco ASA and FTD firewalls
A campaign tracked as ArcaneDoor began actively exploiting three Cisco firewall zero-days — CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363 — to achieve unauthenticated remote code execution and persistent access on ASA and FTD devices. The activity was attributed to UAT4356/Storm-1849 and described as espionage-focused targeting of perimeter network infrastructure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cisco AsyncOS CVE-2025-20393 Zero-Day Exploited Against Secure Email Appliances
Cisco released fixes for a maximum-severity vulnerability in *AsyncOS* (tracked as **CVE-2025-20393**, **CVSS 10.0**) affecting **Cisco Secure Email Gateway (SEG)** and **Secure Email and Web Manager (SEWM)** appliances. Cisco reported the issue was exploited as a zero-day in attacks against a limited subset of internet-exposed appliances, enabling attackers to execute arbitrary commands with **root** privileges on the underlying operating system. The flaw was attributed to insufficient HTTP request validation in the **Spam Quarantine** feature, allowing crafted HTTP requests to trigger root-level command execution. Cisco and Cisco Talos attributed the exploitation activity to **UAT-9686**, described as a China-linked threat group, with activity observed since at least late November 2025 and detected by Cisco on December 10. Cisco stated the intrusions included deployment of a **persistence mechanism** to maintain control over compromised appliances, and indicated that the released software updates both remediate the vulnerability and remove related persistence mechanisms; Cisco urged affected customers to upgrade to fixed releases per the updated advisory.
Apr 14, 2026
Critical Remote Code Execution and Authorization Bypass Vulnerabilities in Cisco ASA and FTD WebVPN
Multiple critical vulnerabilities have been discovered in the Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) WebVPN components, which are being actively exploited in the wild. The vulnerabilities, identified as CVE-2025-20362, CVE-2025-20333, and CVE-2025-20363, allow attackers to bypass authentication and achieve remote code execution (RCE) as root on affected devices. CVE-2025-20362 is an unauthenticated authorization bypass that enables attackers to access restricted endpoints without valid credentials, serving as a key component in exploit chains. When combined with CVE-2025-20333, attackers can send malicious HTTPS requests to execute arbitrary code as root, even without prior authentication. CVE-2025-20363 is a related flaw that also enables unauthenticated RCE on ASA/FTD devices and authenticated RCE on some Cisco IOS components. These vulnerabilities affect Cisco ASA versions 9.16 through 9.23 and Cisco FTD versions 7.0 through 7.7, with specific software images requiring validation against Cisco advisories. Cisco and CISA have confirmed active exploitation and widespread scanning for these vulnerabilities, prompting CISA to issue Emergency Directive 25-03 on September 25, 2025, mandating immediate action by federal agencies. The threat actor responsible for these attacks is attributed to the same group behind the ArcaneDoor (UAT4356) state-sponsored espionage campaign first observed in 2024. Organizations are urged to patch or upgrade to Cisco’s fixed releases without delay, and to restrict or disable vulnerable devices if immediate upgrades are not possible. Compromised devices should be isolated and thoroughly investigated for signs of threat actor presence. Cisco has provided detailed guidance for detection, and CISA’s Malware Next Generation tool can be used to hunt for indicators of compromise. Security researchers, including Rapid7, have published technical analyses and exploit chains demonstrating the severity and ease of exploitation. The vulnerabilities are considered highly critical due to their unauthenticated nature and the potential for full device compromise, which could lead to further lateral movement within affected networks. The rapid response from both Cisco and CISA underscores the urgency and scale of the threat. Organizations using Cisco ASA or FTD devices should assume exposure if running affected versions and prioritize remediation. The vulnerabilities highlight the ongoing targeting of network edge devices by sophisticated threat actors, particularly those engaged in espionage. Failure to address these vulnerabilities could result in significant operational disruption and data compromise. The security community continues to monitor for new exploitation techniques and advises ongoing vigilance. The release of proof-of-concept code and active scanning increases the risk of opportunistic attacks by additional threat actors. Timely patching and adherence to Cisco and CISA recommendations are essential to mitigate risk from these critical vulnerabilities.
Mar 21, 2026
Exploitation of Cisco ASA and FTD Zero-Day Vulnerabilities by Storm-1849
Cisco confirmed that attackers have been actively exploiting two zero-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, in Cisco Secure Firewall Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. These vulnerabilities allow attackers to execute arbitrary code as root and access restricted URLs without authentication, leading to device reloads and denial-of-service (DoS) conditions. The U.K. National Cyber Security Centre (NCSC) and Cisco have linked these exploits to malware campaigns involving RayInitiator and LINE VIPER, and have urged immediate patching. Security advisories highlight that unpatched devices are at risk of persistent compromise, and recommend comprehensive remediation steps including patching, forensic analysis, and resetting credentials. Threat intelligence reports attribute the exploitation campaign to the China-linked group Storm-1849 (ArcaneDoor), which targeted U.S. financial institutions, defense contractors, and military organizations throughout October. Despite public disclosure and patch directives from CISA, attacks continued, demonstrating the attackers' operational sophistication and persistence. Experts warn that organizations running unpatched ASA devices should assume compromise and prioritize forensic hunting for ROM-level malware, as well as implement robust monitoring and maintenance practices to mitigate ongoing risks.
Apr 25, 2026