Cisco AsyncOS CVE-2025-20393 Zero-Day Exploited Against Secure Email Appliances
Cisco released fixes for a maximum-severity vulnerability in AsyncOS (tracked as CVE-2025-20393, CVSS 10.0) affecting Cisco Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. Cisco reported the issue was exploited as a zero-day in attacks against a limited subset of internet-exposed appliances, enabling attackers to execute arbitrary commands with root privileges on the underlying operating system. The flaw was attributed to insufficient HTTP request validation in the Spam Quarantine feature, allowing crafted HTTP requests to trigger root-level command execution.
Cisco and Cisco Talos attributed the exploitation activity to UAT-9686, described as a China-linked threat group, with activity observed since at least late November 2025 and detected by Cisco on December 10. Cisco stated the intrusions included deployment of a persistence mechanism to maintain control over compromised appliances, and indicated that the released software updates both remediate the vulnerability and remove related persistence mechanisms; Cisco urged affected customers to upgrade to fixed releases per the updated advisory.

How this story unfolded
Six events, listed from the most recent confirmed update back to the earliest known activity.
Cisco Talos attributes campaign to UAT-9686 and reveals tooling
With the patch release, Cisco Talos publicly attributed the intrusions to UAT-9686 and disclosed technical details of the campaign, including the use of AquaShell, AquaTunnel, AquaPurge, and Chisel. Cisco also said its investigation had found evidence of persistence on compromised appliances.
Cisco releases patches for exploited AsyncOS flaw
On January 15, 2026, Cisco released software updates for affected AsyncOS versions to fix CVE-2025-20393 in Secure Email Gateway and Secure Email and Web Manager appliances. Cisco said the updates also remove installed persistence mechanisms and urged customers to upgrade to fixed releases.
CISA adds CVE-2025-20393 to the KEV catalog
CISA added the actively exploited Cisco AsyncOS vulnerability to its Known Exploited Vulnerabilities catalog in December 2025. Federal agencies were directed to mitigate the issue on an accelerated timeline.
Cisco discloses CVE-2025-20393 and publishes workarounds
On December 17, 2025, Cisco publicly disclosed the maximum-severity AsyncOS vulnerability CVE-2025-20393 and issued an advisory with mitigations while a full fix was still unavailable. The company warned that the flaw was under active exploitation as a zero-day.
Cisco becomes aware of active attacks on CVE-2025-20393
Cisco said it first became aware on December 10, 2025 that attackers were exploiting the AsyncOS flaw in the wild. The activity included root command execution and the installation of persistence on compromised appliances.
UAT-9686 begins exploiting AsyncOS zero-day
Cisco Talos assessed that the China-linked threat group UAT-9686 had been exploiting CVE-2025-20393 against a limited subset of internet-exposed Cisco Secure Email Gateway and Secure Email and Web Manager appliances since at least late November 2025. The attacks targeted systems with the Spam Quarantine feature enabled and exposed.
Sources
Cisco patches 10.0 bug in leading AsyncOS email products | SC Media (scworld.com)
Cisco fixes AsyncOS vulnerability exploited in zero-day attacks (CVE-2025-20393) - Help Net Security (helpnetsecurity.com)
Cisco Finaly Patches Critical AsyncOS Zero-Day: CVE-2025-20393 - TheCyberThrone (thecyberthrone.in)
China-linked APT UAT-9686 abused now patched maximum severity AsyncOS bug (securityaffairs.com)
Cisco finally patches seven-week-old zero-day flaw in Secure Email Gateway products | CSO Online (csoonline.com)
Critical vulnerability in Cisco Secure Email Gateway and Secure Email and Web Manager products | Traficom (kyberturvallisuuskeskus.fi)
Cisco finally fixes max-severity bug under attack for weeks • The Register (go.theregister.com)