Cisco AsyncOS CVE-2025-20393 Zero-Day Exploited Against Secure Email Appliances
Cisco released fixes for a maximum-severity vulnerability in AsyncOS (tracked as CVE-2025-20393, CVSS 10.0) affecting Cisco Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. Cisco reported the issue was exploited as a zero-day in attacks against a limited subset of internet-exposed appliances, enabling attackers to execute arbitrary commands with root privileges on the underlying operating system. The flaw was attributed to insufficient HTTP request validation in the Spam Quarantine feature, allowing crafted HTTP requests to trigger root-level command execution.
Cisco and Cisco Talos attributed the exploitation activity to UAT-9686, described as a China-linked threat group, with activity observed since at least late November 2025 and detected by Cisco on December 10. Cisco stated the intrusions included deployment of a persistence mechanism to maintain control over compromised appliances, and indicated that the released software updates both remediate the vulnerability and remove related persistence mechanisms; Cisco urged affected customers to upgrade to fixed releases per the updated advisory.
Related Stories
Critical Zero-Day Exploitation of Cisco Security Appliances
Multiple critical zero-day vulnerabilities have been exploited in Cisco security products, targeting both email security appliances and network firewalls. A China-linked APT, identified as UAT-9686, exploited a zero-day vulnerability (CVE-2025-20393) in Cisco email security appliances running AsyncOS, specifically when the Spam Quarantine feature is internet-accessible. This flaw allows attackers to gain root privileges, posing a severe risk to organizations relying on these appliances for email protection. In parallel, Cisco Secure Firewall Adaptive Security Appliance (ASA) and Threat Defense (FTD) software have been targeted by a separate espionage campaign, linked to the ArcaneDoor threat actor, exploiting multiple zero-days (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363) to achieve unauthenticated remote code execution and persistent access, even after system reboots or upgrades. These campaigns have prompted emergency directives from CISA and highlight the ongoing threat to perimeter network devices. Attackers have leveraged these vulnerabilities to establish persistent footholds, manipulate device memory, and potentially pivot deeper into victim networks. The vulnerabilities affecting ASA and FTD firewalls were publicly disclosed and patched, but the email security appliance zero-day remains unpatched, increasing the urgency for organizations to review their exposure and apply mitigations where possible.
Targeted Exploitation of Cisco Secure Email Gateway and Web Manager by UAT-9686
Cisco has confirmed that a sophisticated cyberattack campaign is actively targeting a subset of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances running AsyncOS Software. The attackers are exploiting a critical vulnerability, tracked as CVE-2025-20393, which allows them to execute arbitrary commands with root privileges on affected systems. Cisco's investigation has revealed that the threat actors have deployed a persistence mechanism to maintain control over compromised appliances, and there are currently no available workarounds. Customers are strongly advised to follow Cisco's mitigation guidance to assess exposure and reduce risk. Cisco Talos has attributed this campaign to a Chinese-nexus advanced persistent threat (APT) group, tracked as UAT-9686. The attackers have deployed a custom Python-based backdoor called "AquaShell," along with additional tools for reverse tunneling and log purging, such as AquaTunnel and AquaPurge. The campaign has been ongoing since at least late November 2025 and primarily affects appliances with non-standard configurations exposed to the internet. The attack highlights the importance of securing management interfaces and promptly applying vendor-recommended mitigations to prevent further compromise.
Critical Vulnerability in Cisco Secure Email Products Added to CISA KEV Catalog
A critical vulnerability, tracked as CVE-2025-20393, has been identified in Cisco Secure Email Gateway and Cisco Secure Email and Web Manager products running any version of AsyncOS with the Spam Quarantine feature enabled and exposed to the internet. Cisco released a security advisory detailing the flaw and urging administrators to review its recommendations and apply the necessary updates to mitigate the risk. The vulnerability stems from improper input validation and could be exploited by malicious actors to compromise affected systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. Federal agencies are required to remediate this vulnerability by the specified deadline, and CISA strongly encourages all organizations to prioritize patching to reduce exposure to cyberattacks. The inclusion of this vulnerability in the KEV Catalog highlights its significance as a frequent attack vector and underscores the urgent need for remediation across both the public and private sectors.