Cisco has issued a serious warning after discovering active cyberattacks exploiting a zero-day vulnerability in its AsyncOS software, which powers Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager (SEWM) appliances. The flaw is already being abused in real-world attacks, making it a high-risk issue for organizations using these products.
The vulnerability, tracked as CVE-2025-20393, has been assigned the maximum CVSS score of 10.0, indicating critical severity. According to Cisco, the flaw allows attackers to gain root-level access and run arbitrary commands on affected systems.
Cisco confirmed that the attacks are being carried out by a China-linked advanced persistent threat (APT) group identified as UAT-9686. The company detected the intrusion campaign on December 10, 2025, but evidence suggests exploitation began as early as late November 2025.
The attackers targeted a limited number of Cisco appliances, mainly those with specific ports exposed to the internet. While Cisco has not disclosed how many customers are affected, the confirmed active exploitation makes this a serious concern for enterprises worldwide.
In its advisory, Cisco stated that the attackers were able to execute commands with full root privileges, giving them deep control over compromised devices. Even more concerning, investigators found evidence that the attackers installed persistent backdoors, allowing them to maintain long-term access.
CVE-2025-20393 is caused by improper input validation in Cisco AsyncOS. This weakness allows threat actors to send specially crafted requests that the system fails to properly sanitize, resulting in privilege escalation and remote command execution.
Importantly, all versions of Cisco AsyncOS are affected. However, successful exploitation requires two specific conditions to be met:
- The Spam Quarantine feature must be enabled
- The Spam Quarantine service must be accessible from the internet
Cisco noted that Spam Quarantine is not enabled by default, which reduces risk for some users. Still, organizations that enabled the feature without restricting internet access are particularly vulnerable.
Cisco advised administrators to verify whether the Spam Quarantine feature is active by following these steps:
1. Log in to the web management interface.
2. Navigate to:
   - Network > IP Interfaces (for Secure Email Gateway), or
   - Management Appliance > Network > IP Interfaces (for Secure Email and Web Manager)
3. Select the interface used for Spam Quarantine.
4. Check whether the Spam Quarantine option is enabled.
If it is enabled and exposed externally, immediate action is required.
Cisco’s investigation revealed that UAT-9686 deployed multiple malicious tools after exploiting the zero-day vulnerability. These include:
- ReverseSSH (AquaTunnel) – a tunneling tool used to maintain remote access
- Chisel – another tunneling utility for bypassing network controls
- AquaPurge – a log-cleaning tool used to hide attacker activity
The use of AquaTunnel is significant, as it has previously been linked to well-known Chinese hacking groups such as APT41 and UNC5174.
Attackers also deployed a custom Python-based backdoor named AquaShell. This lightweight backdoor listens for unauthenticated HTTP POST requests containing specially encoded data. Once received, it decodes the data and executes commands directly on the system shell.
This method allows attackers to operate stealthily while avoiding traditional authentication controls.
At the time of disclosure, no security patch is available for CVE-2025-20393. Until Cisco releases a fix, organizations are urged to apply strong mitigation measures to reduce exposure.
Cisco recommends the following actions:
- Restrict internet access to the appliance using a firewall
- Allow traffic only from trusted IP addresses
- Place mail and management services on separate network interfaces
- Monitor web and system logs for unusual or suspicious activity
- Disable HTTP access for the main administrator portal
- Turn off any unused network services
- Use strong authentication methods such as SAML or LDAP
- Change the default administrator password immediately
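Two of these mitigations, allowing only trusted sources and monitoring the web logs, can be checked with a short triage script. The following is an added example, not Cisco's code and not from the article: it parses constructed access-log lines in a generic format (the real AsyncOS log format, field names, trusted ranges and the quarantine port number are all assumptions here), reports which sources reaching the quarantine port fall outside an allowlist, and flags unauthenticated POST requests whose entire body is an opaque base64-style blob, the request shape the article attributes to the AquaShell backdoor.

```python
"""Added example (not Cisco's code, not from the article).

Applies two of the mitigations above to constructed sample data:
  * allowlist check: which sources reaching the Spam Quarantine port fall
    outside the trusted ranges ("allow traffic only from trusted IP addresses");
  * POST-anomaly check: unauthenticated POST requests whose body is an opaque
    base64-style blob, the request shape the article attributes to AquaShell.
Log format, field names, trusted ranges and the port number are assumptions,
not AsyncOS specifics; read the real format off your appliance's web logs.
"""
import base64
import ipaddress
import re
from collections import Counter

# Assumed placeholder values: adjust to the appliance's real interface settings.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]
QUARANTINE_PORT = 8443


def _b64(text: str) -> str:
    """Helper used only to build the constructed sample bodies below."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample lines: src:port ident user [time] "request" status size "body"
SAMPLE_LOG = "\n".join([
    '10.1.2.3:8443 - alice [12/Dec/2025:09:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-"',
    '10.1.2.3:8443 - alice [12/Dec/2025:09:00:05 +0000] "POST /login HTTP/1.1" 302 0 "username=alice&password=REDACTED"',
    f'198.51.100.77:8443 - - [12/Dec/2025:09:02:11 +0000] "POST /cgi/x HTTP/1.1" 200 17 "{_b64("constructed sample payload 1")}"',
    f'198.51.100.77:8443 - - [12/Dec/2025:09:02:40 +0000] "POST /cgi/x HTTP/1.1" 200 91 "{_b64("constructed sample payload 2")}"',
    '203.0.113.9:8443 - - [12/Dec/2025:09:05:00 +0000] "GET /Search HTTP/1.1" 403 0 "-"',
])

LINE_RE = re.compile(
    r'^(?P<src>[^:\s]+):(?P<port>\d+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+) "(?P<body>[^"]*)"$'
)
# Whole body made of base64 alphabet characters with at most two padding chars.
ENCODED_RE = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted(ip: str) -> bool:
    """True if the source address is inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def looks_encoded(body: str) -> bool:
    """Heuristic: the entire body is a syntactically valid base64 blob.

    Normal form posts ("a=1&b=2") fail the character-class test, so this only
    fires on opaque payloads; it is a lead for investigation, not proof.
    """
    if not ENCODED_RE.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def triage(log_text: str) -> dict:
    """Scan quarantine-port traffic for untrusted sources and suspicious POSTs."""
    untrusted = Counter()
    suspicious = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or int(rec["port"]) != QUARANTINE_PORT:
            continue
        if not is_trusted(rec["src"]):
            untrusted[rec["src"]] += 1
        if rec["method"] == "POST" and rec["user"] == "-" and looks_encoded(rec["body"]):
            suspicious.append({"src": rec["src"], "path": rec["path"], "ts": rec["ts"]})
    return {"untrusted_sources": untrusted, "suspicious_posts": suspicious}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for src, n in result["untrusted_sources"].most_common():
        print(f"untrusted source {src}: {n} request(s) to port {QUARANTINE_PORT}")
    for hit in result["suspicious_posts"]:
        print(f"suspicious unauthenticated POST {hit['path']} from {hit['src']} at {hit['ts']}")
```

On the constructed sample the script reports two untrusted sources and two suspicious POSTs, both from the same address. The allowlist finding is the actionable one: any request to the quarantine port from outside the trusted ranges means the firewall restriction Cisco recommends is not in place. The base64 heuristic is deliberately narrow; an authenticated form post never trips it, so a hit is a request worth pulling the full session for, not automatic evidence of compromise.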
Cisco emphasized that if an appliance is confirmed to be compromised, rebuilding the system from scratch is currently the only way to fully remove the attacker’s persistence mechanisms.
The severity of the threat has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog.
This action requires Federal Civilian Executive Branch (FCEB) agencies to apply mitigations by December 24, 2025, highlighting the urgency and national security impact of the issue.
In a related development, threat intelligence firm GreyNoise reported a sharp increase in automated credential-based attacks targeting enterprise VPN systems.
According to the report:
- Over 10,000 unique IP addresses targeted Palo Alto Networks GlobalProtect VPN portals
- Attacks focused on portals in the U.S., Pakistan, and Mexico
- A similar spike was observed against Cisco SSL VPN endpoints
- More than 1,273 IP addresses were involved in Cisco-focused attempts
GreyNoise clarified that these were large-scale brute-force login attempts, not vulnerability exploitation. However, the activity shows how attackers are aggressively targeting exposed network infrastructure using common username and password combinations.
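The distinction GreyNoise draws matters for detection: a per-source failed-login threshold catches one noisy address, but not 10,000 addresses making a handful of attempts each. The script below is an added example, not code from GreyNoise, Cisco or the article; it runs both views over constructed VPN authentication log lines (the line format and the thresholds are assumptions) and shows that only the per-account distinct-source count flags the distributed campaign.

```python
"""Added example (not GreyNoise's or Cisco's code, not from the article).

Shows why a per-IP failed-login threshold misses a campaign in which many
addresses each make only a few attempts, and how counting distinct failing
sources per account catches it. The log format is constructed; map ATTEMPT_RE
onto your VPN's real authentication log before use.
"""
import re
from collections import Counter, defaultdict

# One constructed line per attempt: "... user=<name> src=<ip> result=ok|fail"
ATTEMPT_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")

SAMPLE_AUTH_LOG = "\n".join(
    # One noisy source cycling through guessed usernames (classic brute force).
    [f"2025-12-12T10:00:0{i}Z vpn-portal auth user={u} src=203.0.113.5 result=fail"
     for i, u in enumerate(["admin", "test", "guest", "support", "user", "info"])]
    # Many sources, one attempt each, all against the same account (spraying).
    + [f"2025-12-12T10:01:{i:02d}Z vpn-portal auth user=admin src=198.51.100.{i} result=fail"
       for i in range(1, 9)]
    # Normal successful logins from inside the internal range.
    + ["2025-12-12T10:02:00Z vpn-portal auth user=alice src=10.2.2.2 result=ok",
       "2025-12-12T10:02:30Z vpn-portal auth user=bob src=10.2.2.3 result=ok"]
)


def parse_attempts(lines):
    """Yield (user, src, result) tuples, skipping lines that do not match."""
    for line in lines:
        m = ATTEMPT_RE.search(line)
        if m:
            yield m.group("user"), m.group("src"), m.group("result")


def summarize(lines):
    """Count failures per source and collect the distinct failing sources per account."""
    fails_by_ip = Counter()
    failing_sources_by_user = defaultdict(set)
    for user, src, result in parse_attempts(lines):
        if result == "fail":
            fails_by_ip[src] += 1
            failing_sources_by_user[user].add(src)
    return fails_by_ip, failing_sources_by_user


def detect(lines, per_ip_threshold=5, spray_threshold=5):
    """Return the noisy sources (per-IP view) and the sprayed accounts (per-account view).

    Thresholds are assumed placeholders; tune them to the portal's normal
    failure rate and add a time window in production.
    """
    fails_by_ip, failing_sources_by_user = summarize(lines)
    return {
        # Per-IP view: catches the single loud source, misses the spray sources,
        # each of which fails only once.
        "brute_force_sources": sorted(
            ip for ip, n in fails_by_ip.items() if n >= per_ip_threshold),
        # Per-account view: catches the distributed campaign regardless of how
        # many addresses it is spread across.
        "sprayed_accounts": sorted(
            user for user, srcs in failing_sources_by_user.items()
            if len(srcs) >= spray_threshold),
    }


if __name__ == "__main__":
    findings = detect(SAMPLE_AUTH_LOG.splitlines())
    print("sources over the per-IP threshold:", findings["brute_force_sources"])
    print("accounts attacked from many sources:", findings["sprayed_accounts"])
```

On the constructed data the per-IP view flags only 203.0.113.5, while every spraying address stays under the threshold with a single failure; the per-account view flags `admin` because nine distinct sources failed against it. Both views are needed, and the sprayed-account list is the one to feed back into the allowlist and lockout policy for the exposed portal.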
The active exploitation of CVE-2025-20393 highlights the growing risks facing email security infrastructure, especially when management interfaces are exposed to the internet. With no patch available yet, organizations using Cisco AsyncOS-based appliances must act immediately to reduce exposure and monitor for signs of compromise.
This incident also reinforces a key cybersecurity lesson: even optional features can become critical attack paths if misconfigured. Proactive hardening, network segmentation, and continuous monitoring remain essential defenses against advanced threat actors.