


Perceptive Security
SOC/SIEM Consultancy

Cisco warns of unpatched AsyncOS zero-day exploited in attacks
Published:
17 December 2025 at 18:45:36
Alert date:
17 December 2025 at 19:01:16
Source:
bleepingcomputer.com
Network Infrastructure, Zero-Day Vulnerabilities, Email & Messaging
Cisco warns of an unpatched, maximum-severity zero-day vulnerability in AsyncOS that is being actively exploited in attacks. The vulnerability affects Cisco Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. No fix was available at the time of publication and the flaw is already being used in the wild, so organisations running affected appliances face immediate risk and should apply the mitigations below rather than wait for a patch.
Technical details
CVE-2025-20393 is a maximum-severity (CVSS 10.0) zero-day vulnerability in the Spam Quarantine interface of Cisco AsyncOS on SEG and SEWM appliances. It stems from insufficient validation of user-supplied input and allows an unauthenticated, remote attacker to execute arbitrary commands as root on the underlying operating system. Exploitation requires the Spam Quarantine feature to be enabled and reachable from the Internet, which is not the default configuration; appliances that expose the quarantine only internally are still vulnerable but are not reachable over this attack path. Cisco Talos attributes the exploitation to UAT-9686, a China-linked threat group, which uses the flaw to deploy the AquaShell persistent backdoor, the AquaTunnel reverse SSH tunnel implant, the open-source Chisel tunnelling tool, and the AquaPurge log-clearing tool. The campaign has been active since at least late November 2025.
Mitigation steps:
Do not expose the Spam Quarantine or management interfaces to the Internet; restrict connections to trusted hosts and place appliances behind a firewall.
Separate mail-handling interfaces from management interfaces.
Monitor web access logs for unusual activity on the quarantine and management interfaces, and retain logs long enough to support an investigation.
Disable services that are not needed.
Watch the Cisco advisory for fixed AsyncOS releases and update as soon as one is available; no patch existed at the time of publication.
Use strong authentication (SAML or LDAP) and change all default passwords.
Use SSL/TLS certificates for management traffic.
Contact Cisco TAC to have the appliance checked for compromise.
If an appliance is compromised, rebuild it: Cisco states this is the only viable way to eradicate the threat actor's persistence mechanism.
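As an added example (not code from the BleepingComputer article, Cisco or Talos), the following Python script illustrates the "restrict connections to trusted hosts" and "monitor web logs for unusual activity" steps: it parses web access log lines, keeps only requests to the Spam Quarantine interface, and reports those coming from sources outside a trusted allow-list. The log format, the trusted networks, the quarantine URL prefixes and the sample lines are all constructed assumptions; adapt them to your appliance's actual log export and paths.

```python
import ipaddress
import re
from collections import Counter

# Regex for an Apache/nginx "combined" style access-log line. Assumption: the
# real AsyncOS GUI/quarantine log export differs, so adapt this pattern to it.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Networks from which quarantine/management access is expected (constructed).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# URL prefixes taken to identify the Spam Quarantine interface. These are
# hypothetical names; confirm the real paths on your appliance.
QUARANTINE_PREFIXES = ("/quarantine/", "/euq/")

# Constructed sample log lines, not captured from a real appliance.
SAMPLE_LOG = """\
10.10.5.23 - - [17/Dec/2025:18:02:11 +0000] "GET /euq/login HTTP/1.1" 200 512
203.0.113.45 - - [17/Dec/2025:18:03:40 +0000] "GET /euq/login HTTP/1.1" 200 512
203.0.113.45 - - [17/Dec/2025:18:03:42 +0000] "POST /euq/login HTTP/1.1" 500 0
198.51.100.7 - - [17/Dec/2025:18:05:01 +0000] "GET /login HTTP/1.1" 200 1024
10.10.5.23 - - [17/Dec/2025:18:06:15 +0000] "GET /monitor/reports HTTP/1.1" 200 2048
garbage line that does not parse
"""


def is_trusted(src: str) -> bool:
    """True if the source address falls inside an allow-listed network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def triage(log_text: str):
    """Return one finding per quarantine-interface request from an untrusted source."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        if not m["path"].startswith(QUARANTINE_PREFIXES):
            continue  # not the quarantine interface
        if is_trusted(m["src"]):
            continue  # expected access from an allow-listed network
        findings.append({
            "src": m["src"],
            "ts": m["ts"],
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return findings


def by_source(findings) -> Counter:
    """Count untrusted quarantine hits per source address for prioritisation."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['src']} {f['method']} {f['path']} -> {f['status']}")
    print("per-source:", dict(by_source(hits)))
```

Run it against an exported access log: any hit on the quarantine interface from an untrusted source shows that the exposure mitigation is not in place for that appliance and is a starting point for the Cisco TAC compromise check. An empty result does not prove the appliance is clean, since a log-clearing tool is part of the actor's toolkit.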
Affected products:
Cisco Secure Email Gateway (SEG)
Cisco Secure Email and Web Manager (SEWM)
Cisco AsyncOS
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2025-20393
https://github.com/Cisco-Talos/IOCs/tree/main/2025/12
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-009.pdf
https://www.security.com/threat-intelligence/china-southeast-asia-espionage
https://blog.talosintelligence.com/uat-9686/
https://www.cisco.com/c/en/us/support/index.html
http://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
Related CVEs:
Related threat actors:
UAT-9686
IOCs:
Malware families observed: AquaShell backdoor, AquaTunnel reverse SSH tunnel, Chisel tunnelling tool, AquaPurge log-clearing tool. For concrete indicators (file hashes, network addresses) consult the Cisco Talos IOC repository and the UAT-9686 blog post listed under Related links.
This article was created with the assistance of AI technology by Perceptive.
