
Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances

Published:

18 December 2025 at 04:10:00

Alert date:

18 December 2025 at 05:01:16

Source:

thehackernews.com


Network Infrastructure, Zero-Day Vulnerabilities, Email & Messaging

Cisco disclosed a maximum-severity zero-day vulnerability in AsyncOS software being actively exploited by China-nexus APT group UAT-9686. The attacks target Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances. Cisco became aware of the intrusion campaign on December 10, 2025. The vulnerability remains unpatched and poses critical risk to organizations using affected Cisco email security products. This represents an ongoing active threat with nation-state attribution.

Technical details

CVE-2025-20393 is a maximum-severity zero-day vulnerability in Cisco AsyncOS software with a CVSS score of 10.0. It involves improper input validation that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system. The vulnerability affects appliances configured with the Spam Quarantine feature that is exposed to and reachable from the internet. The China-nexus APT actor UAT-9686 has deployed tunneling tools like ReverseSSH (AquaTunnel) and Chisel, a log cleaning utility called AquaPurge, and a lightweight Python backdoor dubbed AquaShell that listens for unauthenticated HTTP POST requests with specially crafted data.

Mitigation steps:

Restore appliances to a secure configuration
Limit access from the internet
Place devices behind a firewall that allows traffic only from trusted hosts
Separate mail and management functionality onto separate network interfaces
Monitor web log traffic for unexpected traffic
Disable HTTP for the main administrator portal
Turn off unused network services
Use strong end-user authentication methods such as SAML or LDAP
Change the default administrator password

In case of confirmed compromise, rebuilding the appliance is the only viable option to eradicate the threat actor's persistence mechanism. FCEB agencies must apply the mitigations by December 24, 2025.
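An added example, not part of the advisory or Cisco's tooling, of the "monitor web log traffic" and "allow traffic only from trusted hosts" mitigations combined: it scans web access log lines for POST requests that come from outside a trusted network and carry no authenticated user, the traffic pattern the advisory associates with the AquaShell backdoor. The log layout (a generic combined-log style), the trusted network, the IP addresses and the quarantine path are all constructed assumptions; substitute the real appliance log format and your own allowlist.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines. The field layout is an assumption (generic
# combined-log style); the real appliance log format may differ.
SAMPLE_LOG = """\
10.0.5.12 - admin [17/Dec/2025:09:01:10 +0000] "GET /login HTTP/1.1" 200 512
10.0.5.12 - admin [17/Dec/2025:09:01:15 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.77 - - [17/Dec/2025:09:04:02 +0000] "POST /quarantine/ HTTP/1.1" 200 88
203.0.113.77 - - [17/Dec/2025:09:04:03 +0000] "POST /quarantine/ HTTP/1.1" 200 1904
198.51.100.9 - - [17/Dec/2025:09:05:40 +0000] "GET /quarantine/login HTTP/1.1" 200 3100
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)

# Hosts that are expected to reach the web interface (constructed allowlist).
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]


def parse(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip, trusted_nets=TRUSTED_NETS):
    """True when the source address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def find_suspicious(log_text, trusted_nets=TRUSTED_NETS):
    """Return (ip, path, status) for every POST from an untrusted host
    that carries no authenticated user: unexpected traffic worth triage."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["method"] != "POST":
            continue
        if is_trusted(rec["ip"], trusted_nets) or rec["user"] != "-":
            continue
        findings.append((rec["ip"], rec["path"], int(rec["status"])))
    return findings


def count_by_source(findings):
    """Aggregate findings per source address so repeat offenders stand out."""
    return dict(Counter(ip for ip, _, _ in findings))
```

Run against the appliance's exported web access log; any source that appears in the summary and is not a known mail or management host should be investigated rather than assumed benign.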

Affected products:

Cisco AsyncOS Software (all releases)
Cisco Secure Email Gateway
Cisco Secure Email and Web Manager

IOCs:

ReverseSSH (AquaTunnel), Chisel, AquaPurge, AquaShell Python backdoor, Unauthenticated HTTP POST requests with specially crafted data

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
