Cisco has finally rolled out patches for a critical AsyncOS zero-day vulnerability that has been actively exploited since November 2025. The flaw targeted Cisco’s Secure Email Gateway and related management appliances, prompting warnings from both Cisco and US cyber authorities.
Cisco confirmed that it has patched a maximum-severity zero-day vulnerability affecting its AsyncOS software. The flaw, tracked as CVE-2025-20393, was exploited in real-world attacks against Cisco Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances.
The vulnerability had remained under active exploitation for weeks before a final fix was released.
Which systems were affected?
According to Cisco, the vulnerability only affected SEG and SEWM appliances running non-standard configurations. Systems were vulnerable if the Spam Quarantine feature was enabled and exposed directly to the internet.
This configuration allowed attackers to target exposed interfaces and compromise affected appliances.
How vulnerability worked
Cisco explained that the issue stemmed from improper input validation within AsyncOS software. This flaw allowed threat actors to execute arbitrary commands with root privileges on the underlying operating system.
Such access gives attackers full control over compromised appliances, significantly increasing the risk to affected organizations.
Active exploitation linked to Chinese threat group
Cisco Talos, the company’s threat intelligence team, assessed with moderate confidence that a Chinese hacking group tracked as UAT-9686 was behind the attacks.
During its investigation, Talos observed attackers deploying several malicious tools, including:
-
AquaShell persistent backdoors
-
AquaTunnel and Chisel reverse-SSH tunneling malware
-
AquaPurge, a log-clearing tool used to erase evidence of intrusion
Talos noted that AquaTunnel and related tools have previously been linked to other Chinese state-backed groups such as APT41 and UNC5174.
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog on December 17.
Under Binding Operational Directive 22-01, federal agencies were ordered to secure affected systems using Cisco’s guidance by December 24.
CISA urged organizations to assess exposure, check for signs of compromise, and apply vendor mitigations as soon as possible.
Cisco has published detailed upgrade instructions in its security advisory, outlining how to move vulnerable appliances to fixed software versions. Security teams are advised to review logs, inspect systems for indicators of compromise, and restrict internet exposure where possible.
