Zero-Day Flaw Exploited Since November 2025
Cisco has finally released security patches for a critical zero-day vulnerability that hackers exploited for several months. The flaw affected Cisco AsyncOS software and was actively used in real-world attacks since November 2025.
The vulnerability, tracked as CVE-2025-20393, impacted Cisco Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. Cisco confirmed that the issue reached maximum severity and allowed attackers to gain full control of affected systems.
Security researchers and US cyber authorities raised alarms after detecting ongoing exploitation. Despite early warnings, the vulnerability remained active for weeks before a complete fix was made available.
Cisco stated that the flaw was not present in all deployments. Only appliances running non-standard configurations were vulnerable. Systems became exposed when the Spam Quarantine feature was enabled and directly accessible from the internet.
This setup allowed attackers to target public-facing interfaces. Once breached, attackers could compromise email security infrastructure used by enterprises and government organizations.
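The exposure condition described above (Spam Quarantine enabled and bound to an internet-reachable address) is easy to triage across a fleet from an inventory export. The following is an added example, not Cisco's code and not the AsyncOS configuration schema: the listener records, their field names and the internal address allow-list are all constructed for illustration.

```python
import ipaddress

# Constructed inventory of appliance listeners. The field names are an assumption
# made for this example and are not AsyncOS's real configuration schema.
SAMPLE_LISTENERS = [
    {"appliance": "seg-01", "service": "spam_quarantine", "enabled": True,  "bind": "203.0.113.10", "port": 443},
    {"appliance": "seg-02", "service": "spam_quarantine", "enabled": True,  "bind": "10.20.30.40",  "port": 443},
    {"appliance": "seg-03", "service": "spam_quarantine", "enabled": False, "bind": "203.0.113.11", "port": 443},
    {"appliance": "seg-04", "service": "mail_delivery",   "enabled": True,  "bind": "203.0.113.12", "port": 25},
    {"appliance": "seg-05", "service": "spam_quarantine", "enabled": True,  "bind": "0.0.0.0",      "port": 443},
]

# Address space the organisation treats as internal (constructed allow-list).
# Anything bound outside these ranges, or to the wildcard address, is treated as
# reachable from the internet. An explicit allow-list is used instead of
# ipaddress's is_private, which also classifies documentation ranges such as
# 203.0.113.0/24 as private and would hide the sample cases below.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internet_facing(bind_addr: str, internal_nets=INTERNAL_NETWORKS) -> bool:
    """True if a listener bound to bind_addr is reachable from outside."""
    ip = ipaddress.ip_address(bind_addr)
    if ip.is_unspecified:          # 0.0.0.0 or :: binds every interface
        return True
    if ip.is_loopback:             # 127.0.0.1 / ::1 is never externally reachable
        return False
    return not any(ip in net for net in internal_nets)


def find_exposed_quarantine(listeners=SAMPLE_LISTENERS, internal_nets=INTERNAL_NETWORKS) -> list:
    """Return appliance names whose Spam Quarantine is enabled and internet-facing."""
    exposed = []
    for entry in listeners:
        if entry["service"] != "spam_quarantine" or not entry["enabled"]:
            continue
        if is_internet_facing(entry["bind"], internal_nets):
            exposed.append(entry["appliance"])
    return exposed


if __name__ == "__main__":
    for name in find_exposed_quarantine():
        print(f"{name}: Spam Quarantine enabled on an internet-facing address; restrict or front with a VPN before anything else")
```

Only seg-01 and seg-05 are reported: seg-02 listens on internal space, seg-03 has the feature disabled, and seg-04 is the SMTP listener, which is expected to be public. The wildcard bind on seg-05 is the case most often missed in manual reviews, because the address alone does not look external.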
How the AsyncOS Vulnerability Worked
Cisco explained that the flaw was caused by improper input validation in AsyncOS software. This weakness allowed attackers to send specially crafted requests to vulnerable appliances.
Successful exploitation enabled arbitrary command execution with root-level privileges. Root access gave attackers complete control over the underlying operating system.
With full privileges, attackers could install malware, create backdoors, steal sensitive email data, and move laterally across networks. This significantly increased the risk to organizations relying on Cisco's email security products.
The vulnerability was especially dangerous because Secure Email Gateway appliances often sit at the perimeter of enterprise networks. Compromise at this level could bypass multiple layers of security.
Cisco urged administrators to review system configurations immediately. The company stressed that internet-exposed management interfaces should always be restricted.
Chinese Threat Group Linked to Attacks
Cisco Talos, the company's threat intelligence unit, linked the attacks to a Chinese threat group tracked as UAT-9686. The assessment was made with moderate confidence based on observed tactics and tools.
During investigations, Talos detected multiple malicious utilities deployed on compromised systems. These included AquaShell, a persistent backdoor designed to maintain long-term access.
Attackers also used AquaTunnel and Chisel, both reverse-SSH tunneling tools. These tools allow attackers to maintain encrypted communication channels and bypass firewalls.
Talos further identified AquaPurge, a log-wiping utility used to erase forensic evidence. This made detection and incident response more difficult.
Security researchers noted that AquaTunnel has previously been associated with Chinese state-backed groups such as APT41 and UNC5174.
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog on December 17. Federal agencies were ordered to secure affected systems by December 24 under Binding Operational Directive 22-01.
CISA urged all organizations to assess exposure, hunt for indicators of compromise, and apply Cisco's patches without delay.
Cisco has published detailed upgrade instructions in its advisory. Security teams are advised to update software, inspect logs, and limit internet-facing access to prevent further attacks.
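Because the attackers deployed a log-wiping utility (AquaPurge, above), "inspect logs" has to include checking whether the logs themselves are intact. The following is an added example, not Cisco's code or Talos's tooling: it scans syslog-style lines for silent stretches longer than a threshold and for timestamps that run backwards, two common traces of a truncated or rewritten log. The log lines, hostnames and times are constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed syslog-style lines for this example; hosts, times and messages are made up.
SAMPLE_LOG = """\
Dec 15 09:00:01 seg-01 gui_log: admin login from 10.0.0.5
Dec 15 09:05:12 seg-01 gui_log: quarantine search by admin
Dec 15 09:10:44 seg-01 gui_log: quarantine message released by admin
Dec 15 13:42:03 seg-01 gui_log: admin login from 10.0.0.5
Dec 15 13:47:30 seg-01 gui_log: configuration committed by admin
"""

LOG_YEAR = 2025  # syslog timestamps omit the year; assumed for the sample


def parse_timestamp(line: str, year: int = LOG_YEAR) -> datetime:
    """Parse the leading 'Mon DD HH:MM:SS' syslog timestamp of a line."""
    stamp = " ".join(line.split()[:3])
    return datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)


def find_log_anomalies(text: str = SAMPLE_LOG, max_gap: timedelta = timedelta(hours=1)) -> list:
    """Flag silent stretches longer than max_gap and out-of-order timestamps.

    A wiped or truncated log shows up as an unexplained hole between entries, or
    as entries that run backwards in time after a rewrite. Each finding is a dict
    with the bounding timestamps and the gap in seconds (negative when out of order).
    """
    findings = []
    previous = None
    for line in text.splitlines():
        if not line.strip():
            continue
        current = parse_timestamp(line)
        if previous is not None:
            delta = (current - previous).total_seconds()
            if delta > max_gap.total_seconds():
                findings.append({"kind": "gap", "start": previous.isoformat(),
                                 "end": current.isoformat(), "seconds": int(delta)})
            elif delta < 0:
                findings.append({"kind": "out_of_order", "start": previous.isoformat(),
                                 "end": current.isoformat(), "seconds": int(delta)})
        previous = current
    return findings


if __name__ == "__main__":
    for finding in find_log_anomalies():
        print(f"{finding['kind']}: {finding['start']} -> {finding['end']} ({finding['seconds']} s)")
```

On the sample the only finding is the hole between 09:10:44 and 13:42:03. A gap alone is not proof of tampering, since a quiet appliance produces gaps too, so confirm it against a source that is busy around the clock (the mail delivery log of the same appliance) and against a copy forwarded to a remote syslog collector, which an on-box wiper cannot reach. The threshold should be set from each log's normal cadence rather than a fixed hour.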