- Cisco AsyncOS software contains a zero-day vulnerability actively exploited by a China-linked advanced persistent threat (APT) group called UAT-9686.
- The flaw allows attackers to run commands with root privileges on affected devices running Cisco Secure Email Gateway and Secure Email and Web Manager.
- The vulnerability, CVE-2025-20393, scores a maximum 10.0 on the CVSS scale and remains unpatched.
- Exploitation requires the Spam Quarantine feature to be enabled and accessible from the internet, which is disabled by default.
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, mandating mitigations for federal agencies by December 24, 2025.
Cisco has disclosed a critical zero-day security flaw in its AsyncOS software that is being exploited by a China-linked advanced persistent threat actor identified as UAT-9686. The intrusion campaign was detected on December 10, 2025, targeting certain Cisco Secure Email Gateway and Secure Email and Web Manager appliances. The affected devices are those with specific ports exposed to the internet.
This vulnerability, tracked as CVE-2025-20393, allows attackers to execute arbitrary commands with root privileges on the operating system. The root-level access means attackers can fully control compromised devices. Cisco noted the presence of persistence mechanisms on affected systems, enabling ongoing unauthorized access. All AsyncOS versions are vulnerable under certain conditions.
Successful exploitation requires two conditions: the appliance must have the Spam Quarantine feature enabled, and this feature must be exposed to the internet. Since Spam Quarantine is disabled by default, users can verify its status by accessing the web management interface and navigating to the IP Interfaces section for the respective appliance type. Instructions are provided in the advisory to check this setting.
The threat actor has used this vulnerability since at least late November 2025 to deploy tunneling tools such as ReverseSSH (AquaTunnel), Chisel, a log cleaning tool named AquaPurge, and a Python backdoor called AquaShell. This backdoor listens for unauthenticated HTTP POST requests and executes encoded commands in the system shell, as described in a detailed analysis shared by Cisco.
Due to the lack of a patch, Cisco recommends several mitigation steps. These include restoring devices to secure configurations, blocking internet access to vulnerable ports, isolating mail and management network functions, monitoring web traffic for suspicious activity, and disabling unneeded services such as HTTP for the administrator portal. Strong authentication methods like SAML or LDAP should be used, and default administrator passwords changed. If compromise is confirmed, rebuilding the appliance is advised to remove persistent intrusions.
In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog. Federal Civilian Executive Branch agencies are required to deploy mitigations by December 24, 2025.
Separately, security researchers reported a widespread, automated credential attack campaign against enterprise VPN portals from Cisco SSL VPN and Palo Alto Networks GlobalProtect. This campaign, observed in early December 2025, involved scripted login attempts from thousands of IP addresses and targeted weak or exposed authentication endpoints without exploiting vulnerabilities. The activity was described as a single coordinated effort moving across multiple platforms, as noted by threat intelligence providers.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Bitcoin Nears $81.3K Key Level as Crypto Market Faces Selling Pressure
- Coinbase Expands to Stock Trading, Prediction Markets, and Solana Assets
- WBD Backs Netflix Bid Over Paramount; Stocks React Sharply
- Caroline Pham Leaves CFTC for MoonPay Legal Role
- Jito Foundation to Return to US Amid Clearer Crypto Rules
