BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Cisco Warns of Critical Zero-Day in AsyncOS Exploited by APT

Critical zero-day flaw CVE-2025-20393 in Cisco AsyncOS exploited by China-linked APT UAT-9686 enables root command execution on email gateways, prompting urgent CISA mitigations by December 2025.

  • Cisco AsyncOS software contains a zero-day vulnerability actively exploited by a China-linked advanced persistent threat (APT) group called UAT-9686.
  • The flaw allows attackers to run commands with root privileges on affected devices running Cisco Secure Email Gateway and Secure Email and Web Manager.
  • The vulnerability, CVE-2025-20393, scores a maximum 10.0 on the CVSS scale and remains unpatched.
  • Exploitation requires the Spam Quarantine feature to be enabled and accessible from the internet, which is disabled by default.
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, mandating mitigations for federal agencies by December 24, 2025.

Cisco has disclosed a critical zero-day security flaw in its AsyncOS software that is being exploited by a China-linked advanced persistent threat actor identified as UAT-9686. The intrusion campaign was detected on December 10, 2025, targeting certain Cisco Secure Email Gateway and Secure Email and Web Manager appliances. The affected devices are those with specific ports exposed to the internet.

- Advertisement -

This vulnerability, tracked as CVE-2025-20393, allows attackers to execute arbitrary commands with root privileges on the operating system. The root-level access means attackers can fully control compromised devices. Cisco noted the presence of persistence mechanisms on affected systems, enabling ongoing unauthorized access. All AsyncOS versions are vulnerable under certain conditions.

Successful exploitation requires two conditions: the appliance must have the Spam Quarantine feature enabled, and this feature must be exposed to the internet. Since Spam Quarantine is disabled by default, users can verify its status by accessing the web management interface and navigating to the IP Interfaces section for the respective appliance type. Instructions are provided in the advisory to check this setting.

The threat actor has used this vulnerability since at least late November 2025 to deploy tunneling tools such as ReverseSSH (AquaTunnel), Chisel, a log cleaning tool named AquaPurge, and a Python backdoor called AquaShell. This backdoor listens for unauthenticated HTTP POST requests and executes encoded commands in the system shell, as described in a detailed analysis shared by Cisco.

Due to the lack of a patch, Cisco recommends several mitigation steps. These include restoring devices to secure configurations, blocking internet access to vulnerable ports, isolating mail and management network functions, monitoring web traffic for suspicious activity, and disabling unneeded services such as HTTP for the administrator portal. Strong authentication methods like SAML or LDAP should be used, and default administrator passwords changed. If compromise is confirmed, rebuilding the appliance is advised to remove persistent intrusions.

- Advertisement -

In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog. Federal Civilian Executive Branch agencies are required to deploy mitigations by December 24, 2025.

Separately, security researchers reported a widespread, automated credential attack campaign against enterprise VPN portals from Cisco SSL VPN and Palo Alto Networks GlobalProtect. This campaign, observed in early December 2025, involved scripted login attempts from thousands of IP addresses and targeted weak or exposed authentication endpoints without exploiting vulnerabilities. The activity was described as a single coordinated effort moving across multiple platforms, as noted by threat intelligence providers.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Senate Dems demand hearings on Trump’s $1.2B crypto income

Senate Democrats are calling for hearings into President Trump’s crypto holdings after disclosures showed...

Kraken Relaunches App with AI Agentic Trading Before IPO

Kraken is preparing to relaunch its app with agentic AI trading tools to help...

Robinhood Chain scams: users lose money on launch day

Robinhood’s new blockchain mainnet launched July 1 and is already flooded with scams, including...

New Hampshire council votes down $100M Bitcoin bond proposal

New Hampshire's executive council voted 3-2 against a $100 million BTC-backed bond proposalThe proposal...

Three OpenClaw AI flaws allow host takeover via WhatsApp

Three high-severity flaws in the OpenClaw AI assistant (CVSS 8.8, 8.8, 8.4) could enable...

Must Read

8 Best Crypto Debit Cards For Spending Your Digital Tokens

What are | How we chose | Best crypto debit cards | Binance Card? | FAQ | Final WordsCrypto debit cards have transformed how...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading