Cisco has finally patched a maximum-severity Cisco AsyncOS zero-day that attackers have exploited against Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances since November 2025.
Previously, in December, Cisco explained that the disclosed vulnerability (CVE-2025-20393) affects only Cisco SEG and Cisco SEWM appliances running non-standard configurations when administrators enable the Spam Quarantine feature and expose it to the Internet.
“Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contain an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance,” Cisco said.
Meanwhile, Cisco has published detailed instructions in its security advisory to help administrators upgrade vulnerable appliances to a fixed software version.
Threat Actor Attribution and Active Exploitation
At the same time, Cisco Talos, the company’s threat intelligence research team, believes a Chinese hacking group tracked as UAT-9686 likely stands behind attacks that abuse the flaw to execute arbitrary commands with root privileges.
During the investigation, Cisco Talos observed the threat actors deploying AquaShell persistent backdoors, AquaTunnel and Chisel reverse-SSH tunnel malware implants, and the AquaPurge log-clearing tool to erase traces of malicious activity.
Additionally, researchers have previously linked AquaTunnel and other malicious tools used in this campaign to other Chinese state-backed threat groups, including APT41 and UNC5174.
“We assess with moderate confidence that the adversary, who we are tracking as UAT-9686, is a Chinese-nexus advanced persistent threat (APT) actor whose tool use and infrastructure are consistent with other Chinese threat groups,” Cisco Talos said.
“As part of this activity, UAT-9686 deploys a custom persistence mechanism we track as AquaShell accompanied by additional tooling meant for reverse tunneling and purging logs.”
CISA Adds Vulnerability to Known Exploited Catalog
Following these findings, CISA added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog on December 17 and ordered federal agencies to secure their systems using Cisco’s guidance within one week, by December 24, as mandated by Binding Operational Directive (BOD) 22-01.
“Please adhere to Cisco’s guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Cisco products affected by this vulnerability. Apply any final mitigations provided by the vendor as soon as they become available,” CISA said.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”
Source: BleepingComputer, Sergiu Gatlan