As the year 2025 comes to a close, a critical vulnerability in Cisco’s AsyncOS Software, identified as CVE-2025-20393, has been discovered. This zero-day flaw, which holds a maximum severity CVSS score of 10.0, is actively being exploited by a China-linked APT group known as UAT-9686. This group is targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager systems.
The vulnerability stems from improper input validation and allows attackers to execute arbitrary commands with root privileges on affected devices. Cisco states that exploitation requires specific conditions: the Spam Quarantine feature must be enabled and reachable from the internet, and this feature is disabled by default. The company has advised administrators to check whether it is enabled through the web management interface.
The exploitation activity has been traced back to late November 2025, with attackers deploying tools like ReverseSSH, Chisel, and a lightweight backdoor named AquaShell to maintain control over compromised systems. Until a patch is released, Cisco recommends restricting internet exposure, using firewalls, and enforcing strong authentication mechanisms to mitigate risks. In confirmed cases of compromise, rebuilding the appliance is advised to remove persistence.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog, urging federal agencies to implement mitigations by December 24, 2025. Meanwhile, security firms have noted coordinated credential-stuffing campaigns targeting enterprise VPNs, suggesting a broader threat landscape. Organizations are encouraged to use advanced detection platforms to stay ahead of these emerging threats.

