As 2025 comes to a close, a critical zero-day vulnerability in Cisco AsyncOS Software, identified as CVE-2025-20393, has been discovered. This flaw, with a maximum-severity CVSS score of 10.0, is actively being exploited by the China-backed APT group known as UAT-9686. The vulnerability allows attackers to execute arbitrary commands with root privileges on affected devices, primarily targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.
The issue arises from improper input validation, affecting all versions of Cisco AsyncOS. However, exploitation requires specific conditions, including the Spam Quarantine feature being enabled and accessible from the internet. Cisco has advised administrators to verify the status of this feature and implement various security measures to mitigate risks until a patch is available. These measures include restricting internet exposure, using firewalls, and enforcing strong authentication mechanisms.
The exploitation activity has been traced back to late November 2025, with attackers deploying tools like ReverseSSH and AquaPurge. In response to this growing threat, CISA has added CVE-2025-20393 to its KEV catalog, requiring federal agencies to implement mitigations by December 24, 2025. Additionally, a separate automated credential-stuffing campaign targeting enterprise VPN infrastructure has been identified, indicating a broader threat landscape. To combat these threats, organizations are encouraged to utilize advanced detection platforms to stay ahead of emerging cybersecurity risks.
