Critical Zero-Day Vulnerability in Cisco Secure Email Gateway Exploited by Chinese Hackers
A critical zero-day vulnerability, identified as CVE-2025-20393, has been discovered in Cisco’s Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. This flaw, which has a maximum severity score of 10.0 on the Common Vulnerability Scoring System (CVSS), allows unauthenticated attackers to execute arbitrary commands with root privileges on affected systems. The vulnerability is actively being exploited by a Chinese state-sponsored advanced persistent threat (APT) group known as UAT-9686.
Vulnerability Details
The vulnerability resides in Cisco’s AsyncOS software, which powers both SEG and SEWM appliances. Exploitation is possible when the Spam Quarantine feature is enabled and its associated ports are exposed to the internet. While this feature is disabled by default, systems with non-standard configurations are at risk. The flaw enables attackers to gain full control over compromised devices, posing significant security risks to organizations.
Discovery and Exploitation
Cisco became aware of the exploitation on December 10, 2025, during a support case investigation. Evidence suggests that the attacks have been ongoing since at least late November 2025. The threat actors have been observed deploying custom tools such as AquaShell, a Python-based backdoor that allows command execution with root permissions. Additional tools like AquaTunnel (also known as ReverseSSH), Chisel, and AquaPurge have been used for reverse tunneling and log purging, indicating a sophisticated and persistent attack campaign.
Mitigation Measures
As of now, there is no official patch available for CVE-2025-20393. Cisco has provided mitigation steps to help organizations protect their systems:
1. Identify and Disconnect Vulnerable Interfaces: Determine if the Spam Quarantine feature is enabled and if its ports are exposed to the internet. If so, disconnect these interfaces immediately.
2. Restrict Access: Implement robust access control mechanisms to ensure that critical ports are not exposed to unsecured networks.
3. Contact Cisco Technical Assistance Center (TAC): If you suspect your appliance has been compromised, reach out to Cisco’s TAC for assistance.
4. Rebuild Compromised Appliances: Currently, the only way to eradicate the threat actor’s persistence mechanism is to perform a full appliance rebuild.
Detection Tool Released
To assist organizations in identifying potential exposure to this vulnerability, a lightweight Python script named Cisco SMA Exposure Check has been developed. This tool scans for open ports and services associated with the flaw, performs HTTP/S fingerprinting, and checks for common paths and indicators of compromise. It requires only Python 3’s standard library and can be run with the following command:
“`
python3 cisco-sa-sma-attack-N9bf4.py [-v] [-t
“`
The tool flags vulnerable configurations, enabling administrators to take immediate action to secure their systems.
Industry Response
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the critical nature of this flaw. Organizations are urged to follow Cisco’s guidance to assess exposure and mitigate risks promptly.
Conclusion
The exploitation of CVE-2025-20393 underscores the importance of proactive cybersecurity measures. Organizations using Cisco’s Secure Email Gateway and Secure Email and Web Manager appliances should immediately assess their configurations, implement the recommended mitigations, and remain vigilant for signs of compromise. Staying informed and taking swift action is crucial in defending against sophisticated cyber threats.
