Critical Cisco Secure Email Gateway Zero-Day Exploited by APT Group; Urgent Patch Advisory Issued

Critical Zero-Day Vulnerability in Cisco Secure Email Gateway Actively Exploited

Cisco has recently confirmed the active exploitation of a critical zero-day vulnerability, identified as CVE-2025-20393, within its Secure Email Gateway and Secure Email and Web Manager appliances. This flaw enables unauthenticated attackers to execute arbitrary commands with root-level privileges by sending specially crafted HTTP requests to the Spam Quarantine feature.

Technical Details:

The vulnerability arises from inadequate validation of HTTP requests in the Spam Quarantine component of Cisco’s AsyncOS Software. This oversight allows remote command execution with root privileges on affected devices. Classified under CWE-20 (Improper Input Validation), CVE-2025-20393 has been assigned a maximum CVSSv3.1 base score of 10.0, indicating its severe impact on confidentiality, integrity, and availability.

Exploitation is particularly concerning for appliances where the Spam Quarantine feature is both enabled and exposed to the internet, typically on port 6025. Notably, this configuration is not enabled by default and is discouraged in Cisco’s deployment guidelines.

Exploitation Timeline and Threat Actor Attribution:

Cisco became aware of active attacks exploiting this vulnerability on December 10, 2025, with evidence suggesting that exploitation began as early as November 2025. Cisco Talos, the company’s threat intelligence division, attributes these attacks to a China-based advanced persistent threat (APT) group known as UAT-9686 (also referred to as UNC-9686). This attribution is made with moderate confidence, based on observed overlaps in tooling with other groups like APT41 and UNC5174.

The attackers have been observed deploying a Python-based backdoor named AquaShell to maintain persistent remote access. They also use AquaTunnel and Chisel for reverse SSH tunneling, which lets them pivot into the internal network from the compromised appliance. To evade detection, they employ AquaPurge to wipe logs on the device. Targeted sectors include telecommunications and critical infrastructure, with a focus on espionage rather than ransomware deployment.

Government Advisory and Increased Scanning Activity:

In response to the active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog on December 17, 2025. Federal agencies were mandated to implement mitigations by December 24, 2025. As of January 2026, while no public proof-of-concept exploits have been disclosed, there has been a noticeable increase in automated scanning activities targeting this vulnerability.

Indicators of Compromise and Recommendations:

Indicators of compromise include the presence of the AquaShell backdoor, which establishes a covert channel for remote access. Cisco recommends that organizations verify the integrity of their systems by engaging Cisco Technical Assistance Center (TAC) support and ensuring that remote access to the appliance is enabled so that TAC can perform a thorough assessment.

Mitigation Measures and Software Updates:

Cisco has released patches to address CVE-2025-20393 and to remove known persistence mechanisms associated with the exploitation. No workarounds are available, making immediate software updates imperative. Administrators are advised to upgrade their systems promptly and to verify the status of the Spam Quarantine feature via the web interface under Network > IP Interfaces.

Fixed Releases:

Cisco Secure Email Gateway:

– Versions 14.2 and earlier: Upgrade to 15.0.5-016

– Version 15.0: Upgrade to 15.0.5-016

– Version 15.5: Upgrade to 15.5.4-012

– Version 16.0: Upgrade to 16.0.4-016

Cisco Secure Email and Web Manager:

– Versions 15.0 and earlier: Upgrade to 15.0.2-007

– Version 15.5: Upgrade to 15.5.4-007

– Version 16.0: Upgrade to 16.0.4-010
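The fixed-release lists above are easy to misread when triaging a fleet by hand (for example, a Secure Email Gateway on 15.5.3 needs 15.5.4-012, not the 15.0.5-016 fix, and a release train the advisory does not list needs a human decision). The following script is an added example, not Cisco's tooling: it encodes the two tables exactly as given above, parses AsyncOS version strings of the form major.minor.patch-build, and ranks a constructed inventory so that unpatched appliances with the Spam Quarantine exposed to the internet (the condition the advisory flags) come first. The host names, the inventory rows and the `quarantine_exposed` field are assumptions made for the example.

```python
"""Triage an AsyncOS appliance inventory against the CVE-2025-20393 fixed releases.

Added example, not Cisco's own tooling. The fixed-release table and product
names come from the advisory; the sample inventory is constructed data, and the
inventory field names (host, product, version, quarantine_exposed) are assumptions.
"""
import re
from typing import NamedTuple, Optional

# Minimum fixed release per product and release train, as listed in the advisory.
# "floor" covers the "<version> and earlier" entry: any train at or below it maps
# onto that fix. Trains that are neither covered by the floor nor listed return
# None so they are routed to manual review rather than silently marked safe.
FIXED_RELEASES = {
    "Secure Email Gateway": {
        "floor": ((14, 2), "15.0.5-016"),   # versions 14.2 and earlier
        "trains": {(15, 0): "15.0.5-016", (15, 5): "15.5.4-012", (16, 0): "16.0.4-016"},
    },
    "Secure Email and Web Manager": {
        "floor": ((15, 0), "15.0.2-007"),   # versions 15.0 and earlier
        "trains": {(15, 0): "15.0.2-007", (15, 5): "15.5.4-007", (16, 0): "16.0.4-010"},
    },
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?$")


def parse_version(text: str) -> tuple:
    """Parse 'major.minor[.patch][-build]' into a comparable integer tuple.
    Missing patch/build components compare as 0, so '14.2' < '14.2.1-020'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def required_fix(product: str, version: str) -> Optional[str]:
    """Return the fixed release the advisory gives for this product and train,
    or None when the train is not covered by the advisory's list."""
    table = FIXED_RELEASES[product]
    train = parse_version(version)[:2]
    floor_train, floor_fix = table["floor"]
    if train <= floor_train:
        return floor_fix
    return table["trains"].get(train)


class Finding(NamedTuple):
    host: str
    status: str            # "patched", "upgrade" or "review"
    priority: str          # "critical", "high" or "info"
    target: Optional[str]  # release to upgrade to, if known


def assess(host: str, product: str, version: str, quarantine_exposed: bool) -> Finding:
    """Classify one appliance. An unpatched host whose Spam Quarantine is reachable
    from the internet is 'critical'; an unlisted train is 'review' and treated as
    high priority until someone confirms its status."""
    fix = required_fix(product, version)
    if fix is None:
        return Finding(host, "review", "high", None)
    if parse_version(version) >= parse_version(fix):
        return Finding(host, "patched", "info", fix)
    return Finding(host, "upgrade", "critical" if quarantine_exposed else "high", fix)


# Constructed sample inventory: (host, product, running version, quarantine exposed?)
SAMPLE_INVENTORY = [
    ("esa-dmz-01", "Secure Email Gateway", "15.5.3-004", True),
    ("esa-int-02", "Secure Email Gateway", "14.2.1-020", False),
    ("esa-int-03", "Secure Email Gateway", "16.0.4-016", False),
    ("sma-01", "Secure Email and Web Manager", "13.8.1-068", True),
    ("sma-02", "Secure Email and Web Manager", "16.1.0-001", False),
]


def triage(inventory) -> list:
    """Assess every appliance and order the findings most urgent first."""
    rank = {"critical": 0, "high": 1, "info": 2}
    return sorted((assess(*row) for row in inventory), key=lambda f: rank[f.priority])


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        target = f" -> upgrade to {f.target}" if f.status == "upgrade" else ""
        print(f"{f.priority:8} {f.status:8} {f.host}{target}")
```

In a real deployment the inventory rows would come from your CMDB or from each appliance's reported version, and the `quarantine_exposed` flag from the Network > IP Interfaces check the advisory describes. Anything that lands in "review" (a train the advisory does not list, such as a hypothetical 16.1) should be checked against Cisco's current advisory text rather than assumed fixed.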

Additional Security Recommendations:

To further secure their systems, organizations should implement the following measures:

– Configure firewalls to restrict unnecessary external access.

– Separate mail and management interfaces to limit exposure.

– Disable non-essential services, such as HTTP and FTP, to reduce potential attack vectors.

– Implement strong authentication protocols, including SAML or LDAP, to enhance access controls.

It’s important to note that Cisco’s Secure Email Cloud services are not affected by this vulnerability. Organizations are encouraged to forward appliance logs to an external system and monitor them there, so that on-device log wiping of the kind performed by AquaPurge does not erase the evidence, and to contact Cisco’s TAC for a comprehensive compromise assessment.