Cisco Alerts on Active Exploitation of Zero-Day Vulnerability in AsyncOS Email Security Appliances
Cisco has recently identified a critical zero-day vulnerability in its AsyncOS software, actively exploited by a sophisticated threat actor known as UAT-9686. This flaw, designated as CVE-2025-20393 with a maximum CVSS score of 10.0, affects Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances. The vulnerability arises from improper input validation, enabling attackers to execute arbitrary commands with root privileges on the underlying operating system.
Discovery and Impact
The intrusion campaign was detected on December 10, 2025, targeting a limited subset of appliances with specific ports exposed to the internet. The exact number of affected customers remains undetermined. The exploitation allows threat actors to gain full control over compromised systems, posing significant risks to data integrity and system availability.
Affected Systems
All versions of Cisco AsyncOS Software are susceptible to this vulnerability. Exploitation requires the following conditions:
– The Spam Quarantine feature is enabled.
– The Spam Quarantine feature is accessible from the internet.
Notably, the Spam Quarantine feature is disabled by default. Administrators can verify its status by navigating through the web management interface to the IP Interfaces section and checking if the Spam Quarantine option is selected.
Attack Methodology
Evidence suggests that the exploitation began in late November 2025. UAT-9686 has utilized this vulnerability to deploy various malicious tools, including:
– ReverseSSH (AquaTunnel): A tunneling tool previously linked to Chinese hacking groups such as APT41 and UNC5174.
– Chisel: Another tunneling tool facilitating unauthorized network access.
– AquaPurge: A utility designed to clean logs, aiding in evading detection.
– AquaShell: A lightweight Python-based backdoor capable of executing encoded commands received via specially crafted HTTP POST requests.
Mitigation Strategies
In the absence of an immediate patch, Cisco recommends the following actions to mitigate the risk:
1. Restore Secure Configuration: Revert appliances to a known secure state.
2. Restrict Internet Access: Limit exposure by configuring firewalls to allow traffic only from trusted hosts.
3. Network Segmentation: Separate mail and management functionalities onto different network interfaces to reduce attack surfaces.
4. Monitor Web Logs: Regularly review web logs for any unusual or unexpected traffic patterns.
5. Disable Unnecessary Services: Turn off network services that are not essential to operations.
6. Enhance Authentication: Implement strong authentication methods such as SAML or LDAP, and change default administrator passwords to complex, unique ones.
In cases where a compromise is confirmed, rebuilding the affected appliances is currently the only effective remediation strategy.
Broader Context
This incident underscores a series of security challenges faced by Cisco products in recent times. For instance, in September 2025, Cisco addressed a high-severity SNMP vulnerability (CVE-2025-20352) in IOS and IOS XE Software, which allowed remote code execution or denial-of-service attacks. Similarly, in November 2025, the company disclosed attacks targeting Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software, exploiting vulnerabilities CVE-2025-20333 and CVE-2025-20362.
These recurring vulnerabilities highlight the critical importance of proactive security measures, timely patch management, and continuous monitoring to safeguard network infrastructures against evolving cyber threats.
