**Cisco Warns of Unpatched AsyncOS Zero-Day Exploited in Attacks**

Cisco has issued a warning to its customers regarding an unpatched, maximum-severity Cisco AsyncOS zero-day that is being actively exploited in attacks targeting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances.

The yet-to-be-patched zero-day, tracked as CVE-2025-20393, affects only Cisco SEG and SEWM appliances with a non-standard configuration in which the Spam Quarantine feature is enabled and exposed to the Internet. The vulnerability has been linked to a Chinese threat group tracked as UAT-9686, which is believed to be behind attacks exploiting the flaw to execute arbitrary commands as root and deploy malicious tools on compromised appliances.

Cisco Talos, the company's threat intelligence research team, has published indicators of compromise for these attacks in a GitHub repository. The malicious tools used in the attacks have also been linked to other Chinese state-backed hacking groups, such as UNC5174 and APT41. "We assess with moderate confidence that the adversary, who we are tracking as UAT-9686, is a Chinese-nexus advanced persistent threat (APT) actor whose tool use and infrastructure are consistent with other Chinese threat groups," Cisco Talos said in a Wednesday advisory.

The attacks have been active since at least late November 2025, and while Cisco has yet to release security updates to address this zero-day flaw, the company advised administrators to secure and restrict access to vulnerable appliances. Recommendations include limiting internet access, restricting connections to trusted hosts, placing appliances behind firewalls to filter traffic, separating mail-handling and management functions, monitoring web logs for unusual activity, retaining logs for investigations, disabling unnecessary services, keeping systems up-to-date with the latest Cisco AsyncOS software, implementing strong authentication methods such as SAML or LDAP, changing default passwords, and using SSL or TLS certificates to secure management traffic.

Cisco also advised customers who want to check whether their appliances have already been compromised to open a Cisco Technical Assistance Center (TAC) case. The company strongly recommends following the guidance in the Recommendations section of today's security advisory and taking immediate action to restore vulnerable appliances to a secure configuration, if possible. If restoring the appliance is not possible, rebuilding it may be the only viable option to eradicate the threat actors' persistence mechanism from the appliance.

**Key Takeaways:**

* An unpatched, maximum-severity Cisco AsyncOS zero-day (CVE-2025-20393) is being actively exploited in attacks targeting SEG and SEWM appliances.
* The vulnerability affects only Cisco SEG and SEWM appliances with non-standard configurations where the Spam Quarantine feature is enabled and exposed on the Internet.
* A Chinese threat group tracked as UAT-9686 is believed to be behind these attacks, which exploit the zero-day flaw to execute arbitrary commands as root and deploy malicious tools.
* Customers are advised to secure and restrict access to vulnerable appliances, following the recommendations outlined by Cisco.

**Recommendations:**

1. Limit internet access to vulnerable appliances
2. Restrict connections to trusted hosts
3. Place appliances behind firewalls to filter traffic
4. Separate mail-handling and management functions
5. Monitor web logs for unusual activity
6. Retain logs for investigations
7. Disable unnecessary services
8. Keep systems up-to-date with the latest Cisco AsyncOS software
9. Implement strong authentication methods such as SAML or LDAP
10. Change default passwords
11. Use SSL or TLS certificates to secure management traffic
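The two recommendations that directly address the exposure described in this advisory are restricting the Spam Quarantine interface to trusted hosts and watching the web logs for access from anywhere else. The script below is an added example of that check and is not Cisco's tooling or code from the advisory: it reads web-access log lines, keeps only requests to the quarantine ports, and reports every request whose source address is outside a trusted-host allowlist. It assumes the Spam Quarantine is published on TCP 82 (HTTP) and 83 (HTTPS), the AsyncOS defaults; the allowlist networks and the log line format are constructed for the example, so the regular expression is the part to adapt to your own exported logs.

```python
"""Flag Spam Quarantine web-UI requests that come from outside a trusted-host allowlist.

Added example, not Cisco's tooling. The log format is constructed for this script;
real AsyncOS GUI logs differ, so adapt LINE_RE before running it on exported logs.
"""
import ipaddress
import re
from collections import Counter

# Assumption: the Spam Quarantine UI is reachable on TCP 82 (HTTP) and 83 (HTTPS),
# the AsyncOS defaults. Adjust if the appliance publishes it on other ports.
QUARANTINE_PORTS = {82, 83}

# Constructed allowlist of trusted management and mail-handling networks.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]

# Constructed sample log in the shape "<src_ip>:<dst_port> <method> <path> <status>".
SAMPLE_LOG = """\
10.20.5.7:83 GET /login 200
10.20.5.7:83 POST /login 302
198.51.100.23:83 GET /login 200
198.51.100.23:83 POST /login 302
203.0.113.9:82 GET /login 200
10.20.9.1:443 GET /login 200
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


def is_trusted(ip: str, networks=None) -> bool:
    """True if the source address falls inside one of the allowlisted networks."""
    nets = TRUSTED_NETWORKS if networks is None else networks
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_line(line: str):
    """Return a record dict for a well-formed line, or None for anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ipaddress.ip_address(m["ip"])  # reject things that only look like an address
    except ValueError:
        return None
    return {"ip": m["ip"], "port": int(m["port"]), "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def find_untrusted_quarantine_access(log_text: str, networks=None):
    """Return (hits, per_source): quarantine requests from untrusted sources and a count per IP."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["port"] not in QUARANTINE_PORTS:
            continue  # unparseable, or not a request to the quarantine interface
        if is_trusted(rec["ip"], networks):
            continue  # expected traffic from an allowlisted network
        hits.append(rec)
    per_source = Counter(h["ip"] for h in hits)
    return hits, per_source


if __name__ == "__main__":
    untrusted, by_ip = find_untrusted_quarantine_access(SAMPLE_LOG)
    for ip, n in by_ip.most_common():
        print(f"{ip}: {n} quarantine request(s) from outside the allowlist")
```

Any source that appears in the output is either a trusted host missing from the allowlist or exactly the kind of Internet-facing access the advisory says should not exist; in the latter case the appliance should be treated as potentially compromised and a TAC case opened rather than the log simply cleaned up.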

**Action Required:**

* Customers who want to check whether their appliances have already been compromised should open a Cisco Technical Assistance Center (TAC) case.
* Follow the guidance in the Recommendations section of today's security advisory to restore vulnerable appliances to a secure configuration, if possible.