**Cisco Finally Fixes AsyncOS Zero-Day Exploited Since November**

Cisco has finally patched a maximum-severity Cisco AsyncOS zero-day vulnerability that has been exploited in attacks against Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances since November 2025.

The vulnerability, identified as CVE-2025-20393, affects only Cisco SEG and SEWM appliances with non-standard configurations when the Spam Quarantine feature is enabled and exposed on the Internet. According to Cisco, "Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contain an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance."

Detailed instructions for upgrading vulnerable appliances to a fixed software version are available in Cisco's security advisory. Cisco Talos, the company's threat intelligence research team, believes that a Chinese hacking group tracked as UAT-9686 is likely behind the attacks abusing the flaw to execute arbitrary commands with root privileges.

During their investigation, Cisco Talos observed the threat actors deploying various malware implants, including AquaShell persistent backdoors, AquaTunnel and Chisel reverse-SSH tunnel malware, and the AquaPurge log-clearing tool. Interestingly, AquaTunnel and other malicious tools deployed in this campaign have been linked to other Chinese state-backed threat groups, such as APT41 and UNC5174.

"We assess with moderate confidence that the adversary, who we are tracking as UAT-9686, is a Chinese-nexus advanced persistent threat (APT) actor whose tool use and infrastructure are consistent with other Chinese threat groups," Cisco Talos said. "As part of this activity, UAT-9686 deploys a custom persistence mechanism we track as AquaShell accompanied by additional tooling meant for reverse tunneling and purging logs."

The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog on December 17, ordering federal agencies to secure their systems using Cisco's guidance within a week, by December 24, as mandated by Binding Operational Directive (BOD) 22-01.

"Please adhere to Cisco's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet-accessible Cisco products affected by this vulnerability. Apply any final mitigations provided by the vendor as soon as they become available," CISA said. "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."