Vulnerabilities | December 18, 2025 | 4 min read

Cisco AsyncOS Zero-Day Exploited by China-Linked APT, No Patch Available

Critical CVE-2025-20393 in Cisco Secure Email Gateway actively exploited by UAT-9686 threat actors deploying AquaShell backdoor since November.

Marcus Chen

Cisco has disclosed a maximum-severity zero-day vulnerability affecting its Secure Email Gateway and Web Manager appliances that attackers have been exploiting in the wild since late November 2025. With no patch currently available, organizations relying on these security appliances face urgent decisions about risk mitigation.

TL;DR

  • What happened: China-linked threat actor UAT-9686 is actively exploiting CVE-2025-20393 to compromise Cisco email security appliances
  • Who's affected: Organizations using Cisco Secure Email Gateway or Secure Email and Web Manager with Spam Quarantine enabled and internet-exposed
  • Severity: Critical (CVSS 10.0) - Maximum severity rating
  • Action required: Immediately restrict internet access to affected appliances and monitor for indicators of compromise

What is CVE-2025-20393?

CVE-2025-20393 is a critical vulnerability in Cisco AsyncOS Software, the operating system that powers Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager (SEWM) appliances. The flaw stems from improper input validation: an unauthenticated, remote attacker who can reach the vulnerable interface can send crafted input and execute arbitrary commands as root on the underlying operating system.

The vulnerability carries the maximum CVSS score of 10.0, reflecting unauthenticated remote code execution with complete system compromise. Both physical and virtual appliance deployments are affected, across all AsyncOS releases.

Active Exploitation by Chinese APT

Cisco confirmed that threat actors have been actively exploiting this vulnerability since at least late November 2025, though the campaign was only detected on December 10. The attacks have been attributed to a China-nexus advanced persistent threat group tracked as UAT-9686.

Once attackers gain access to vulnerable appliances, they deploy a sophisticated toolkit including:

  • AquaShell: A persistent Python-based backdoor providing long-term access
  • AquaTunnel: A reverse SSH tunnel enabling covert command-and-control communications
  • Chisel: An additional tunneling tool for network pivoting
  • AquaPurge: A log-clearing utility designed to erase forensic evidence

This combination of tools suggests well-resourced operators with a focus on maintaining persistent access while evading detection.

Who is Vulnerable?

The vulnerability specifically affects Cisco SEG and SEWM appliances where the Spam Quarantine feature is enabled and exposed to the internet. Importantly, Spam Quarantine is not enabled by default, and Cisco deployment guides explicitly recommend against exposing it directly to the internet.

Organizations that followed Cisco's hardening recommendations may have reduced exposure. However, the severity of the flaw means any potentially affected deployment warrants immediate investigation.

Why This Matters

Email security gateways occupy a privileged position in enterprise networks, inspecting all inbound and outbound email traffic. Compromising these systems provides attackers with visibility into organizational communications and a potential launching point for deeper network intrusion.

The involvement of a China-linked APT group suggests espionage motivations rather than financially-driven cybercrime. Organizations in sectors of interest to Chinese intelligence—including technology, defense, government, and critical infrastructure—should treat this threat with particular urgency.

CISA Adds to KEV Catalog

Following confirmation of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must apply mitigations by December 24, 2025.

While this deadline applies specifically to federal agencies, private sector organizations should treat CISA's KEV additions as strong indicators that immediate action is warranted.

Recommended Mitigations

With no patch available, organizations must implement compensating controls to reduce risk.

  1. Restrict internet access to Spam Quarantine interfaces immediately
  2. Implement network segmentation between email security appliances and internal networks
  3. Place appliances behind firewalls configured to filter traffic to only trusted sources
  4. Separate mail-handling and management functions to limit blast radius of compromise
  5. Monitor web logs for unusual activity patterns indicating exploitation attempts
  6. Retain logs for forensic investigation if compromise is suspected
  7. If compromise indicators are found, rebuild the appliance from a known-good image; this is currently the only way to eliminate attacker persistence. Capture the logs and, where possible, a forensic image before rebuilding so the investigation is not destroyed along with the implant.
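As an added example (not Cisco's code or guidance, and not part of the original article), the script below audits a first-match firewall policy for the exposure that steps 1, 3 and 4 are meant to remove: it computes which source networks can still reach the Spam Quarantine and management ports of each appliance after subtracting earlier deny rules and the trusted internal ranges. The port numbers (82/83 for Spam Quarantine, 22/443 for management), the rule format and every address are assumptions constructed for the example; substitute an export of your own policy.

```python
"""Audit a first-match firewall policy for internet exposure of Cisco SEG/SEWM
service ports.

Added illustration, not Cisco code. Assumptions (all constructed for this example):
- Spam Quarantine end-user interface on TCP 82 (HTTP) and 83 (HTTPS);
- management on TCP 22 (SSH) and 443 (web UI);
- the policy is an ordered list of allow/deny rules evaluated first-match, with an
  implicit deny at the end;
- addresses come from the RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str                         # source CIDR
    dst: str                         # destination CIDR
    ports: frozenset = frozenset()   # TCP ports matched; empty means any port


QUARANTINE_PORTS = frozenset({82, 83})   # assumption: default Spam Quarantine ports
MGMT_PORTS = frozenset({22, 443})        # assumption: SSH and web management


def _subtract(pieces, cut):
    """Remove network `cut` from every network in `pieces`."""
    out = []
    for p in pieces:
        if p.version != cut.version or not p.overlaps(cut):
            out.append(p)                       # disjoint: keep as is
        elif p.subnet_of(cut):
            continue                            # wholly covered: drop it
        else:
            out.extend(p.address_exclude(cut))  # partially covered: split around it
    return out


def exposed_sources(rules, appliance, port, trusted):
    """Source networks that can reach TCP `port` on `appliance` under first-match
    evaluation, with trusted CIDRs removed. An empty list means not exposed."""
    dst = ipaddress.ip_address(appliance)
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    denies_so_far = []
    exposed = []
    for r in rules:
        if dst not in ipaddress.ip_network(r.dst):
            continue
        if r.ports and port not in r.ports:
            continue
        src = ipaddress.ip_network(r.src)
        if r.action == "deny":
            denies_so_far.append(src)       # shadows any later allow for this traffic
            continue
        pieces = [src]
        for cut in denies_so_far + trusted_nets:
            pieces = _subtract(pieces, cut)
        exposed.extend(pieces)
    return list(ipaddress.collapse_addresses(exposed))


def reachable_from(rules, appliance, port, trusted, source_ip):
    """True if `source_ip` falls inside an exposed source network."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in exposed_sources(rules, appliance, port, trusted))


def audit(rules, appliances, trusted):
    """One finding per appliance port reachable from outside trusted address space."""
    findings = []
    for name, ip in appliances.items():
        for label, ports in (("spam-quarantine", QUARANTINE_PORTS), ("management", MGMT_PORTS)):
            for port in sorted(ports):
                nets = exposed_sources(rules, ip, port, trusted)
                if nets:
                    findings.append((name, label, port, [str(n) for n in nets]))
    return findings


# Constructed sample policy: SMTP must be open to the world, but one rule also opens
# the Spam Quarantine ports to everyone, which is the precondition this advisory turns on.
TRUSTED = ["10.0.0.0/8", "192.168.0.0/16"]
APPLIANCES = {"seg-1": "203.0.113.10", "sewm-1": "203.0.113.11"}
RULES = [
    Rule("deny", "198.51.100.0/24", "203.0.113.0/24"),                            # blocklisted range
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", frozenset({25})),               # inbound mail
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", frozenset({82, 83})),           # the mistake
    Rule("allow", "10.0.0.0/8", "203.0.113.0/24", frozenset({22, 443, 82, 83})),  # internal admins
]

if __name__ == "__main__":
    for name, label, port, nets in audit(RULES, APPLIANCES, TRUSTED):
        print(f"{name}: {label} tcp/{port} reachable from {', '.join(nets)}")
```

This checks the policy as written, not what is actually deployed, so confirm the result from an external vantage point as well. A non-empty result for the quarantine ports is exactly the "enabled and exposed to the internet" condition the advisory describes.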

Indicators of Compromise

Organizations should monitor for the following signs of potential compromise:

  • Unexpected Python processes running on appliances
  • Unusual SSH connections to or from email security systems
  • Log gaps or evidence of log manipulation
  • Network connections to unfamiliar external hosts
  • New or modified scheduled tasks and services
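The indicators above are things you look for in data you already hold: firewall or NetFlow records for the appliance addresses and the appliance's own log stream. The following added example (not Cisco or Talos detection content) runs that triage over a few constructed records: it flags SSH to or from an appliance where the far end is outside trusted address space (the reverse-SSH pattern described for AquaTunnel), outbound connections to destinations that are neither trusted, allow-listed, nor on the SMTP port a mail gateway legitimately uses, and gaps in the appliance's log timeline that could indicate log clearing. The flow-record format, addresses, allowlist and gap threshold are all assumptions made for the example.

```python
"""Triage constructed flow records and appliance log timestamps for the indicators
above. Added example, not Cisco or Talos detection content: the record format,
addresses, allowlist and thresholds are all assumptions made for illustration."""
import ipaddress
from datetime import datetime, timedelta

APPLIANCES = {"203.0.113.10", "203.0.113.11"}                 # constructed appliance IPs
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
KNOWN_DESTINATIONS = {"192.0.2.20"}   # hypothetical allowlist (e.g. update/feed hosts)
EXPECTED_PORTS = {25}                 # outbound SMTP is what a mail gateway does all day
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed flow records in a simple key=value format; real exports will differ.
FLOWS = """\
2025-12-11T09:00:01Z src=203.0.113.10 dst=198.51.100.9 dport=25 proto=tcp
2025-12-11T23:41:17Z src=203.0.113.10 dst=192.0.2.55 dport=22 proto=tcp
2025-12-11T23:41:19Z src=203.0.113.10 dst=192.0.2.55 dport=443 proto=tcp
2025-12-12T01:02:03Z src=203.0.113.11 dst=10.20.30.40 dport=22 proto=tcp
2025-12-12T01:05:00Z src=192.0.2.77 dst=203.0.113.10 dport=22 proto=tcp
2025-12-12T02:00:00Z src=203.0.113.11 dst=192.0.2.20 dport=443 proto=tcp
""".splitlines()

# Constructed timestamps of consecutive lines in the appliance's own log stream.
SYSLOG_TIMES = ["2025-12-11T23:00:00Z", "2025-12-11T23:30:00Z", "2025-12-11T23:40:00Z",
                "2025-12-12T03:10:00Z", "2025-12-12T03:12:00Z"]


def parse_flow(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, TS_FORMAT)
    rec["dport"] = int(rec["dport"])
    return rec


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)


def suspicious_ssh(flows):
    """SSH involving an appliance where the far end is outside trusted space.
    Outbound matches a reverse SSH tunnel; inbound is interactive access."""
    hits = []
    for f in map(parse_flow, flows):
        if f["proto"] != "tcp" or f["dport"] != 22:
            continue
        if f["src"] in APPLIANCES and not is_trusted(f["dst"]):
            hits.append(("outbound-ssh", f["src"], f["dst"], f["ts"].strftime(TS_FORMAT)))
        elif f["dst"] in APPLIANCES and not is_trusted(f["src"]):
            hits.append(("inbound-ssh", f["src"], f["dst"], f["ts"].strftime(TS_FORMAT)))
    return hits


def unfamiliar_destinations(flows):
    """Outbound connections from an appliance to hosts that are neither trusted,
    allow-listed, nor reached on a port the gateway legitimately uses."""
    hits = set()
    for f in map(parse_flow, flows):
        if f["src"] not in APPLIANCES or f["dport"] in EXPECTED_PORTS:
            continue
        if is_trusted(f["dst"]) or f["dst"] in KNOWN_DESTINATIONS:
            continue
        hits.add((f["src"], f["dst"], f["dport"]))
    return sorted(hits)


def log_gaps(timestamps, max_gap=timedelta(hours=1)):
    """(start, end, seconds) for each pair of consecutive log lines further apart
    than max_gap: a candidate sign of cleared logs, to be confirmed elsewhere."""
    times = sorted(datetime.strptime(t, TS_FORMAT) for t in timestamps)
    return [(a.strftime(TS_FORMAT), b.strftime(TS_FORMAT), int((b - a).total_seconds()))
            for a, b in zip(times, times[1:]) if b - a > max_gap]


def triage(flows=FLOWS, syslog_times=SYSLOG_TIMES):
    return {
        "ssh": suspicious_ssh(flows),
        "unfamiliar": unfamiliar_destinations(flows),
        "log_gaps": log_gaps(syslog_times),
    }


if __name__ == "__main__":
    for kind, items in triage().items():
        for item in items:
            print(kind, item)
```

A log gap is a weak signal on its own (a quiet appliance overnight produces one too), so treat it as a prompt to compare the appliance's local logs against the copy on your central syslog collector rather than as proof of tampering. Outbound SSH or HTTPS from an email gateway to an address you do not recognise is the stronger lead and should be pulled on first.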

Frequently Asked Questions

Is my organization affected by CVE-2025-20393? Your organization may be affected if you use Cisco Secure Email Gateway or Secure Email and Web Manager appliances with the Spam Quarantine feature enabled and accessible from the internet. Check your appliance configuration immediately.

What should I do first? Immediately restrict internet access to the Spam Quarantine interface on affected appliances. This is the single most important step to prevent exploitation while awaiting a patch.

When will Cisco release a patch? Cisco has not announced a patch release timeline. Organizations should implement mitigations immediately rather than waiting for a software update.


Cisco's security advisory and CISA's KEV catalog entry provide additional technical details for security teams investigating potential exposure.
