Cisco has confirmed active exploitation of a critical zero-day remote code execution vulnerability in its Secure Email Gateway and Secure Email and Web Manager appliances.
Tracked as CVE-2025-20393, the flaw allows unauthenticated attackers to execute arbitrary root-level commands via crafted HTTP requests to the Spam Quarantine feature.
The vulnerability stems from insufficient validation of HTTP requests in the Spam Quarantine feature of Cisco AsyncOS Software, enabling remote command execution with root privileges on affected appliances.
Classified under CWE-20 (Improper Input Validation), it scores a maximum CVSSv3.1 base of 10.0, highlighting its network accessibility, low complexity, and full impact on confidentiality, integrity, and availability.
Exploitation targets appliances where Spam Quarantine is enabled and exposed to the internet, typically on port 6025, a configuration not enabled by default and discouraged in deployment guides.
| CVE ID | CVSS Score | Vector String | CWE ID | Bug IDs |
|---|---|---|---|---|
| CVE-2025-20393 | 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | CWE-20 | CSCws36549, CSCws52505 |
Cisco became aware of the attacks on December 10, 2025, with evidence of exploitation dating back to November 2025.
Exploitation Campaign and Threat Actor
Cisco Talos attributes the campaign to UAT-9686 (also UNC-9686), a China-nexus advanced persistent threat actor, with moderate confidence based on tooling overlaps with groups like APT41 and UNC5174.
Attackers deploy a Python-based backdoor called AquaShell for persistent remote access, alongside reverse SSH tunneling tools like AquaTunnel and Chisel for internal pivoting, and AquaPurge for log wiping to evade detection. Targets include telecommunications and critical infrastructure sectors, with post-exploitation focusing on espionage rather than ransomware.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog on December 17, 2025, mandating federal agencies to mitigate by December 24, 2025. No public proof-of-concept exploits exist as of January 2026, but automated scanning has increased.
Indicators of compromise include the implanted persistence mechanism, which provides a covert channel for remote access; Cisco recommends having appliances checked for compromise through Technical Assistance Center (TAC) support with remote access enabled.
Mitigation and Fixed Releases
Cisco released patches addressing the vulnerability and removing known persistence mechanisms; no workarounds exist. Administrators should upgrade immediately and confirm Spam Quarantine status via the web interface under Network > IP Interfaces.
Cisco Secure Email Gateway Fixed Releases
| Vulnerable Release | First Fixed Release |
|---|---|
| 14.2 and earlier | 15.0.5-016 |
| 15.0 | 15.0.5-016 |
| 15.5 | 15.5.4-012 |
| 16.0 | 16.0.4-016 |
Cisco Secure Email and Web Manager Fixed Releases
| Vulnerable Release | First Fixed Release |
|---|---|
| 15.0 and earlier | 15.0.2-007 |
| 15.5 | 15.5.4-007 |
| 16.0 | 16.0.4-010 |
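The two tables above are the data an administrator needs to decide whether an appliance is still on a vulnerable release. The following is an added example, not Cisco's code, that encodes those tables and compares an AsyncOS version string against the first fixed release for its train. It assumes the version strings follow the `major.minor.patch-build` form shown in the tables, and it treats the "and earlier" rows as covering every train older than the oldest one listed; trains not in the tables (for example anything newer than 16.0) are reported as not covered rather than guessed at.

```python
"""
Added example (not Cisco's code): check an AsyncOS version string against
the first-fixed releases for CVE-2025-20393 from the advisory tables.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]

# First fixed releases per product and release train, transcribed from the
# page's tables. Each row is ((major, minor) train, first fixed release).
# The first row of each product also stands in for the "... and earlier" row.
FIXED_RELEASES = {
    "Secure Email Gateway": [
        ((15, 0), "15.0.5-016"),   # 15.0, and 14.2 and earlier
        ((15, 5), "15.5.4-012"),
        ((16, 0), "16.0.4-016"),
    ],
    "Secure Email and Web Manager": [
        ((15, 0), "15.0.2-007"),   # 15.0 and earlier
        ((15, 5), "15.5.4-007"),
        ((16, 0), "16.0.4-010"),
    ],
}

# Assumption: versions look like 15.0.5-016 (major.minor.patch-build).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> Version:
    """Turn '15.0.5-016' into (15, 0, 5, 16) so tuples compare numerically."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version string: {version!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch, build)


def first_fixed_release(product: str, version: str) -> Optional[str]:
    """Return the first fixed release for this version's train, or None if
    the train is not covered by the advisory tables."""
    major, minor, _, _ = parse_version(version)
    table = FIXED_RELEASES[product]
    # Anything at or below the oldest listed train falls under "and earlier".
    if (major, minor) <= table[0][0]:
        return table[0][1]
    for train, fixed in table:
        if (major, minor) == train:
            return fixed
    return None


def is_vulnerable(product: str, version: str) -> Optional[bool]:
    """True if the release predates the first fixed release for its train,
    False if it is at or past the fix, None if the train is not in the tables."""
    fixed = first_fixed_release(product, version)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Classify an (hostname, product, version) inventory into
    'upgrade' / 'fixed' / 'not covered' for a patch worklist."""
    labels = {True: "upgrade", False: "fixed", None: "not covered"}
    return [(host, labels[is_vulnerable(prod, ver)]) for host, prod, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        ("esa-01", "Secure Email Gateway", "14.2.0-010"),
        ("esa-02", "Secure Email Gateway", "15.5.3-020"),
        ("esa-03", "Secure Email Gateway", "16.0.4-016"),
        ("sma-01", "Secure Email and Web Manager", "15.0.1-100"),
        ("sma-02", "Secure Email and Web Manager", "16.1.0-001"),
    ]
    for host, verdict in triage(sample):
        print(f"{host}: {verdict}")
```

Version strings taken from the appliance should be fed in exactly as reported; an unexpected format raises rather than silently comparing wrong numbers, since a false "fixed" verdict is the outcome to avoid here.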
Additional hardening includes firewalling, separating mail/management interfaces, disabling unnecessary services such as HTTP/FTP, and using strong authentication protocols such as SAML or LDAP.
Cisco Secure Email Cloud services remain unaffected. Organizations should monitor logs externally and contact TAC for compromise assessment.