
Cisco has finally patched a maximum-severity Cisco AsyncOS zero-day exploited in attacks against Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances since November 2025.
As Cisco explained when it disclosed the vulnerability (CVE-2025-20393) in December, it affects only Cisco SEG and Cisco SEWM appliances in a non-default configuration: the Spam Quarantine feature is enabled and its interface is reachable from the Internet.
“Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contain an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance,” Cisco said.
Detailed instructions for upgrading vulnerable appliances to a fixed software version are available in Cisco’s security advisory for CVE-2025-20393.
Cisco Talos, the company’s threat intelligence research team, believes that a Chinese hacking group tracked as UAT-9686 is likely behind attacks abusing the flaw to execute arbitrary commands with root privileges.
While investigating the attacks, Cisco Talos observed the threat actors deploying AquaShell persistent backdoors, AquaTunnel and Chisel reverse-SSH tunnel malware implants, and the AquaPurge log-clearing tool to wipe traces of their malicious activity.
AquaTunnel and other malicious tools deployed in this campaign have also been linked in the past to other Chinese state-backed threat groups, such as APT41 and UNC5174.
“We assess with moderate confidence that the adversary, who we are tracking as UAT-9686, is a Chinese-nexus advanced persistent threat (APT) actor whose tool use and infrastructure are consistent with other Chinese threat groups,” Cisco Talos said.
“As part of this activity, UAT-9686 deploys a custom persistence mechanism we track as AquaShell accompanied by additional tooling meant for reverse tunneling and purging logs.”
CISA also added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog on December 17, ordering federal agencies to secure their systems using Cisco’s guidance within a week, by December 24, as mandated by Binding Operational Directive (BOD) 22-01.
“Please adhere to Cisco’s guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Cisco products affected by this vulnerability. Apply any final mitigations provided by the vendor as soon as they become available,” CISA said.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”
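As an added example (not code from Cisco, Cisco Talos, CISA or this article): a small triage script that applies the exposure condition described above, the Spam Quarantine feature enabled and its listener reachable from the Internet, to an appliance inventory, which is the first step of the exposure assessment CISA asks for. The inventory record format, the `Appliance` class, the interface names and all addresses are assumptions for illustration, not an AsyncOS configuration export. RFC 5737 and RFC 3849 documentation addresses stand in for public ones, so the check uses an explicit list of internal ranges rather than `ipaddress`'s `is_global`, which would classify those documentation ranges as non-global.

```python
"""Flag SEG/SEWM appliances that match the CVE-2025-20393 exposure condition:
Spam Quarantine enabled AND its listener reachable from the Internet.

The inventory record format below is constructed for this example; it is not
an AsyncOS configuration export.
"""
import ipaddress
from dataclasses import dataclass

# Address space treated as internal. Anything outside these ranges is assumed
# reachable from the Internet. Deliberately not ipaddress.is_global, which also
# rejects the RFC 5737 / RFC 3849 documentation addresses used as stand-ins
# for public IPs in the sample inventory.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # CGNAT shared space
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]


@dataclass
class Appliance:
    """Constructed inventory record (assumed shape, not an AsyncOS export)."""
    name: str
    interfaces: dict            # interface name -> IP address string
    quarantine_enabled: bool    # is the Spam Quarantine feature turned on?
    quarantine_listen: str      # interface the quarantine UI listens on, or "all"


def is_internet_reachable(addr: str) -> bool:
    """True if addr lies outside every internal range (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    # "ip in net" is False when the address family differs, so mixing v4/v6 is safe.
    return not any(ip in net for net in INTERNAL_RANGES)


def exposed_quarantine(app: Appliance) -> bool:
    """Apply the two-part condition: feature enabled AND listener on a public address.

    Caveat: a listener bound to a private address that is published through a
    NAT or load balancer is still exposed; record the published address on the
    interface so it is counted here.
    """
    if not app.quarantine_enabled:
        return False
    if app.quarantine_listen == "all":
        addrs = list(app.interfaces.values())
    else:
        if app.quarantine_listen not in app.interfaces:
            raise ValueError(f"{app.name}: unknown interface {app.quarantine_listen!r}")
        addrs = [app.interfaces[app.quarantine_listen]]
    return any(is_internet_reachable(a) for a in addrs)


def triage(inventory) -> list:
    """Names of appliances to patch and check for compromise first, in inventory order."""
    return [app.name for app in inventory if exposed_quarantine(app)]


# Constructed sample inventory (documentation addresses, not real hosts).
INVENTORY = [
    Appliance("seg-dmz-01", {"Management": "10.20.0.5", "Data1": "203.0.113.10"}, True, "Data1"),
    Appliance("seg-int-02", {"Management": "10.20.0.6"}, True, "Management"),
    Appliance("sewm-01", {"Management": "10.20.0.7", "Data1": "203.0.113.12"}, True, "all"),
    Appliance("seg-lab-03", {"Data1": "203.0.113.14"}, False, "Data1"),
    Appliance("sewm-v6-02", {"Data1": "2001:db8::10"}, True, "Data1"),
]

if __name__ == "__main__":
    for app in INVENTORY:
        status = "EXPOSED" if exposed_quarantine(app) else "not exposed"
        print(f"{app.name:12s} {status}")
    print("priority:", ", ".join(triage(INVENTORY)))
```

Appliances flagged by `triage` are the ones that match Cisco's stated exploitation precondition and should be upgraded and examined for the persistence and tunneling tooling Talos describes first; the ones not flagged still need the fixed release, just with less urgency.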

