Cisco has released a security patch for a maximum-severity zero-day vulnerability in AsyncOS that attackers have exploited since November 2025. The flaw impacts Cisco Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances configured with the Spam Quarantine feature exposed to the internet.
The vulnerability, tracked as CVE-2025-20393, allows attackers to send crafted HTTP requests that bypass input validation and execute arbitrary commands with root privileges on affected devices. Once attackers gain access, they can take full control of the underlying operating system and maintain persistence inside the network.
Chinese Threat Group Linked to the Attacks
Cisco Talos attributes the campaign to a China-linked threat actor it tracks as UAT-9686. Investigators observed the attackers deploying multiple tools to maintain access and hide activity, including the AquaShell persistent backdoor, AquaTunnel and Chisel reverse-SSH tunneling tools, and the AquaPurge log-clearing utility. Talos says the tooling overlaps with infrastructure previously tied to other Chinese state-aligned groups such as APT41 and UNC5174.
Talos also confirmed that attackers targeted only a limited subset of appliances where administrators enabled Spam Quarantine and allowed direct internet access. Cisco does not enable this feature by default, but some organizations expose it so remote users can review quarantined emails.
CISA Flagged the Flaw as Actively Exploited
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog in December. CISA ordered federal agencies to secure affected systems under Binding Operational Directive 22-01 and urged organizations to assess exposure, hunt for signs of compromise, and apply vendor mitigations without delay.
Cisco confirmed that no viable workaround fully mitigates the risk when the vulnerable feature remains reachable from the internet. Simply blocking public ports does not eliminate exposure in all scenarios, which increases the urgency of applying the official fix.
Which Versions Need the Update
Cisco advises customers to upgrade immediately to patched AsyncOS releases:
- Email Security Gateway appliances
- AsyncOS 15.0.5-016 or later
- AsyncOS 15.5.4-012 or later
- AsyncOS 16.0.4-016 or later
- Secure Email and Web Manager appliances
- AsyncOS 15.0.2-007 or later
- AsyncOS 15.5.4-007 or later
- AsyncOS 16.0.4-010 or later
After installation, devices automatically reboot. Cisco says the update removes known persistence mechanisms deployed during the attack campaign and closes the underlying vulnerability.
What Organizations Should Do Now
Cisco urges administrators to:
- Apply the latest AsyncOS patches immediately.
- Review system logs and appliance behavior for signs of compromise.
- Restrict unnecessary internet exposure of management and quarantine services.
- Harden device configurations according to Cisco security guidance.
Organizations that suspect compromise should rebuild affected appliances and rotate credentials to prevent lateral movement.
This patch closes a dangerous window that allowed full appliance takeover for weeks. Administrators who rely on Cisco email security infrastructure should treat this update as a priority to reduce ongoing risk and prevent further exploitation.
