Cisco warns of active exploitation of AsyncOS zero-day by China-nexus APT

Cisco has warned that a maximum-severity zero-day in its AsyncOS software is being actively exploited by a China-nexus advanced persistent threat actor tracked as UAT-9686, targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. Cisco said the flaw, tracked as CVE-2025-20393, can allow execution of arbitrary commands with root privileges and carries a CVSS score of 10.0.

All releases of AsyncOS are affected, but Cisco said successful exploitation requires that the appliance have the Spam Quarantine feature enabled and that the Spam Quarantine interface be reachable from the internet. The Spam Quarantine option is not enabled by default, and its status can be checked through the device's web management interface.

Cisco said it became aware of the intrusion campaign on Dec. 10, 2025, and that the activity dates back to at least late November 2025; it identified a limited subset of appliances with certain ports open to the internet and said the investigation found evidence of a persistence mechanism. The company published details of the exploitation activity it observed, but it is not known how many customers are affected.

Observed post-exploitation activity includes deployment of tunneling tools and utilities such as ReverseSSH (AquaTunnel), Chisel, and a log-cleaning tool named AquaPurge, plus a lightweight Python backdoor called AquaShell. Cisco said the backdoor listens for unauthenticated HTTP POST requests containing encoded commands that it decodes and executes.

While a patch is pending, Cisco recommended steps to secure appliances, including restoring devices to a secure configuration, limiting internet access, placing devices behind a firewall to allow traffic only from trusted hosts, separating mail and management functionality onto distinct interfaces, monitoring web logs for unexpected traffic, disabling HTTP on the administrator portal and turning off unneeded services. The company also recommended using strong authentication and provided guidance on end-user authentication methods, and said rebuilding compromised appliances is currently the only reliable way to remove the adversary’s persistence.
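As an added illustration, not code from Cisco or from the article, the following Python triage pass applies two of the points above to constructed web-log lines: it flags POST requests arriving from outside an assumed set of trusted hosts, and request paths that look like encoded payloads. The log format, the trusted address range and the base64 encoding are assumptions; the article names neither the appliance's log layout nor the encoding the backdoor uses.

```python
import base64
import binascii
import re
from ipaddress import ip_address, ip_network

# Assumed trusted hosts (stand-in for the "trusted hosts" the guidance limits traffic to).
TRUSTED_NETS = [ip_network("10.0.5.0/24")]

# Common-log-format parser. The article gives no AsyncOS log layout, so this
# format is an assumption made for the constructed sample below.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

def looks_base64(path: str, min_len: int = 16) -> bool:
    # The backdoor's encoding is not named in the article; base64 is assumed here.
    # Only a single path segment is considered, so ordinary "/a/b" paths are skipped.
    token = path.lstrip("/")
    if len(token) < min_len or len(token) % 4 or "/" in token:
        return False
    if not re.fullmatch(r"[A-Za-z0-9+]+={0,2}", token):
        return False
    try:
        base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True

def triage_web_log(log_text: str, trusted_nets) -> list:
    # Returns (line_no, client_ip, reasons) for POSTs from outside the trusted
    # hosts and for request paths that look like encoded payloads.
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["method"] == "POST" and not any(ip_address(m["ip"]) in n for n in trusted_nets):
            reasons.append("POST from untrusted source")
        if looks_base64(m["path"]):
            reasons.append("base64-like request path")
        if reasons:
            findings.append((line_no, m["ip"], reasons))
    return findings

# Constructed sample log; the last line carries a base64 blob of harmless text.
ENCODED = base64.b64encode(b"constructed sample payload").decode()
SAMPLE_LOG = "\n".join([
    '10.0.5.7 - - [11/Dec/2025:09:14:02 +0000] "GET /login HTTP/1.1" 200 1523',
    '203.0.113.45 - - [11/Dec/2025:09:14:31 +0000] "POST /quarantine/status HTTP/1.1" 200 87',
    '10.0.5.7 - - [11/Dec/2025:09:15:10 +0000] "POST /quarantine/release HTTP/1.1" 302 0',
    f'198.51.100.9 - - [11/Dec/2025:09:16:44 +0000] "POST /{ENCODED} HTTP/1.1" 200 412',
])
```

Running `triage_web_log(SAMPLE_LOG, TRUSTED_NETS)` flags the second and fourth lines; the in-range POST to the quarantine release path on line three is left alone.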

The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog and requires federal civilian agencies to apply mitigations by Dec. 24, 2025; the entry was posted as a new addition to the KEV catalog. Separately, the threat intelligence firm said it observed a coordinated credential-based campaign probing exposed enterprise VPN portals, with spikes in automated login attempts against GlobalProtect and Cisco SSL VPN endpoints.