Cisco Issues Warning About Actively Exploited Zero-Day Flaw in AsyncOS Email Security
Cisco warns of a zero-day vulnerability in AsyncOS, actively exploited by a China-linked APT. Update impacted systems and implement mitigations immediately.
Cisco has issued an alert regarding a critical zero-day vulnerability present in its AsyncOS software. The flaw, actively exploited, impacts Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. A China-nexus advanced persistent threat (APT) actor, tracked as UAT-9686, is believed to be behind the attacks.
The networking giant first detected the intrusion campaign on December 10, 2025. Their investigation has pinpointed a limited number of appliances exposed to the internet via specific open ports as targets. The exact number of affected customers remains unknown.
According to Cisco's advisory, successful exploitation of this vulnerability allows attackers to execute arbitrary commands with root privileges on the appliance's operating system. The investigation also uncovered evidence of a persistence mechanism installed by the attackers, allowing them to maintain control over compromised systems.
The unpatched vulnerability, identified as CVE-2025-20393, has a maximum severity CVSS score of 10.0. The root cause is improper input validation, which enables threat actors to run malicious code with elevated privileges.
All versions of Cisco AsyncOS Software are affected, but the exposure is narrower than that statement suggests. Successful exploitation requires two conditions to be met on physical and virtual appliances of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager:
- The Spam Quarantine feature must be enabled.
- The Spam Quarantine feature must be accessible from the internet.
Note that the Spam Quarantine feature is disabled by default. Administrators can check whether it is enabled by:
- Connecting to the web management interface.
- Navigating to Network > IP Interfaces > [Select the Interface on which Spam Quarantine is configured] (for Secure Email Gateway) or Management Appliance > Network > IP Interfaces > [Select the interface on which Spam Quarantine is configured] (for Secure Email and Web Manager).
- Checking if the Spam Quarantine option is enabled.
Cisco's investigation revealed exploitation activity dating back to at least late November 2025. UAT-9686 has been observed using the vulnerability to deploy tunneling tools such as ReverseSSH (AquaTunnel) and Chisel, along with a log cleaning utility named AquaPurge. Prior use of AquaTunnel has been linked to Chinese hacking groups including APT41 and UNC5174.
The attacks also involve a lightweight Python backdoor called AquaShell. This backdoor passively listens for unauthenticated HTTP POST requests containing specially crafted data. Upon receiving such a request, AquaShell attempts to decode and execute the contents within the system shell.
Until a patch is available, Cisco recommends restoring appliances to a secure configuration. This includes limiting internet access, securing devices behind a firewall to restrict traffic to trusted hosts, separating mail and management functions onto different network interfaces, and monitoring web logs for unusual activity. Disabling HTTP for the main administrator portal is also advised.
Additional recommendations include disabling unnecessary network services, employing strong end-user authentication methods like SAML or LDAP, and changing the default administrator password to a more secure one.
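Two of the signals above are checkable from web access logs: whether the Spam Quarantine listener is reachable from untrusted addresses at all (the exposure condition), and whether it is receiving unauthenticated POST requests from outside, which is the traffic shape AquaShell waits for. The script below is an added example, not Cisco's tooling and not the appliance's real log format. The line layout, the quarantine port (82), the trusted network ranges and the sample log lines are all constructed for the example; the regex has to be mapped onto the actual AsyncOS web log before it is run against production data.

```python
"""Spot Spam Quarantine exposure and unauthenticated POSTs in web access logs.

Added example, not Cisco's tooling or the appliance's own log format. The
line format, the quarantine port (82) and the trusted networks are all
assumptions for the example; adapt the regex to the appliance's real web
log before running it against production data."""
import ipaddress
import re
from collections import Counter

QUARANTINE_PORT = 82  # assumed: port the Spam Quarantine web listener is bound to
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed log shape: client ip, '-', authenticated user or '-', [timestamp],
# "METHOD path HTTP/x", status, bytes, port=<listener port>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ port=(?P<port>\d+)$'
)

# Constructed sample: two external hosts POST to the quarantine listener without
# ever authenticating; alice's POST is authenticated and comes from inside.
SAMPLE_LOG = """\
10.1.2.3 - alice [10/Dec/2025:09:00:01 +0000] "GET /search HTTP/1.1" 200 1432 port=82
203.0.113.7 - - [10/Dec/2025:09:00:07 +0000] "POST /message HTTP/1.1" 200 0 port=82
203.0.113.7 - - [10/Dec/2025:09:00:09 +0000] "POST /message HTTP/1.1" 200 0 port=82
198.51.100.9 - - [10/Dec/2025:09:01:00 +0000] "GET /login HTTP/1.1" 200 512 port=82
10.1.2.3 - alice [10/Dec/2025:09:02:00 +0000] "POST /release HTTP/1.1" 200 0 port=82
192.0.2.44 - - [10/Dec/2025:09:03:00 +0000] "POST /message HTTP/1.1" 200 0 port=82
192.0.2.44 - - [10/Dec/2025:09:03:01 +0000] "POST /admin HTTP/1.1" 403 0 port=443
"""


def is_trusted(ip: str) -> bool:
    """True when the client address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def parse_lines(log_text: str):
    """Yield parsed records for lines that match the constructed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def external_quarantine_clients(log_text: str) -> set:
    """Untrusted source IPs that reached the quarantine listener at all.
    Any hit here means the feature is reachable from outside, which is
    the exposure condition the advisory describes."""
    return {
        r["ip"] for r in parse_lines(log_text)
        if int(r["port"]) == QUARANTINE_PORT and not is_trusted(r["ip"])
    }


def unauthenticated_external_posts(log_text: str) -> list:
    """POSTs to the quarantine listener with no authenticated user, from an
    untrusted source: the traffic shape worth pulling for manual review."""
    return [
        (r["ip"], r["path"], r["ts"]) for r in parse_lines(log_text)
        if int(r["port"]) == QUARANTINE_PORT
        and r["method"] == "POST"
        and r["user"] == "-"
        and not is_trusted(r["ip"])
    ]


def posts_by_source(log_text: str) -> Counter:
    """Count the flagged POSTs per source address."""
    return Counter(ip for ip, _, _ in unauthenticated_external_posts(log_text))


if __name__ == "__main__":
    print("external clients on quarantine port:", sorted(external_quarantine_clients(SAMPLE_LOG)))
    for ip, path, ts in unauthenticated_external_posts(SAMPLE_LOG):
        print(f"REVIEW {ts} {ip} POST {path}")
```

A non-empty result from the first check is itself actionable: it confirms the listener is internet-reachable, which is the condition Cisco says must hold for exploitation, and the firewall and interface-separation steps above remove it. The second check is a triage filter, not proof of compromise; given Cisco's guidance that rebuilding is the only reliable way to remove the persistence mechanism, any confirmed hit should feed an incident process rather than a cleanup script.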
Cisco states that in cases of confirmed compromise, rebuilding the appliances is currently the only reliable method to eliminate the threat actor's persistence mechanism.
In response to this threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog. This requires Federal Civilian Executive Branch (FCEB) agencies to implement necessary mitigations by December 24, 2025, to protect their networks.
This disclosure arrives alongside reports from GreyNoise of a coordinated, automated credential-based campaign targeting enterprise VPN authentication infrastructure. This campaign specifically probes exposed or weakly protected Cisco SSL VPN and Palo Alto Networks GlobalProtect portals.
On December 11, 2025, over 10,000 unique IP addresses were estimated to be involved in automated login attempts against GlobalProtect portals in the U.S., Pakistan, and Mexico, utilizing common username and password combinations. A similar surge in brute-force login attempts has been observed against Cisco SSL VPN endpoints as of December 12, 2025, originating from 1,273 IP addresses.
GreyNoise clarified that this activity reflects large-scale scripted login attempts rather than vulnerability exploitation. The consistent infrastructure usage and timing suggest a single campaign targeting multiple VPN platforms.
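The distinguishing feature of the campaign GreyNoise describes is its distribution: thousands of source addresses, each making only a handful of attempts with common usernames. A per-IP lockout rule never fires on that pattern. The detector below is an added example, not GreyNoise's or any VPN vendor's tooling; it correlates failed logins across sources within a time window and alerts when many distinct IPs, each with few attempts, hammer a small set of usernames. The log line shape, the window size, the thresholds and the sample lines are all assumptions constructed for the example and need to be mapped onto the real authentication log of the portal in question.

```python
"""Detect a distributed, scripted credential campaign against a VPN portal.

Added example, not GreyNoise's or any vendor's tooling. The log line shape,
the window size and the thresholds are assumptions for the example; map the
regex onto the real authentication log of the portal in question."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log shape: ISO timestamp, source address, username, OK or FAIL
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$'
)
EPOCH = datetime(1970, 1, 1)

# Constructed sample: six external addresses each fail once or twice against
# admin/test/guest inside one window; two internal users mistype and then log in.
SAMPLE_LOG = """\
2025-12-11T03:00:01Z src=203.0.113.10 user=admin result=FAIL
2025-12-11T03:00:02Z src=203.0.113.11 user=admin result=FAIL
2025-12-11T03:00:02Z src=198.51.100.20 user=test result=FAIL
2025-12-11T03:00:04Z src=198.51.100.21 user=admin result=FAIL
2025-12-11T03:00:05Z src=192.0.2.30 user=test result=FAIL
2025-12-11T03:00:06Z src=192.0.2.31 user=guest result=FAIL
2025-12-11T03:00:07Z src=203.0.113.10 user=test result=FAIL
2025-12-11T03:00:09Z src=10.20.30.40 user=jsmith result=FAIL
2025-12-11T03:00:10Z src=10.20.30.40 user=jsmith result=OK
2025-12-11T03:30:00Z src=10.20.30.41 user=mlee result=FAIL
2025-12-11T03:30:05Z src=10.20.30.41 user=mlee result=OK
"""


def parse(log_text: str):
    """Yield records with the timestamp converted to a datetime."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec


def window_start(ts: datetime, window: timedelta) -> datetime:
    """Floor a timestamp to the start of its fixed-size window."""
    secs = int((ts - EPOCH).total_seconds())
    w = int(window.total_seconds())
    return EPOCH + timedelta(seconds=secs - secs % w)


def per_ip_lockout_fires(log_text: str, threshold: int = 5) -> bool:
    """Classic per-source rule: does any single IP reach `threshold` failures?
    Against a distributed campaign this stays quiet, which is the point."""
    fails = Counter(r["ip"] for r in parse(log_text) if r["res"] == "FAIL")
    return any(n >= threshold for n in fails.values())


def detect_distributed_campaign(log_text: str, window: timedelta = timedelta(minutes=10),
                                min_ips: int = 5, max_users: int = 5, max_per_ip: int = 3) -> list:
    """Per window: many distinct sources, each with few failures, against a
    small set of usernames. That is the shape of a scripted campaign spread
    across infrastructure, and it sits below per-IP lockout thresholds."""
    buckets = defaultdict(list)
    for r in parse(log_text):
        if r["res"] == "FAIL":
            buckets[window_start(r["ts"], window)].append(r)
    alerts = []
    for start in sorted(buckets):
        recs = buckets[start]
        by_ip = Counter(r["ip"] for r in recs)
        users = Counter(r["user"] for r in recs)
        if len(by_ip) >= min_ips and len(users) <= max_users and max(by_ip.values()) <= max_per_ip:
            alerts.append({
                "window_start": start,
                "distinct_ips": len(by_ip),
                "max_attempts_per_ip": max(by_ip.values()),
                "usernames": users,
            })
    return alerts


if __name__ == "__main__":
    print("per-IP lockout would fire:", per_ip_lockout_fires(SAMPLE_LOG))
    for a in detect_distributed_campaign(SAMPLE_LOG):
        print(f"ALERT window={a['window_start'].isoformat()} ips={a['distinct_ips']} "
              f"max/ip={a['max_attempts_per_ip']} users={dict(a['usernames'])}")
```

On the sample, the per-IP rule with a threshold of five never fires (no source exceeds two failures), while the window-level correlation raises one alert for the 03:00 window covering seven sources and a username set dominated by admin and test. Thresholds should be tuned against a baseline of the portal's normal failed-login volume; a legitimate user mistyping a password, like the two internal accounts in the sample, adds noise but does not by itself produce the many-sources, few-usernames shape.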