Cisco finally fixes AsyncOS zero-day exploited since November
January 16, 2026, 04:20 AM

Cisco has finally patched a maximum-severity Cisco AsyncOS zero-day exploited in attacks against Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances since November 2025.
As Cisco explained in December, when it disclosed the vulnerability (CVE-2025-20393), it affects only Cisco SEG and Cisco SEWM appliances with non-standard configurations in which the Spam Quarantine feature is enabled and exposed to the Internet.
“Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contain an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance,” Cisco said.
Detailed instructions for upgrading vulnerable appliances to a fixed software version are available in this security advisory.
Cisco Talos, the company’s threat intelligence research team, believes that a Chinese hacking group tracked as UAT-9686 is likely behind attacks abusing the flaw to execute arbitrary commands with root privileges.
While investigating the attacks, Cisco Talos observed the threat actors deploying AquaShell persistent backdoors, AquaTunnel and Chisel reverse-SSH tunnel malware implants, and the AquaPurge log-clearing tool to wipe traces of their malicious activity.
AquaTunnel and other malicious tools deployed in this campaign have also been linked in the past to other Chinese state-backed threat groups, such as APT41 and UNC5174.
“We assess with moderate confidence that the adversary, who we are tracking as UAT-9686, is a Chinese-nexus advanced persistent threat (APT) actor whose tool use and infrastructure are consistent with other Chinese threat groups,” Cisco Talos said.
“As part of this activity, UAT-9686 deploys a custom persistence mechanism we track as AquaShell accompanied by additional tooling meant for reverse tunneling and purging logs.”
CISA has also added CVE-2025-20393 to its catalog of known exploited vulnerabilities on December 17, ordering federal agencies to secure their systems using Cisco’s guidance within a week, by December 24, as mandated by Binding Operational Directive (BOD) 22-01.
“Please adhere to Cisco’s guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Cisco products affected by this vulnerability. Apply any final mitigations provided by the vendor as soon as they become available,” CISA said.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”
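For defenders tracking this, the practical task is to line up the CISA KEV record against an appliance inventory and work out which devices meet the exposure condition Cisco describes (Spam Quarantine enabled and reachable from the Internet) and are past the BOD 22-01 due date. The following script is an added example, not code from Cisco, CISA or this article. The KEV record is a constructed sample in the shape of CISA's feed (only the dates, December 17 and December 24, come from the article), the inventory is constructed, and the field names on the `Appliance` class are assumptions.

```python
"""Triage an appliance inventory against a CISA KEV entry (added example).

Parses a record in the shape of the CISA Known Exploited Vulnerabilities
JSON feed, matches it to inventory entries running the listed product,
and ranks each device by whether it meets the advisory's exposure
condition and whether the BOD 22-01 due date has passed.
"""
from dataclasses import dataclass
from datetime import date
import json

# Constructed sample in the KEV feed's shape. The real feed lives at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-20393",
            "vendorProject": "Cisco",
            "product": "AsyncOS",
            "dateAdded": "2025-12-17",   # date reported in the article
            "dueDate": "2025-12-24",     # BOD 22-01 deadline from the article
            "requiredAction": "Apply mitigations per vendor instructions.",
        }
    ]
})


@dataclass
class Appliance:
    """Inventory row; every field name here is an assumption for the example."""
    name: str
    software: str                     # e.g. "AsyncOS"
    spam_quarantine_enabled: bool     # feature on?
    quarantine_internet_exposed: bool  # feature reachable from the Internet?
    patched: bool                      # running a fixed release?


# Constructed inventory: one exposed unpatched SEG, one internal unpatched
# SEWM, one patched SEG, and one unrelated device that must be skipped.
SAMPLE_INVENTORY = [
    Appliance("seg-dmz-01", "AsyncOS", True, True, False),
    Appliance("sewm-internal", "AsyncOS", True, False, False),
    Appliance("seg-patched", "AsyncOS", True, True, True),
    Appliance("core-switch", "IOS-XE-like-placeholder", False, False, True),
]


def load_kev(raw: str) -> dict[str, dict]:
    """Index KEV entries by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def is_exposed(app: Appliance) -> bool:
    """Cisco's stated condition: Spam Quarantine enabled and Internet-facing."""
    return app.spam_quarantine_enabled and app.quarantine_internet_exposed


def triage(kev: dict, cve: str, inventory: list[Appliance], today: date) -> list[dict]:
    """Return one finding per matching appliance with a priority and overdue flag."""
    entry = kev[cve]
    due = date.fromisoformat(entry["dueDate"])
    findings = []
    for app in inventory:
        if app.software != entry["product"]:
            continue  # KEV entry does not apply to this device
        exposed = is_exposed(app)
        if app.patched:
            priority = "ok"
        elif exposed:
            priority = "critical"   # matches the exploited configuration
        else:
            priority = "high"       # unpatched but not in the exposed configuration
        overdue = (not app.patched) and today > due
        findings.append({
            "name": app.name,
            "cve": cve,
            "exposed": exposed,
            "patched": app.patched,
            "priority": priority,
            "overdue": overdue,
            "days_past_due": max(0, (today - due).days) if overdue else 0,
        })
    return findings


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for f in triage(kev, "CVE-2025-20393", SAMPLE_INVENTORY, date(2026, 1, 16)):
        print(f"{f['name']:15} {f['priority']:9} overdue={f['overdue']} "
              f"days_past_due={f['days_past_due']}")
```

Run with a copy of the real feed in place of `SAMPLE_KEV_JSON` and your own inventory export; the two configuration flags are the ones that decide whether a device sits in the configuration Cisco says was targeted, so they are worth populating accurately rather than defaulting to true.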
Source: www.bleepingcomputer.com

