Exploits

Cisco AsyncOS Zero‑Day Actively Exploited in Real‑World APT Attacks

Published  ·  4 min read

Cisco has confirmed active exploitation of a maximum severity zero day vulnerability affecting Cisco AsyncOS, the operating system behind Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances.

According to Cisco, the attacks are being carried out by a China linked advanced persistent threat (APT) group tracked as UAT 9686. The company became aware of the campaign on December 10, 2025, after detecting signs of compromise on a limited number of exposed appliances. Exactly how many organizations are affected remains unclear.

What makes this incident particularly serious is the level of access attackers gain.
“This attack allows threat actors to execute arbitrary commands with root privileges on the underlying operating system,” Cisco stated, adding that investigators also found evidence of persistent backdoors designed to survive reboots and maintain long term access.

What Is CVE 2025 20393?
The vulnerability, named CVE-2025-20393, has a CVSS score of 10.0, which is the highest CVSS score. It essentially deals with the improper input validation vulnerability, which results in the ability to execute commands with the root privilege.

Exploitation Conditions
For both physical and virtual appliances, the following must be true:
1. The Spam Quarantine feature is enabled
2. Spam Quarantine is exposed to the internet

The good news is that Spam Quarantine is not enabled by default. The bad news is that many organizations enable it for convenience and forget it’s publicly reachable.

Cisco advises administrators to verify their configuration by navigating to the network interface settings in the web management console and checking whether Spam Quarantine is enabled on any internet facing interface.

How the Attacks Work
Cisco’s investigation shows that exploitation has been happening since at least late November 2025.
Once attackers gain access, they deploy a familiar toolkit:
1. ReverseSSH (AquaTunnel) and Chisel for tunneling and remote access
2. AquaPurge, a log cleaning utility to erase forensic traces
3. A lightweight Python backdoor called AquaShell

AquaShell is particularly stealthy. It passively listens for unauthenticated HTTP POST requests containing specially crafted data. When triggered, it decodes the payload and executes commands directly in the system shell, no login required.
Cisco noted that AquaTunnel has previously been linked to Chinese threat groups such as APT41 and UNC5174, strengthening the attribution confidence.

No Patch Yet, What Should Organizations Do?
At the time of disclosure, no patch is available.
Cisco recommends immediate defensive actions:
1. Restrict internet access to affected appliances
2. Place devices behind a firewall allowing traffic only from trusted hosts
3. Separate mail and management services onto different network interfaces
4. Disable HTTP access to the main admin portal
5. Monitor web logs for unexpected or suspicious requests
6. Disable unnecessary network services
7. Enforce strong authentication (SAML or LDAP)
8. Change default administrator passwords

For organizations that confirm a compromise, Cisco is blunt:
Rebuilding the appliance is currently the only way to fully remove the attacker’s persistence.

Government Response and Broader Threat Activity
The severity of the issue prompted CISA to add CVE 2025 20393 to its Known Exploited Vulnerabilities (KEV) catalog. U.S. federal agencies are required to apply mitigations by December 24, 2025.

At the same time, threat intelligence firm GreyNoise reported a surge in automated credential stuffing attacks targeting enterprise VPN portals, including Cisco SSL VPN and Palo Alto Networks GlobalProtect.

More than 10,000 unique IP addresses were observed attempting logins against GlobalProtect portals across multiple countries in a single day. Cisco SSL VPN endpoints experienced similar spikes shortly afterward.

GreyNoise emphasized that these were credential based attacks, not vulnerability exploits, but the timing underscores a broader trend: attackers are aggressively probing enterprise perimeter infrastructure from every angle.

This incident is a reminder that edge appliances are high value targets. A single exposed feature especially one running as root can turn a trusted security product into an entry point for nation state attackers.
If you’re running Cisco Secure Email Gateway or Secure Email and Web Manager, now is the time to audit exposure, lock down access, and assume attackers are already scanning.

Source: The Hacker News

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067