Cisco Patches Zero-Day RCE Exploited by China-Linked APT in Secure Email Gateways

Cisco has released security updates to address a critical remote code execution vulnerability in Cisco AsyncOS Software, the operating system of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The patches arrive nearly one month after Cisco confirmed that the flaw was being exploited as a zero-day by a China-linked advanced persistent threat group tracked as UAT-9686.

The vulnerability is tracked as CVE-2025-20393 and carries a CVSS score of 10.0, the maximum severity. It stems from insufficient validation of HTTP requests handled by the Spam Quarantine feature. Successful exploitation lets an unauthenticated, remote attacker execute arbitrary commands with root-level privileges on the affected appliance.

Conditions Required for Exploitation

Cisco stated that exploitation is only possible when all of the following conditions are met:

  • The appliance is running a vulnerable version of Cisco AsyncOS Software
  • The Spam Quarantine feature is enabled
  • The Spam Quarantine feature is exposed and reachable from the internet

When these conditions are present, attackers can remotely compromise the system without authentication.

Active Exploitation by UAT-9686

Cisco previously disclosed that it observed UAT-9686 exploiting this vulnerability as early as late November 2025. The attackers used the access to deploy tunneling tools such as ReverseSSH, also known as AquaTunnel, and Chisel, along with a log-cleaning utility named AquaPurge.

The campaign also involved a lightweight Python-based backdoor called AquaShell, which receives encoded commands and executes them on the compromised system.

Patched Software Versions

Cisco has released fixes across multiple AsyncOS release trains; according to Cisco, the updated releases also remove the persistence mechanisms planted during the attack campaign.

Cisco Secure Email Gateway

  • AsyncOS Release 14.2 and earlier: no fix in these trains, migrate to 15.0.5-016
  • AsyncOS Release 15.0: fixed in 15.0.5-016
  • AsyncOS Release 15.5: fixed in 15.5.4-012
  • AsyncOS Release 16.0: fixed in 16.0.4-016

Cisco Secure Email and Web Manager

  • AsyncOS Release 15.0 and earlier: fixed in 15.0.2-007 (earlier trains must migrate to it)
  • AsyncOS Release 15.5: fixed in 15.5.4-007
  • AsyncOS Release 16.0: fixed in 16.0.4-010
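The three exploitation conditions and the fixed-release table above translate directly into a triage routine. The following Python is an added example written for this article, not Cisco code: it parses AsyncOS build strings, compares them with the fixed releases listed above (including the "migrate to" rule for older trains), applies Cisco's three conditions, and offers an optional reachability probe to run from an untrusted vantage point. The inventory records, hostnames and the Spam Quarantine default ports (82 HTTP / 83 HTTPS) are assumptions; confirm the ports against your own interface configuration.

```python
"""Patch-and-exposure triage for CVE-2025-20393 on Cisco AsyncOS appliances.

Added illustration, not Cisco code. The fixed-release table is the one given
in the article; the quarantine ports and the sample inventory are assumptions.
"""
import re
import socket
from typing import Optional

# First fixed build per product and release train, as listed in the article.
# "esa" = Secure Email Gateway, "sma" = Secure Email and Web Manager.
FIXED = {
    "esa": {(15, 0): "15.0.5-016", (15, 5): "15.5.4-012", (16, 0): "16.0.4-016"},
    "sma": {(15, 0): "15.0.2-007", (15, 5): "15.5.4-007", (16, 0): "16.0.4-010"},
}

# AsyncOS builds look like major.minor.patch-build, e.g. "15.5.3-012".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> tuple:
    """Turn '15.5.3-012' into (15, 5, 3, 12) so builds compare numerically."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised AsyncOS version: {text!r}")
    return tuple(int(part) for part in match.groups())


def fixed_release(product: str, version: tuple) -> Optional[str]:
    """First fixed build for this appliance's train.

    Returns None when the train is newer than anything the advisory lists
    and therefore has to be checked by hand.
    """
    table = FIXED[product]
    train = version[:2]
    if train in table:
        return table[train]
    oldest = min(table)
    if train < oldest:
        # Older trains (ESA 14.2 and earlier, SMA before 15.0) get no fix of
        # their own: the advisory points them at the oldest fixed train.
        return table[oldest]
    return None


def is_vulnerable(product: str, version_text: str) -> Optional[bool]:
    """True if the build predates the fix, False if patched, None if unknown."""
    version = parse_version(version_text)
    fixed = fixed_release(product, version)
    if fixed is None:
        return None
    return version < parse_version(fixed)


def is_exploitable(product: str, version_text: str,
                   quarantine_enabled: bool, internet_reachable: bool) -> Optional[bool]:
    """Cisco's three conditions: vulnerable build AND Spam Quarantine enabled
    AND quarantine reachable from the internet. Unknown build -> None."""
    vuln = is_vulnerable(product, version_text)
    if vuln is None:
        return None
    return vuln and quarantine_enabled and internet_reachable


def quarantine_port_open(host: str, port: int = 83, timeout: float = 3.0) -> bool:
    """Probe the Spam Quarantine listener; run this from OUTSIDE the perimeter.

    Ports 83 (HTTPS) and 82 (HTTP) are assumed defaults, confirm them in your
    interface configuration. A successful connect means the third condition
    (internet reachability) holds for that host.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage_fleet(inventory: list) -> list:
    """One finding per appliance: patch status, exploitability, target build."""
    findings = []
    for item in inventory:
        version = parse_version(item["version"])
        findings.append({
            "host": item["host"],
            "vulnerable": is_vulnerable(item["product"], item["version"]),
            "exploitable": is_exploitable(item["product"], item["version"],
                                          item["quarantine_enabled"],
                                          item["internet_reachable"]),
            "fix": fixed_release(item["product"], version),
        })
    return findings


# Constructed inventory for illustration: hostnames, builds and flags are made up.
SAMPLE_INVENTORY = [
    {"host": "esa-dmz-01", "product": "esa", "version": "15.5.3-012",
     "quarantine_enabled": True, "internet_reachable": True},
    {"host": "esa-core-02", "product": "esa", "version": "14.2.0-620",
     "quarantine_enabled": True, "internet_reachable": False},
    {"host": "sma-01", "product": "sma", "version": "16.0.4-010",
     "quarantine_enabled": True, "internet_reachable": True},
]

if __name__ == "__main__":
    labels = {True: "VULNERABLE", False: "patched", None: "unknown train"}
    for f in triage_fleet(SAMPLE_INVENTORY):
        print(f"{f['host']:<12} {labels[f['vulnerable']]:<14} "
              f"exploitable={f['exploitable']} fix={f['fix']}")
```

Note that a host flagged "vulnerable but not exploitable" (quarantine disabled or not reachable from outside) still needs the patch: the conditions only describe what this actor could reach, and an attacker who has already gained an internal foothold, or a later configuration change, turns it exploitable.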

Security Hardening Recommendations

In addition to applying the patches, Cisco strongly advises customers to harden their deployments: restrict access to the appliances from untrusted networks, place them behind a firewall, and monitor the web logs for unexpected inbound or outbound traffic.

Cisco also recommends disabling HTTP access to the main administrator portal, turning off unnecessary network services, enforcing strong authentication such as SAML or LDAP, and replacing default administrator credentials with strong, unique passwords.

Organizations running Cisco Secure Email products are urged to apply the updates immediately: the vulnerability enables full system compromise and has already been exploited in real-world attacks.


