Cisco has issued an urgent warning about an actively exploited zero-day vulnerability in Cisco AsyncOS software. The flaw is being leveraged by a China-aligned advanced persistent threat actor tracked as UAT-9686 in attacks against Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances.
Cisco said it became aware of the intrusion campaign on December 10, 2025. The activity appears to be limited to a subset of appliances that have specific ports exposed to the internet, although the exact number of affected customers remains unknown. According to the company, successful exploitation allows attackers to execute arbitrary commands with root-level privileges on the underlying operating system and to establish persistence for long-term control of compromised devices.
The vulnerability is tracked as CVE-2025-20393 and carries a CVSS score of 10.0. It is a command injection stemming from improper input validation, which lets threat actors inject and execute malicious commands with elevated privileges. All versions of Cisco AsyncOS are affected. However, exploitation is only possible if the Spam Quarantine feature is enabled and reachable from the internet, on either physical or virtual deployments of the affected appliances. Cisco noted that this feature is not enabled by default, so the first check for any administrator is whether Spam Quarantine is turned on and on which interface it is listening.
Cisco has confirmed that exploitation activity dates back to at least late November 2025. During the attacks, UAT-9686 deployed tunneling and persistence tools including ReverseSSH, also known as AquaTunnel, and Chisel, along with a log-wiping utility called AquaPurge. The use of AquaTunnel has previously been linked to Chinese threat groups such as APT41 and UNC5174.
Attackers were also observed deploying a lightweight Python-based backdoor named AquaShell. Cisco explained that AquaShell listens for unauthenticated HTTP POST requests containing specially crafted data. Once such a request arrives, the malware decodes the payload using a custom routine and executes the resulting commands directly in the system shell.
As no official patch is currently available, Cisco has advised customers to immediately harden affected appliances. Recommended actions include restricting internet exposure, placing devices behind a firewall that only allows trusted hosts, separating the mail-handling and management interfaces, disabling HTTP access to the administrator portal, and closely monitoring web logs for suspicious activity. Cisco also urged organizations to disable unnecessary services, use strong authentication methods such as SAML or LDAP, and change default administrator credentials. These steps reduce the attack surface but do not remove the underlying flaw; they are a stopgap until a fixed release ships.
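The AquaShell behaviour described above, an unauthenticated HTTP POST carrying a command payload, is the kind of traffic Cisco's advice to "monitor web logs" is meant to catch. The following is an added example, not Cisco's code or any published detection, showing one way to triage an access log for it. It assumes a combined-style access log (client IP, ident, authenticated user, timestamp, request line, status, size); the sample lines, the request paths and the allowlist of login endpoints are all constructed for illustration and are not real AsyncOS output or real indicators of compromise.

```python
"""Flag unauthenticated HTTP POST requests in a web access log.

Added example, not Cisco's code. It assumes a combined-style access log
(client IP, ident, authenticated user, timestamp, request line, status,
size). The log lines, paths and allowlist below are constructed for
illustration, not real AsyncOS output or real indicators.
"""
import re
from collections import Counter

# One combined-style access log line; the user field is "-" when the
# request was not made by an authenticated user.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Hypothetical endpoints where an unauthenticated POST is expected
# (login forms). Anything else receiving an unauthenticated POST is
# worth a look.
ALLOWED_UNAUTH_POST = {"/login", "/euq-login"}

# Constructed sample log; 198.51.100.7 repeatedly POSTs to a path that
# should never receive unauthenticated POSTs.
SAMPLE_LOG = """\
203.0.113.10 - admin [11/Dec/2025:10:01:12 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.7 - - [11/Dec/2025:10:02:03 +0000] "POST /cgi-bin/status HTTP/1.1" 200 2048
198.51.100.7 - - [11/Dec/2025:10:02:04 +0000] "POST /cgi-bin/status HTTP/1.1" 200 96
203.0.113.10 - jdoe [11/Dec/2025:10:05:44 +0000] "POST /quarantine/search HTTP/1.1" 200 1200
192.0.2.55 - - [11/Dec/2025:10:07:19 +0000] "POST /euq-login HTTP/1.1" 302 0
198.51.100.7 - - [11/Dec/2025:10:09:01 +0000] "POST /cgi-bin/status HTTP/1.1" 200 64
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_unauth_posts(log_text, allowed=ALLOWED_UNAUTH_POST):
    """Return entries that are POSTs with no authenticated user to a path outside `allowed`."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # malformed line; a real tool would record it separately
        if entry["method"] != "POST":
            continue
        if entry["user"] != "-":
            continue  # authenticated POSTs are normal UI traffic
        if entry["path"] in allowed:
            continue  # login forms legitimately take unauthenticated POSTs
        hits.append(entry)
    return hits


def sources_by_count(hits):
    """Count flagged requests per client IP, most active first."""
    return Counter(h["ip"] for h in hits).most_common()


if __name__ == "__main__":
    flagged = find_unauth_posts(SAMPLE_LOG)
    for h in flagged:
        print(f'{h["ts"]} {h["ip"]} POST {h["path"]} -> {h["status"]}')
    for ip, n in sources_by_count(flagged):
        print(f"{ip}: {n} flagged POST(s)")
```

Run against a real export, the allowlist has to be built from the appliance's own legitimate login endpoints, and any hit should be read together with the payload size and the response status: a backdoor that executes commands tends to answer small, repeated POSTs from one source with short responses. Because AquaPurge wipes logs on the device, the logs that matter are the copies already shipped to a central collector, not the ones still on the appliance.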
Cisco emphasized that if an appliance is confirmed to be compromised, a full rebuild is currently the only effective method to remove the attacker's persistence mechanisms; deleting the observed tools is not sufficient.
In response to the active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch agencies are required to apply mitigations by December 24, 2025.
The disclosure coincides with new findings from GreyNoise, which reported a coordinated, automated credential-based campaign targeting enterprise VPN infrastructure. The activity focused on exposed Cisco SSL VPN and Palo Alto Networks GlobalProtect portals.
According to GreyNoise, more than 10,000 unique IP addresses attempted automated logins against GlobalProtect portals in the United States, Pakistan, and Mexico on December 11, 2025. A similar surge in brute-force attempts against Cisco SSL VPN endpoints was recorded the following day, originating from over 1,200 IP addresses. The firm noted that the campaign involved scripted login attempts rather than direct vulnerability exploitation, with consistent infrastructure and timing suggesting a single coordinated operation.