Tuesday December 30, 2025

Advisory ID: NCC-CSIRT-2025-029

Summary: 

Cisco has issued an urgent security advisory warning of active exploitation of a critical zero-day vulnerability (CVE-2025-20393) in its AsyncOS software, used on Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager (SEWM) appliances. The flaw has a CVSS score of 10.0, allowing unauthenticated remote code execution with root privileges when the Spam Quarantine feature is enabled and exposed to the internet, conditions present in some deployed environments.

Cisco Talos, the company’s threat intelligence team, has linked the ongoing attacks to a China-nexus advanced persistent threat actor tracked as UAT-9686, which has been active since at least November 2025. The actor uses the exploited systems to deploy persistent backdoors and tunneling tools, enabling deep, covert access.

Damage/Probability: Critical/High

Product(s): 

  • Cisco Secure Email Gateway (SEG) appliances
  • Cisco Secure Email and Web Manager (SEWM) appliances
  • Cisco AsyncOS software powering SEG/SEWM

Version(s): 

  • Cisco Secure Email Gateway (SEG) appliances
  • Cisco Secure Email and Web Manager (SEWM) appliances
  • Cisco AsyncOS software powering SEG/SEWM

Platform(s): 

Enterprise and government email security infrastructure using Cisco SEG or SEWM appliances.

Description: 

The vulnerability CVE-2025-20393 arises from improper input validation in the Spam Quarantine feature of Cisco AsyncOS. When the Spam Quarantine web interface is enabled and accessible from the internet, unauthenticated attackers can send crafted requests that bypass authentication and lead to arbitrary root code execution on the appliance.

Cisco became aware of active exploitation of this flaw on 10 December 2025 and has confirmed that victims include SEG and SEWM appliances with non-standard configurations (Spam Quarantine enabled and reachable externally).

The threat actor, tracked as UAT-9686, has deployed a toolkit comprising:

  • AquaShell: a lightweight persistent backdoor used to maintain access.
  • AquaTunnel (Reverse SSH): used to facilitate secure reverse connections.
  • Chisel: a TCP/UDP tunneling tool for flexible remote access.
  • AquaPurge: a utility to clear logs and hinder forensic analysis.

Cisco Talos assesses that the attacker's toolset and infrastructure are consistent with those of other Chinese-linked threat groups, and notes that similar implants have previously been attributed to UNC5174 and other state-aligned actors.

Threat Types: 

  • Unauthenticated Remote Code Execution (RCE) via AsyncOS zero-day
  • Deployment of persistent backdoors (e.g., AquaShell)
  • Reverse SSH tunnels (e.g., AquaTunnel, Chisel)
  • Log purging/evasion tools (e.g., AquaPurge)
  • High-profile APT exploitation (espionage, persistent foothold)

Impacts: 

  • Full appliance compromise: Exploitation can give attackers root-level control of Cisco email security devices.
  • Email data exposure: Sensitive email traffic can be intercepted, modified, or exfiltrated.
  • Persistent access: Backdoors and encrypted tunnels enable long-term remote access.
  • Detection evasion: Log-wiping tools hinder detection and incident response.
  • Espionage risk: APT exploitation raises the risk of targeted attacks on government, critical infrastructure, and enterprises.

Solutions:  

NCC-CSIRT recommends the following mitigation steps:

  • Verify if Spam Quarantine is internet-exposed and restrict access via firewall, ACLs, or VPN.
  • Temporarily disable Spam Quarantine where business operations allow.
  • Restrict management interfaces (HTTP/HTTPS) to trusted networks only.
  • Enforce strong passwords, MFA for admin access, and disable unused services.
  • Review web logs and admin activity for signs of exploitation.
  • Hunt for reverse SSH tunnels and tools such as AquaShell, AquaTunnel, or Chisel.
  • Monitor Cisco advisories and apply patches immediately when released.
  • Enforce network segmentation to limit access to AsyncOS management services.
  • Block direct internet access to the Spam Quarantine interface where possible.
  • Monitor for RPC/HTTP POST abuse and reverse SSH activity.
  • Harden management plane access and prepare for rapid patch deployment.
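The following is an added hunting example, not part of the NCC-CSIRT advisory or any Cisco tooling: it runs two of the checks above (is the Spam Quarantine interface reachable from outside, and is the appliance opening SSH sessions to external hosts, a reverse-tunnel indicator) over flow records. The record format, the appliance address 10.20.30.40, the quarantine listener ports 82/83 and the use of RFC1918 space as "internal" are all assumptions to be replaced with your own deployment values.

```python
import ipaddress
from collections import namedtuple
# Constructed record format (an assumption, not Cisco's own log format): "<src> <sport> <dst> <dport> <proto> <bytes>"
Flow = namedtuple("Flow", "src sport dst dport proto nbytes")

# Assumed deployment values: adjust to your own appliance address, ports and address plan.
APPLIANCE_IP = ipaddress.ip_address("10.20.30.40")
QUARANTINE_PORTS = {82, 83}  # assumed listener ports of the Spam Quarantine web UI
SSH_PORT = 22
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """RFC1918 space counts as internal; anything else is treated as external for this hunt."""
    return any(ip in net for net in INTERNAL_NETS)

def parse_flows(lines):
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records instead of aborting the whole hunt
        src, sport, dst, dport, proto, nbytes = parts
        flows.append(Flow(ipaddress.ip_address(src), int(sport),
                          ipaddress.ip_address(dst), int(dport), proto, int(nbytes)))
    return flows

def find_exposed_quarantine(flows):
    """External sources reaching the quarantine ports: the interface is internet-reachable."""
    return [f for f in flows
            if f.dst == APPLIANCE_IP and f.dport in QUARANTINE_PORTS and not is_internal(f.src)]

def find_reverse_tunnel_candidates(flows):
    """The appliance acting as an SSH client towards an external host: a reverse-tunnel indicator."""
    return [f for f in flows
            if f.src == APPLIANCE_IP and f.dport == SSH_PORT and not is_internal(f.dst)]

# Constructed sample records covering the cases the hunt has to tell apart.
SAMPLE_FLOWS = [
    "192.168.5.9 51000 10.20.30.40 83 tcp 2300",     # internal user on the quarantine UI: expected
    "203.0.113.77 40211 10.20.30.40 83 tcp 9800",    # external source on the quarantine UI: exposed
    "10.20.30.40 44122 198.51.100.15 22 tcp 51200",  # appliance -> external SSH: tunnel candidate
    "10.20.30.40 44123 10.20.30.1 22 tcp 1200",      # appliance -> internal host SSH: not flagged
    "not a flow record",
]

def run_hunt(lines=SAMPLE_FLOWS):
    flows = parse_flows(lines)
    return {"exposed": find_exposed_quarantine(flows),
            "tunnels": find_reverse_tunnel_candidates(flows)}
```

Any hit under "exposed" means the first two mitigations above (restrict or disable the quarantine interface) apply to that appliance; a hit under "tunnels" warrants incident response rather than just hardening.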

References: