Critical Cisco AsyncOS Zero-Day (CVE-2025-20393) Actively Exploited to Gain Root-Level Access on Secure Email Appliances
December 26th, 2025
Critical
Our Cyber Threat Intelligence Unit is monitoring a critical, maximum-severity zero-day vulnerability (CVE-2025-20393) in Cisco AsyncOS Software used in Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager (SEWM) appliances. This vulnerability allows unauthenticated remote command execution with root-level privileges on affected appliances and is currently under active exploitation in the wild, with malicious activity observed since late November 2025. Cisco attributes the campaign to threat actor UAT-9686, which is selectively targeting internet-exposed appliances with the Spam Quarantine feature enabled and externally reachable. Successful exploitation has resulted in the deployment of custom backdoors, tunneling utilities, and log-clearing tools to establish stealthy, persistent access to email security infrastructure. Given the confirmed exploitation, root-level control, and the critical role of these systems in enterprise mail processing, this vulnerability poses severe operational and confidentiality risks. Cisco has confirmed that, in cases of confirmed compromise, a complete appliance rebuild is currently the only viable remediation to remove attacker persistence.
Technical Details
Attack Type: Remote, unauthenticated command execution with root-level privileges against Cisco AsyncOS Software.
Severity: Critical (CVSS 10.0)
CVE ID: CVE-2025-20393
Affected Products:
Cisco Secure Email Gateway (Physical & Virtual).
Cisco Secure Email and Web Manager (Physical & Virtual).
Underlying Cisco AsyncOS Software.
Exploitation Preconditions: Spam Quarantine must be enabled, and the Spam Quarantine interface must be reachable from the public internet.
Delivery Method: Attackers send crafted unauthenticated HTTPS requests to the publicly exposed Spam Quarantine interface to achieve RCE with root permissions.
Observed Evasion & Persistence:
Activity blends with legitimate HTTPS traffic.
Tunneling and log-wiping tools are deployed to conceal access and hinder investigation.
Post-Exploitation Tooling Identified:
AquaShell: Lightweight Python backdoor that listens for unauthenticated HTTP POST requests, decodes payloads, and executes commands in the system shell.
AquaTunnel (ReverseSSH-based): Covert reverse SSH tunneling utility.
Chisel: TCP tunneling tool used for persistence and lateral access.
AquaPurge: Log-cleaning utility used to remove forensic evidence.
Note: Due to confirmed exploitation, CISA has added CVE-2025-20393 to the Known Exploited Vulnerabilities (KEV) Catalog. The CISA deadline for federal agencies passed on December 24, 2025, highlighting the extreme urgency of this threat.

Impact
Successful exploitation allows attackers to:
Execute arbitrary system-level commands with root privileges.
Establish covert and persistent remote access.
Deploy tunneling infrastructure for command-and-control.
Remove logs to evade detection and hinder DFIR.
Maintain long-term control of email security infrastructure.
Note: Cisco advises that compromised appliances must be rebuilt to remove the attacker's persistence.
Detection Method
Review Spam Quarantine and web interface logs for abnormal entries.
Hunt for unauthorized Python scripts, tunneling tools, or unknown binaries.
Monitor for unexpected outbound network connections originating from SEG/SEWM appliances.
Identify evidence of log deletion or tampering.
Inspect for unsolicited HTTP POST traffic containing encoded payloads targeting exposed interfaces.
Indicators of Compromise
| Type | Indicator |
| ---- | --------- |
| Hash | 2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef |
| Hash | 145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca |
| Hash | 85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc |
| IP | 172[.]233[.]67[.]176 |
| IP | 172[.]237[.]29[.]147 |
| IP | 38[.]54[.]56[.]95 |
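The following Python script is an added hunting example for the Detection Method and Indicators of Compromise sections above; it is not code from Cisco, Talos, or this advisory. It refangs the published IoC IPs, checks observed SHA-256 digests against the hash list, and applies the detection heuristics described earlier (unsolicited POSTs carrying an encoded payload to an externally reachable quarantine interface, and outbound connections to IoC addresses or on ports a mail appliance would not normally use). The access-log and connection-log formats, the "/quarantine" path prefix, and the expected-port set are assumptions for illustration; adapt the two regexes and the port set to your appliance's real log export and environment. The sample log records are constructed.

```python
"""Hunting helper for the Detection Method and IoC sections (added example).

Matches the advisory's defanged IoC IPs and SHA-256 hashes against constructed
log records and applies the detection heuristics listed above. The access-log
and connection-log formats are hypothetical; adapt the two regexes to the
appliance's real log export.
"""
import re

# Indicators copied from the advisory's IoC table (defanged form as published)
IOC_IPS_DEFANGED = [
    "172[.]233[.]67[.]176",
    "172[.]237[.]29[.]147",
    "38[.]54[.]56[.]95",
]
IOC_HASHES = {
    "2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef",
    "145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca",
    "85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc",
}


def refang(indicator: str) -> str:
    """Turn a defanged IP such as 38[.]54[.]56[.]95 back into a matchable string."""
    return indicator.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}

# Hypothetical access-log line: "<src_ip> <method> <path> <status> <resp_bytes> [<body_sample>]"
ACCESS_LINE = re.compile(
    r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<size>\d+)"
    r"(?: (?P<body>\S+))?$"
)
# Long run of base64 alphabet with optional padding: crude "encoded payload" heuristic
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")

# Hypothetical connection-log line: "<proto> <dst_ip>:<dst_port> <bytes>"
CONN_LINE = re.compile(r"^(?P<proto>tcp|udp) (?P<dst>[\d.]+):(?P<port>\d+) (?P<bytes>\d+)$")
# Ports a mail appliance is expected to reach outbound; tune per environment (assumption)
EXPECTED_OUTBOUND_PORTS = {25, 53, 443}


def triage_access_log(lines, quarantine_prefix="/quarantine"):
    """Return (reason, line) findings for entries matching the advisory's detection notes."""
    findings = []
    for line in lines:
        m = ACCESS_LINE.match(line.strip())
        if not m:
            continue
        if m["src"] in IOC_IPS:
            findings.append(("source IP matches advisory IoC", line))
        if (m["method"] == "POST" and m["path"].startswith(quarantine_prefix)
                and m["body"] and BASE64ISH.match(m["body"])):
            findings.append(("unsolicited POST with encoded payload to quarantine interface", line))
    return findings


def triage_outbound(lines):
    """Flag outbound connections to IoC addresses or on ports the appliance should not use."""
    findings = []
    for line in lines:
        m = CONN_LINE.match(line.strip())
        if not m:
            continue
        if m["dst"] in IOC_IPS:
            findings.append(("outbound connection to advisory IoC", line))
        elif int(m["port"]) not in EXPECTED_OUTBOUND_PORTS:
            findings.append(("outbound connection on unexpected port", line))
    return findings


def match_hashes(observed):
    """Return the observed SHA-256 digests (any case) that appear in the advisory list."""
    return {h.lower() for h in observed} & IOC_HASHES


# Constructed sample records; the second access entry and the IoC destination are the hits
SAMPLE_ACCESS_LOG = [
    "203.0.113.7 GET /quarantine/login 200 1822",
    "172.233.67.176 POST /quarantine/search 200 512 aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgZW5vdWdoIHN0cmluZyB0byBtYXRjaA==",
    "198.51.100.9 POST /quarantine/search 200 64 q=sender",
]
SAMPLE_CONN_LOG = [
    "tcp 192.0.2.25:25 48212",        # normal mail delivery
    "tcp 38.54.56.95:443 9120",       # IoC destination on an otherwise ordinary port
    "tcp 198.51.100.40:8443 210331",  # unexpected port: tunnel candidate
    "udp 192.0.2.53:53 96",           # DNS
]

if __name__ == "__main__":
    for reason, line in triage_access_log(SAMPLE_ACCESS_LOG) + triage_outbound(SAMPLE_CONN_LOG):
        print(f"[{reason}] {line}")
    print("hash hits:", match_hashes(["2DB8AD6E0F43E93CC557FBDA0271A436F9F2A478B1607073D4EE3D20A87AE7EF"]))
```

The IoC matches are exact and cheap; the two heuristics (long base64-looking POST bodies, outbound traffic on unexpected ports) will produce false positives on a busy appliance, so treat them as hunting leads to pivot from rather than alerts, and remember that the log-clearing tooling described above means an absence of findings on the appliance itself is not evidence of absence; corroborate with upstream proxy, firewall, or NetFlow data.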

Recommendations
Immediately restrict or disable external access to the Spam Quarantine interface.
Place SEG and SEWM appliances behind a firewall and allow access only from trusted management networks.
Separate mail-handling and management interfaces.
Disable HTTP access for administrator portals.
Disable unnecessary network services.
Rotate all administrative credentials.
Implement strong authentication controls (e.g., SAML or LDAP).
Assess appliances for compromise.
Rebuild compromised systems from a clean image.
Note: There are currently no patches or workarounds that fully address the vulnerability. Exposure reduction and forensic review are critical.
Conclusion
CVE-2025-20393 is a critical, actively exploited zero-day in Cisco AsyncOS powering Secure Email Gateway and Web Manager appliances. Exploitation allows unauthenticated attackers to gain root-level control and maintain stealthy persistence on high-value email security infrastructure. With confirmed operational use, we urge organizations to restrict external exposure immediately, apply Cisco-recommended mitigations, conduct a compromise assessment, and rebuild impacted systems to eradicate attacker access.
References
https://thehackernews.com/2025/12/cisco-warns-of-active-attacks.html
https://blog.talosintelligence.com/uat-9686/
https://cybersecuritynews.com/cisco-asyncos-0-day-vulnerability/
https://socprime.com/blog/cve-2025-20393-vulnerability-exploitation/
https://www.theregister.com/2025/12/17/attacks_pummeling_cisco_0day/