Cisco Alerts: Critical Zero-Day Vulnerability in Email Security Appliances Under Active Exploitation


Cisco Warns of Active Exploitation of Zero-Day Vulnerability in Email Security Appliances

Cisco has issued an urgent alert about a maximum-severity zero-day flaw in its AsyncOS software that is actively being exploited by a China-linked threat actor in attacks targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances.

The vulnerability, tracked as CVE-2025-20393 with a critical CVSS score of 10.0, allows attackers to execute arbitrary commands with root privileges on affected systems. Cisco detected the intrusion campaign on December 10 after identifying a "limited subset of appliances" with specific ports exposed to the internet.

Attack Details and Threat Actor Attribution

The exploitation, which began in late November 2025, has been attributed to a China-nexus advanced persistent threat (APT) group codenamed UAT-9686. This group has been utilizing the vulnerability to deploy various malicious tools, establishing persistence in compromised systems.

"This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance," Cisco stated in its advisory. "The ongoing investigation has revealed evidence of a persistence mechanism planted by the threat actors to maintain a degree of control over compromised appliances."

The attackers have deployed several tools in their campaign, including:

  • ReverseSSH (also known as AquaTunnel) – A tunneling tool previously linked to Chinese hacking groups like APT41 and UNC5174
  • Chisel – Another tunneling utility for maintaining access
  • AquaPurge – A log cleaning tool designed to hide evidence of intrusion
  • AquaShell – A lightweight Python backdoor capable of receiving encoded commands and executing them on the system

The AquaShell backdoor is particularly concerning as it "listens passively for unauthenticated HTTP POST requests containing specially crafted data," according to Cisco. When it identifies such a request, it decodes the contents using a custom routine and executes the commands in the system shell.

This incident demonstrates why implementing comprehensive zero-day attack prevention strategies is essential for organizations of all sizes.

Vulnerability Details and Affected Systems

The vulnerability (CVE-2025-20393) stems from improper input validation in the AsyncOS software, affecting all releases. However, exploitation requires specific conditions:

  1. The appliance must have the Spam Quarantine feature enabled (not enabled by default)
  2. The Spam Quarantine feature must be exposed to and reachable from the internet

To determine if your system is vulnerable, Cisco recommends checking if Spam Quarantine is enabled by:

  1. Connecting to the web management interface
  2. Navigating to Network > IP Interfaces > [Select the Interface] (for Secure Email Gateway) or Management Appliance > Network > IP Interfaces > [Select the interface] (for Secure Email and Web Manager)
  3. Checking if the Spam Quarantine option is enabled

Exploitation Timeline and Impact Assessment

Security researchers have noted that the exploitation timeline, beginning in late November and discovered in mid-December, gave attackers approximately two weeks of undetected access to vulnerable systems. During this period, affected organizations may have experienced:

  • Data exfiltration from email systems
  • Credential harvesting
  • Lateral movement within networks
  • Installation of additional persistence mechanisms

Organizations should conduct thorough forensic analysis to identify potential compromise beyond the immediate affected systems. According to the CISA guidelines on incident response, examining network traffic logs for suspicious connections to known command-and-control servers is a critical first step.

Mitigation Recommendations

In the absence of a security patch, Cisco has provided several mitigation strategies:

  • Restore appliances to a secure configuration
  • Limit internet access to the devices and secure them behind a firewall
  • Separate mail and management functionality onto different network interfaces
  • Monitor web log traffic for unexpected activity
  • Disable HTTP for the main administrator portal
  • Turn off unnecessary network services
  • Implement strong authentication methods like SAML or LDAP
  • Change default administrator passwords

Important note: Cisco emphasizes that for confirmed compromises, "rebuilding the appliances is, currently, the only viable option to eradicate the threat actor's persistence mechanism."

Organizations should prioritize the implementation of robust email security compliance measures to protect against similar threats in the future.

Advanced Detection Techniques

Security teams should implement enhanced monitoring specifically targeting the indicators of compromise associated with this attack. Key detection points include:

  • Unusual outbound connections from email appliances
  • Unexpected HTTP POST requests to email gateways
  • Command execution patterns consistent with the AquaShell backdoor
  • Modifications to system files and logs that might indicate AquaPurge activity

Implementing network segmentation and monitoring tools that can detect lateral movement attempts will significantly improve detection capabilities even if initial compromise occurs.
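As an added example (not Cisco's code and not detection content from the advisory), the following Python triage script applies the second detection point above: it parses web access log lines in Apache common log format and flags POST requests that reach the appliance from outside trusted networks with no authenticated user, rating those the appliance answered with 200 higher. The sample log lines, the quarantine path placeholder and the RFC 1918 trusted ranges are constructed assumptions.

```python
import ipaddress
import re

# Apache common log format: src ident user [time] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

# Assumption: these RFC 1918 ranges are the organisation's trusted management
# and mail-relay networks; adjust to the real address plan.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample web log; the path is a placeholder, not from the advisory.
SAMPLE_LOG = """\
10.20.30.40 - admin [12/Dec/2025:08:01:12 +0000] "GET /login HTTP/1.1" 200 5120
203.0.113.77 - - [12/Dec/2025:08:02:03 +0000] "POST /QUARANTINE_PATH_PLACEHOLDER HTTP/1.1" 200 0
10.20.30.41 - - [12/Dec/2025:08:03:45 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.9 - - [12/Dec/2025:08:04:10 +0000] "POST /QUARANTINE_PATH_PLACEHOLDER HTTP/1.1" 404 221
not a log line
"""

def is_trusted(src: str) -> bool:
    """True if src parses as an address inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def triage_web_log(text: str) -> list:
    """Return findings for POST requests that reach the appliance from outside
    the trusted networks without an authenticated user field. A POST the
    appliance answered with 200 is rated high, any other status medium."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip rather than crash
        if m["method"] != "POST" or is_trusted(m["src"]) or m["user"] != "-":
            continue
        severity = "high" if m["status"] == "200" else "medium"
        findings.append({"src": m["src"], "path": m["path"],
                         "status": int(m["status"]), "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in triage_web_log(SAMPLE_LOG):
        print(finding)
```

Feed it the appliance's exported web access log and review every "high" finding against the appliance's expected traffic, since a legitimate remote user population may also POST to the quarantine interface.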

Government Response and Broader Threat Landscape

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog. This action requires Federal Civilian Executive Branch agencies to implement necessary mitigations by December 24, 2025.

This alert comes amid other concerning cybersecurity developments. Threat intelligence firm GreyNoise has detected "a coordinated, automated credential-based campaign" targeting enterprise VPN infrastructure, specifically Cisco SSL VPN and Palo Alto Networks GlobalProtect portals. Over 10,000 unique IP addresses have been observed attempting automated logins to GlobalProtect portals in the U.S., Pakistan, and Mexico on December 11, 2025. Similar brute-force login attempts against Cisco SSL VPN endpoints were recorded the following day.

According to attack surface management platform Censys, approximately 220 internet-exposed Cisco Secure Email Gateway instances are currently visible, though not all may be vulnerable to this specific attack.

The increasing sophistication and frequency of these attacks underscore the fundamental importance of maintaining robust cybersecurity practices across organizational infrastructure.

How Organizations Can Use This Information

Organizations using Cisco email security products should:

  • Immediately check if their systems meet the vulnerability conditions outlined by Cisco
  • Implement all recommended mitigations, particularly limiting internet exposure of the Spam Quarantine feature
  • Review network logs for signs of compromise, especially unusual HTTP POST requests
  • Prepare for potential system rebuilds if compromise is detected or suspected

Long-term Security Enhancements

Beyond addressing this specific vulnerability, organizations should consider implementing these additional security measures:

  1. Develop an email security architecture review process that regularly assesses exposure and configuration of critical security appliances
  2. Establish a vulnerability management program that prioritizes critical infrastructure components and includes regular penetration testing
  3. Create incident response playbooks specifically for email security compromises that include containment, eradication, and recovery procedures
  4. Implement continuous monitoring for unauthorized changes to security appliances using a centralized security information and event management (SIEM) solution

This incident highlights the ongoing sophistication of nation-state cyber operations and underscores the critical importance of proper network segmentation, continuous security monitoring, and prompt response to security advisories.
