CVE-2025-20393 | Critical Zero-Day RCE in Cisco AsyncOS Actively Exploited

Aegiron 9 mins0

Executive Summary

CVE-2025-20393 is a critical, zero-day vulnerability in Cisco AsyncOS Software that affects Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager (SEWM) appliances. The flaw allows an unauthenticated remote attacker to execute arbitrary commands as root on affected systems.

This vulnerability has a CVSS score of 10.0, the highest possible severity, and is actively exploited in the wild. Cisco has confirmed exploitation by a China-linked advanced persistent threat (APT) group, tracked as UAT-9686.

At the time of writing, no security patch is available. Cisco has issued an interim advisory and strongly recommends immediate mitigation actions, including disabling the vulnerable feature or rebuilding compromised appliances.

Vulnerability Details

  • Vulnerability Name: Cisco AsyncOS Software Improper Input Validation
  • CVE ID: CVE-2025-20393
  • Severity: Critical
  • CVSS Score: 10.0
  • CVSS Vector:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • CWE: CWE-20 – Improper Input Validation
  • Advisory Status: Interim (No patch available)
  • Exploitability: Actively Exploited in the Wild

What Is the Issue?

The vulnerability exists due to improper input validation in the Spam Quarantine feature of Cisco AsyncOS. When this feature is exposed to the internet, an attacker can send specially crafted HTTP requests that bypass authentication and execute operating system commands with root privileges.

Because the commands run directly on the underlying OS, a successful exploit results in a full system compromise.

Affected Products and Versions

Affected Products

All versions of Cisco AsyncOS Software running on the following appliances are vulnerable:

  • Cisco Secure Email Gateway (Physical)
  • Cisco Secure Email Gateway (Virtual)
  • Cisco Secure Email and Web Manager (Physical)
  • Cisco Secure Email and Web Manager (Virtual)

Affected Versions

  • All AsyncOS releases are affected
    (Cisco has not identified any safe versions)

Products Not Affected

  • Cisco Secure Email Cloud (SaaS)
  • Cisco Secure Web (no observed exploitation)

Exploitation Prerequisites

Exploitation is only possible if both of the following conditions are met:

  1. Spam Quarantine feature is enabled
  2. Spam Quarantine is reachable from the internet

Important:
Spam Quarantine is not enabled by default, and Cisco deployment guides do not recommend exposing it directly to the internet. However, affected environments were found to have this configuration.

How the Vulnerability Is Exploited

Attack Vector

  • Remote network-based attack
  • No authentication required
  • Fully automated exploitation

Typical Attack Chain

  1. Attacker scans the internet for exposed SEG/SEWM appliances
  2. Identifies systems with Spam Quarantine enabled and exposed
  3. Sends crafted HTTP POST requests to the Spam Quarantine interface
  4. Executes OS-level commands as root
  5. Installs backdoors and tunneling tools
  6. Cleans logs to hide activity
  7. Maintains long-term covert access

Known Threat Actor

UAT-9686 (China-Nexus APT)

  • Attribution: Chinese advanced persistent threat group
  • Activity Observed Since: Late November 2025
  • Discovered by Cisco: December 10, 2025

Tactics, Techniques, and Procedures (TTPs)

PhaseTechnique
Initial AccessZero-day exploitation (CVE-2025-20393)
ExecutionRoot-level command execution
PersistenceBackdoors and SSH tunneling
Defense EvasionLog deletion and tampering
Command & ControlHTTP-based backdoor communications
ImpactFull compromise of email security infrastructure

Indicators of Compromise (IOCs)

Known Tools Deployed by Attackers

ToolPurpose
AquaShellPython-based HTTP backdoor
AquaTunnel (ReverseSSH)Persistent remote access
ChiselTCP/UDP tunneling
AquaPurgeLog cleaning and forensic evasion

Behavioral Indicators to Monitor

  • Unexpected outbound connections to unknown IPs
  • New or suspicious processes running as root
  • HTTP POST requests with encoded payloads to Spam Quarantine endpoints
  • Missing or modified system logs
  • Unauthorized configuration changes
  • Network traffic on unusual tunneling ports

How to Detect Exposure and Possible Compromise

Step 1: Check if Spam Quarantine Is Enabled

Cisco Secure Email Gateway (SEG)

  1. Log in to the web management interface
  2. Go to:
    Network → IP Interfaces → Select Interface
  3. Check if Spam Quarantine is enabled

Cisco Secure Email and Web Manager (SEWM)

  1. Log in to the web management interface
  2. Go to:
    Management Appliance → Network → IP Interfaces → Select Interface
  3. Check if Spam Quarantine is enabled

Step 2: Detection and Investigation Actions

Cisco recommends:

  • Review web access logs for suspicious requests
  • Monitor inbound and outbound traffic patterns
  • Forward logs to an external SIEM or log server
  • Open a Cisco TAC case and allow remote access for verification

Cisco TAC can explicitly confirm whether the appliance has been compromised.

Temporary Mitigation (No Patch Available)

Immediate Actions (Strongly Recommended)

  1. Disable the Spam Quarantine feature
  2. Block internet access to the appliance
  3. Place appliances behind firewalls with strict access controls
  4. If compromise is confirmed, rebuild the appliance
    • Reinstallation is currently the only reliable way to remove persistence

Hardening Recommendations

Network Security

  • Use firewall filtering and allow only trusted IPs
  • Deploy appliances in a layered DMZ architecture
  • Separate mail traffic and management interfaces

Service Configuration

  • Disable HTTP and FTP where not required
  • Use HTTPS only for management access
  • Upgrade to the latest AsyncOS version
  • Change all default passwords

Authentication

  • Use SAML or LDAP for access control
  • Create individual operator accounts
  • Restrict administrator privileges

Monitoring

  • Centralize logs
  • Retain logs long enough for investigations
  • Monitor regularly for anomalies

Patch Status and Official Advisory

Patch Availability

  • No patch is currently available

Advisory Status

  • Interim

Official Cisco Advisory (Patch & Updates Will Be Posted)

Cisco Security Advisory:
Reports About Cyberattacks Against Cisco Secure Email Gateway And Cisco Secure Email and Web Manager

Advisory ID: cisco-sa-sma-attack-N9bf4
Bug ID: CSCws36549
Official Link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4

This is the only official source that will list the patch once it becomes available.

Regulatory Impact

  • CISA KEV Catalog: Listed
  • Mandatory Action for U.S. FCEB Agencies:
    Mitigations required by December 24, 2025

Key Takeaways

  • This is a real-world, actively exploited zero-day
  • Exploitation results in full system takeover
  • No patch exists yet
  • Disabling Spam Quarantine or rebuilding is critical
  • Continuous monitoring and network isolation are essential

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.