Cisco has disclosed a maximum-severity zero-day vulnerability (CVE-2025-20393, CVSS 10.0) in AsyncOS software for Secure Email Gateway and Secure Email and Web Manager appliances. A China-nexus APT group (tracked as UAT-9686) actively exploits the flaw in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply mitigations by December 24, 2025.
The vulnerability arises from improper input validation in the Spam Quarantine web interface. An unauthenticated remote attacker can send crafted requests to execute arbitrary commands with root privileges on the appliance's operating system. Exploitation requires the Spam Quarantine feature to be enabled and exposed to the internet (not the default, but a common misconfiguration). Attacks began in late November 2025, with attackers deploying persistence tools such as AquaShell (a Python backdoor) and tunneling utilities (ReverseSSH and Chisel). Cisco Talos attributes the campaign to UAT-9686 with moderate confidence, noting ties to Chinese state-sponsored activity.
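The two facts a defender needs from this advisory are the KEV due date and the exposure precondition (Spam Quarantine enabled and reachable from the internet). The following script is an added example, not Cisco's or CISA's code: it reads a KEV-shaped record (field names follow CISA's public KEV JSON feed; the record itself is constructed from the article) and rates a constructed appliance inventory against the stated preconditions. The inventory fields (host, product, spam_quarantine_enabled, internet_exposed, patched) are assumptions about how a shop might track its appliances.

```python
import json
from datetime import date
from typing import Optional

# Constructed KEV-style record: cveID, vendor, product and dueDate are taken
# from the article; nothing else is copied from the real CISA feed.
KEV_SAMPLE = json.dumps({"vulnerabilities": [{
    "cveID": "CVE-2025-20393", "vendorProject": "Cisco", "product": "AsyncOS",
    "dueDate": "2025-12-24",
    "requiredAction": "Apply mitigations per vendor instructions.",
}]})

# Products named in the advisory as affected (assumed inventory spelling).
AFFECTED_PRODUCTS = {"Secure Email Gateway", "Secure Email and Web Manager"}

# Constructed inventory, one entry per appliance (hypothetical hosts).
INVENTORY = [
    {"host": "esa-dmz-1", "product": "Secure Email Gateway",
     "spam_quarantine_enabled": True, "internet_exposed": True, "patched": False},
    {"host": "esa-int-2", "product": "Secure Email Gateway",
     "spam_quarantine_enabled": True, "internet_exposed": False, "patched": False},
    {"host": "sma-1", "product": "Secure Email and Web Manager",
     "spam_quarantine_enabled": False, "internet_exposed": False, "patched": False},
    {"host": "swa-1", "product": "Secure Web Appliance",
     "spam_quarantine_enabled": False, "internet_exposed": True, "patched": False},
]

def kev_due_date(kev_json: str, cve_id: str) -> Optional[date]:
    """Return the KEV remediation due date for cve_id, or None if it is not listed."""
    for entry in json.loads(kev_json)["vulnerabilities"]:
        if entry["cveID"] == cve_id:
            return date.fromisoformat(entry["dueDate"])
    return None

def risk_level(appliance: dict) -> str:
    """Rate one appliance against the exploitation preconditions in the advisory."""
    if appliance["product"] not in AFFECTED_PRODUCTS:
        return "not-affected"
    if appliance["patched"]:
        return "remediated"
    if appliance["spam_quarantine_enabled"] and appliance["internet_exposed"]:
        return "critical"   # unauthenticated root RCE reachable from the internet
    if appliance["spam_quarantine_enabled"]:
        return "elevated"   # vulnerable interface up, but only internally reachable
    return "low"            # feature disabled; still patch before the due date

def triage(inventory: list, kev_json: str, cve_id: str, today: str) -> list:
    """Combine the per-host rating with the number of days left until the KEV deadline."""
    due = kev_due_date(kev_json, cve_id)
    days_left = (due - date.fromisoformat(today)).days if due else None
    return [{"host": a["host"], "risk": risk_level(a), "days_until_kev_due": days_left}
            for a in inventory]

if __name__ == "__main__":
    for row in triage(INVENTORY, KEV_SAMPLE, "CVE-2025-20393", "2025-12-20"):
        print(row)
```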
"This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance."
Cisco Product Security Incident Response Team (PSIRT)
Read the full Cisco advisory here: