Cisco AsyncOS Under Siege: Zero-Day Remote Code Execution Threatens Secure Email Appliances
- DTG Threat Management Team
- Dec 22, 2025
- 3 min read

Critical Zero-Day Exploited in Cisco Secure Email Appliances (CVE‑2025‑20393)
DTG Threat Intelligence is tracking active exploitation of CVE-2025-20393, a critical zero‑day vulnerability (CVSS 10.0) impacting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances running AsyncOS. The flaw allows unauthenticated remote attackers to execute arbitrary commands with root privileges, resulting in complete system compromise.
Analysis links attacks to China‑based threat actors, including UAT‑9686, UNC5174, and APT41, who are leveraging the vulnerability to implant persistent malware, exfiltrate credentials, and expand into targeted enterprise networks.
The Vulnerability: Improper Input Validation Enables Full Takeover
CVE‑2025‑20393 stems from improper input validation (CWE‑20) in Cisco AsyncOS. The issue is exploitable when the Spam Quarantine web interface is enabled and accessible from the public internet. Although this configuration is not enabled by default, some organizations have deployed appliances in exposed or misconfigured states.
This exposure allows an attacker to send malicious input to the Spam Quarantine process, achieving root‑level command execution. Once compromised, adversaries have been observed:
- Executing arbitrary commands as root
- Installing persistent backdoors (AquaShell)
- Establishing covert tunnels (AquaTunnel, Chisel)
- Manipulating or deleting logs to evade detection (AquaPurge)
- Moving laterally and exfiltrating sensitive organizational data
Affected Products and Scope
Exploitation affects any deployment where Spam Quarantine is both enabled and internet‑facing, specifically:
- Cisco Secure Email Gateway (physical and virtual)
- Cisco Secure Email and Web Manager (physical and virtual)
- All releases of Cisco AsyncOS for the above appliances
Not affected: Cisco Secure Email Cloud and Cisco Secure Web solutions.
Ongoing Exploitation
Initial exploitation was observed on December 10, 2025, with indicators suggesting attacks may have begun in late November. Cisco Talos and independent researchers report the use of both custom malware and open‑source tunneling tools to establish persistence and data exfiltration.
The campaign exhibits hallmarks of Chinese APT tradecraft, with infrastructure and payloads consistent with historic APT41 operations. CISA has added CVE‑2025‑20393 to its Known Exploited Vulnerabilities (KEV) Catalog, mandating U.S. federal agencies to patch no later than December 24, 2025.
DTG’s telemetry corroborates scanning and exploit activity against publicly reachable Cisco appliances globally, predominantly affecting enterprises with hybrid or co‑located environments.
Business Impact
1. Remote Code Execution and Full Administrative Access: Attackers can gain complete control of affected email gateways, manipulate or intercept mail flow, and leverage compromised appliances as pivot points into internal systems.
2. Persistence and Stealth: Advanced backdoors and log‑cleaning utilities facilitate long‑term, covert access.
3. High‑Value Targeting: Organizations relying on Cisco Secure Email for core business communications face significant risk of data exposure, disruption, or espionage.
DTG Recommendations
Immediate Actions for All Cisco AsyncOS Users
Restrict Exposure
- Audit all Cisco Secure Email and Web Manager appliances.
- Ensure the Spam Quarantine feature is disabled or not reachable from the public internet.
- Limit administrative access to trusted internal networks only.
Apply Patches
- Cisco has released patches to remediate this vulnerability. Install updates immediately.
- Continue monitoring Cisco Security Advisories for further mitigations.
Monitor and Detect Compromise
- Review email gateway and quarantine logs for unauthorized access attempts.
- Apply Cisco Talos IOCs to identify indicators of compromise or lateral activity.
Incident Response Actions
- If compromise is suspected, open a Cisco TAC case and notify security operations teams.
- For confirmed compromise, rebuild affected appliances to remove persistence mechanisms.
Harden Network Perimeters
- Deploy appliances behind firewalls with tightly controlled access rules.
- Implement layered network monitoring, IDPS coverage, and strict segmentation.
- Consider temporary isolation or decommissioning of unpatched assets.
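The two recommendations that can be turned into a repeatable check are the exposure audit (is Spam Quarantine enabled and reachable from outside trusted networks?) and the quarantine log review (who is reaching the interface, and is anyone hammering its login?). The script below is an added example written for this advisory; it is not Cisco's or DTG's code. The appliance inventory, the trusted RFC 1918 ranges, and the log lines are constructed, and the log line format is a simplified one assumed for illustration rather than the real AsyncOS log layout, so the parsing regex would need to be adapted to the actual log source.

```python
"""Exposure audit and quarantine-log triage for Cisco AsyncOS appliances.

Added example for the recommendations above; it is not Cisco's or DTG's code.
The inventory, the trusted network ranges and the log lines are constructed,
and the log format is a simplified one assumed for illustration, not the real
AsyncOS log layout.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed: the organisation's trusted internal ranges (RFC 1918 here).
TRUSTED_NETS = [
    ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed inventory: whether Spam Quarantine is enabled on each appliance
# and which address its web interface is bound to.
INVENTORY = [
    {"host": "esa-01.corp.example", "quarantine_enabled": True, "bind_ip": "10.20.5.11"},
    {"host": "esa-02.corp.example", "quarantine_enabled": True, "bind_ip": "203.0.113.25"},
    {"host": "sma-01.corp.example", "quarantine_enabled": False, "bind_ip": "203.0.113.40"},
]

# Constructed log lines in an assumed, simplified format.
SAMPLE_LOG = [
    "2025-12-10T03:14:07Z quarantine_ui src=198.51.100.77 user=- action=login result=FAIL",
    "2025-12-10T03:14:09Z quarantine_ui src=198.51.100.77 user=- action=login result=FAIL",
    "2025-12-10T03:14:12Z quarantine_ui src=198.51.100.77 user=- action=login result=FAIL",
    "2025-12-10T03:14:20Z quarantine_ui src=198.51.100.77 user=- action=request result=OK",
    "2025-12-10T05:41:02Z quarantine_ui src=192.0.2.9 user=- action=request result=OK",
    "2025-12-10T08:02:33Z quarantine_ui src=10.20.7.14 user=jsmith action=login result=OK",
    "this line is malformed and is skipped by the parser",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) quarantine_ui src=(?P<src>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)"
)


def in_trusted_nets(ip_text, trusted=TRUSTED_NETS):
    """True if the address falls inside one of the trusted internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in trusted)


def classify_exposure(record, trusted=TRUSTED_NETS):
    """Return 'DISABLED', 'INTERNAL' or 'EXPOSED' for one inventory record.

    The advisory's risk condition is quarantine enabled AND internet-facing;
    an enabled interface bound outside the trusted ranges is treated as exposed.
    """
    if not record["quarantine_enabled"]:
        return "DISABLED"
    return "INTERNAL" if in_trusted_nets(record["bind_ip"], trusted) else "EXPOSED"


def audit_inventory(inventory, trusted=TRUSTED_NETS):
    """Map each host to its exposure class; EXPOSED hosts need immediate action."""
    return {r["host"]: classify_exposure(r, trusted) for r in inventory}


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage_quarantine_log(lines, trusted=TRUSTED_NETS, fail_threshold=3):
    """Flag requests from outside trusted ranges and repeated login failures.

    Any hit from an untrusted source shows the interface is reachable from
    there; a source with fail_threshold or more failed logins is a
    brute-force suspect worth escalating.
    """
    untrusted = defaultdict(int)  # src -> requests from outside trusted ranges
    failures = Counter()          # src -> failed login attempts
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not in_trusted_nets(rec["src"], trusted):
            untrusted[rec["src"]] += 1
        if rec["action"] == "login" and rec["result"] == "FAIL":
            failures[rec["src"]] += 1
    return {
        "untrusted_sources": dict(untrusted),
        "brute_force_suspects": sorted(s for s, n in failures.items() if n >= fail_threshold),
    }


if __name__ == "__main__":
    for host, status in audit_inventory(INVENTORY).items():
        print(f"{host}: {status}")
    print(triage_quarantine_log(SAMPLE_LOG))
```

On the constructed data, esa-02 is reported as EXPOSED (quarantine enabled, bound to an address outside the trusted ranges) and the log triage surfaces one outside source with repeated login failures plus a second outside source that reached the interface at all; either finding is grounds to take the interface off the internet and apply the vendor patch before digging further.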
DTG’s Incident Response and Threat Management units are actively investigating this campaign across monitored customer ecosystems. Clients leveraging DTG Wirespeed or Pegasos can request an immediate telemetry review or compromise assessment via standard support channels.
Do not wait for an exploit attempt: contact DTG now to validate exposure and accelerate patching efforts.