Threat actors are exploiting a zero-day vulnerability in Cisco AsyncOS software, a critical component of the company’s email security appliances used by enterprises. Cisco warned of the flaw and the exploitation activity on Wednesday, and said that no patches or workarounds are currently available.

The vulnerability (CVE-2025-20393) is linked to the Spam Quarantine feature in AsyncOS, the software behind what was formerly known as Cisco Email Security Appliance and Cisco Secure Email and Web Manager. It’s important to note that this feature is not enabled by default. However, threat actors are already exploiting the improper input validation flaw (rated CVSS 10 out of 10) to target a “limited subset of appliances with certain ports open to the internet” that are running AsyncOS Software.

“This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance,” according to Cisco in a Wednesday security advisory. “The ongoing investigation has revealed evidence of a persistence mechanism planted by the threat actors to maintain a degree of control over compromised appliances.”

In a separate advisory, Cisco Talos researchers detailed the exploitation activity linked to the vulnerability. Cisco said its team first became aware of the malicious activity on December 10, during an investigation into a Cisco support case, but the campaign appears to date back to at least late November.

As part of the attacks, researchers said attackers executed system-level commands and deployed various tools, including a persistent Python-based backdoor (AquaShell) that receives encoded commands and executes them in the system shell. Researchers also observed other tools across attacks, including a reverse SSH tunnel (AquaTunnel), an open-source tunneling tool called Chisel, and a log-clearing utility (AquaPurge). 

Researchers assessed with “moderate confidence” that the threat actor (tracked by Talos as UAT-9686) behind the activity is a Chinese APT actor. The tool use and infrastructure are consistent with other Chinese threat groups, researchers said. 

“We have observed overlaps in tactics, techniques and procedures (TTPs), infrastructure, and victimology between UAT-9686 and other Chinese-nexus threat actors Talos tracks,” according to Talos researchers in a Wednesday analysis. “Tooling used by UAT-9686, such as AquaTunnel (aka ReverseSSH), also aligns with previously disclosed Chinese-nexus APT groups such as APT41 and UNC5174. Additionally, the tactic of using a custom-made web-based implant such as AquaShell is increasingly being adopted by highly sophisticated Chinese-nexus APTs.”

Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances are vulnerable when they are configured with the Spam Quarantine feature, and when this feature is exposed to and reachable from the internet. Cisco urged customers to determine whether this feature is enabled on potentially impacted appliances:

  • Cisco Secure Email Gateway Appliance customers should navigate to the menu on the web management interface: Network > IP Interfaces > [Select the Interface on which Spam Quarantine is configured]
  • Cisco Secure Email and Web Manager Appliance customers should navigate to the menu on the web management interface: Management Appliance > Network > IP Interfaces > [Select the interface on which Spam Quarantine is configured]

Customers can verify if an appliance has been compromised by opening a Cisco support case; if appliances are vulnerable, Cisco strongly recommended restoring the appliance to a secure configuration via a multi-step process, which includes preventing access from the internet to the appliance.