Cisco has issued a critical alert regarding a maximum-severity zero-day vulnerability, CVE-2025-20393, in its AsyncOS software. This flaw, actively exploited by a China-linked advanced persistent threat (APT) actor codenamed UAT-9686, affects Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances. The exploitation campaign, detected by Cisco on December 10, 2025, targets a specific subset of internet-exposed appliances, though the exact number of affected customers remains unknown.
Critical Cisco AsyncOS Zero-Day Vulnerability Exploited by APT Actor
The exploited vulnerability allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of vulnerable appliances. Cisco’s ongoing investigation has uncovered evidence of a persistence mechanism deployed by the actors to maintain unauthorized control over compromised systems. This vulnerability carries a CVSS score of 10.0, indicating its extreme severity.
The flaw, CVE-2025-20393, stems from improper input validation. Successful exploitation requires the appliance to be configured with the Spam Quarantine feature, and for this feature to be reachable from the internet. It is important to note that the Spam Quarantine feature is not enabled by default. Users can verify its status by checking the web management interface under Network > IP Interfaces (for Secure Email Gateway) or Management Appliance > Network > IP Interfaces (for Secure Email and Web Manager), and confirming if the “Spam Quarantine” option is checked.
Cisco’s analysis indicates that exploitation activity commenced as early as late November 2025. The APT actor UAT-9686 has been observed weaponizing this vulnerability to deploy tools such as ReverseSSH, also known as AquaTunnel, and Chisel. Additionally, a log cleaning utility named AquaPurge and a lightweight Python backdoor called AquaShell have been deployed. The use of AquaTunnel has previously been associated with Chinese hacking groups, including APT41 and UNC5174. AquaShell is designed to passively receive and execute encoded commands via unauthenticated HTTP POST requests.
In the absence of an immediate patch, Cisco has provided several interim mitigation strategies. Customers are advised to restore their appliances to a secure configuration, restrict internet access, and secure devices behind a firewall allowing traffic only from trusted hosts. Separating mail and management functionality onto distinct network interfaces is also recommended, alongside vigilant monitoring of web log traffic for anomalies. Disabling HTTP for the main administrator portal and turning off any non-essential network services are further protective measures.
Furthermore, the use of strong end-user authentication methods like SAML or LDAP, and changing default administrator passwords to more secure variants, are crucial steps. Cisco stated that in cases of confirmed compromise, rebuilding the affected appliances is currently the only definitive method to eradicate the threat actor’s persistence mechanisms.
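The interim measures above combine network restriction (only trusted hosts may reach the appliance) with monitoring of web log traffic for anomalies, and the article notes that the deployed backdoor receives commands through unauthenticated HTTP POST requests. The following script is an added illustration of how a defender might apply both ideas to web access logs; it is not Cisco's code and not from the article. The log layout, the trusted networks, the sample log lines and the quarantine URL path are all constructed assumptions (the real AsyncOS web log format is not shown in the article and the regex must be adapted to it).

```python
import re
import ipaddress
from collections import defaultdict

# Generic combined-style access log line. The AsyncOS web log layout is not
# reproduced in the article, so this pattern is an assumption to adapt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed allow-list of management/mail networks (assumption for the example).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Constructed sample log. "/euq-placeholder/" stands in for the quarantine
# interface path and is NOT Cisco's real URL.
SAMPLE_LOG = """\
10.0.0.5 - admin [10/Dec/2025:08:02:40 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.10 - - [10/Dec/2025:08:03:12 +0000] "GET /euq-placeholder/ HTTP/1.1" 200 1844
198.51.100.77 - - [10/Dec/2025:08:05:03 +0000] "POST /euq-placeholder/ HTTP/1.1" 200 42
198.51.100.77 - - [10/Dec/2025:08:05:04 +0000] "POST /euq-placeholder/ HTTP/1.1" 200 42
198.51.100.77 - - [10/Dec/2025:08:05:05 +0000] "POST /euq-placeholder/ HTTP/1.1" 200 42
192.168.1.20 - jdoe [10/Dec/2025:08:06:00 +0000] "POST /euq-placeholder/ HTTP/1.1" 200 210
this line is garbage and should be skipped
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted(ip, trusted_networks=TRUSTED_NETWORKS):
    """True when the source address falls inside an allow-listed network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # Unparsable source field: treat as untrusted rather than ignore it.
        return False
    return any(addr in net for net in trusted_networks)


def find_anomalies(log_text, trusted_networks=TRUSTED_NETWORKS, burst_threshold=3):
    """Flag requests from outside the allow-list, unauthenticated POSTs, and
    sources that send repeated unauthenticated POSTs (a burst)."""
    findings = []
    unauth_posts = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # malformed line; a production tool would count these too
        if not is_trusted(rec["ip"], trusted_networks):
            findings.append({"rule": "untrusted_source", "ip": rec["ip"], "line": raw})
        if rec["method"] == "POST" and rec["user"] == "-":
            findings.append({"rule": "unauth_post", "ip": rec["ip"], "line": raw})
            unauth_posts[rec["ip"]] += 1
    for ip, n in unauth_posts.items():
        if n >= burst_threshold:
            findings.append({"rule": "post_burst", "ip": ip,
                             "line": f"{n} unauthenticated POSTs from one source"})
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'untrusted_source': 4, ...}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = find_anomalies(SAMPLE_LOG)
    for f in results:
        print(f"[{f['rule']}] {f['ip']}: {f['line']}")
    print(summarize(results))
```

On the constructed sample the script flags every request from outside the allow-list, the three unauthenticated POSTs from one external address, and that address as a burst source; the authenticated POST from a trusted management host is left alone. The thresholds and allow-list are starting points, not tuned values.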
CISA Mandates Mitigation for Federal Agencies
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded by adding CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog. This action mandates that Federal Civilian Executive Branch (FCEB) agencies implement necessary mitigations by December 24, 2025, to safeguard their networks.
This disclosure follows a separate report from GreyNoise, which identified a coordinated, automated credential-based campaign targeting enterprise VPN authentication infrastructure. This campaign specifically probed exposed or weakly protected Cisco SSL VPN and Palo Alto Networks GlobalProtect portals. On December 11, 2025, over 10,000 unique IP addresses were observed attempting automated logins to GlobalProtect portals in the U.S., Pakistan, and Mexico, utilizing common username and password combinations. A similar spike in opportunistic brute-force login attempts against Cisco SSL VPN endpoints was recorded on December 12, 2025, originating from 1,273 IP addresses. GreyNoise clarified that this activity represents large-scale scripted login attempts rather than vulnerability exploitation, with consistent infrastructure usage and timing suggesting a single campaign that is pivoting across multiple VPN platforms.
The immediate concern for organizations is Cisco’s release of a patch and its prompt application by users. The mandated deadline for federal agencies to mitigate CVE-2025-20393 highlights the urgency of the situation. Other organizations should closely monitor Cisco’s advisories and implement the recommended interim measures. The concurrent VPN targeting incidents underscore the evolving threat landscape and the importance of robust network security practices.