Cisco Warns of Unpatched Zero-Day Vulnerability in AsyncOS
Cisco has warned customers about an unpatched zero-day vulnerability in Cisco AsyncOS that is already being actively exploited in attacks targeting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) devices.
The vulnerability, assigned the identifier CVE-2025-20393, affects only Cisco SEG and Cisco SEWM devices with non-standard configurations. For a successful attack, the spam quarantine feature must be enabled and accessible via the internet.
Attribution and Threat Actor Activity
Cisco Talos experts believe a Chinese hacker group, tracked under the codename UAT-9686, is behind the exploitation of this bug to execute arbitrary commands with root privileges.
The group deploys a persistent backdoor that Talos tracks as AquaShell, uses the AquaTunnel and Chisel malware to establish reverse SSH tunnels into victims' systems, and clears logs with a tool named AquaPurge. Indicators of compromise have been published on GitHub.
AquaTunnel and other malware involved in these attacks have previously been linked to other Chinese groups, including UNC5174 and APT41.
"With moderate confidence, we assess that the actor we are tracking as UAT-9686 is a Chinese APT group whose tools and infrastructure are linked to other Chinese cyber attack groups," the Cisco Talos report states. "As part of this activity, UAT-9686 deploys its own persistence mechanism, which we track as AquaShell, and also employs additional tools designed for reverse tunneling and log clearing."
Although the attacks were detected on December 10, 2025, researchers believe the malicious campaign has been ongoing since at least late November.
Mitigation Recommendations
"If the device's management web interface or the spam quarantine port is found to be open and accessible via the internet, Cisco strongly recommends, if possible, performing a multi-step procedure to restore the device's secure configuration," the developers warn.
Since patches are not yet available, the company advises administrators to secure and restrict access to vulnerable devices. Recommendations include limiting internet access, restricting connections to trusted hosts only, and placing devices behind firewalls to filter traffic. Additionally, administrators should separate mail processing and management functions, monitor network logs for unusual activity, and retain logs for potential investigations.
Cisco also recommends disabling unnecessary services, keeping systems up to date, implementing robust authentication methods such as SAML or LDAP, changing default passwords, and using SSL or TLS certificates to protect management traffic.
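One way to put the "trusted hosts only" and "separate mail processing from management" advice into practice is an allowlist on the firewall in front of the appliance. The nftables ruleset below is an added example and is not Cisco's configuration or part of the article; the appliance address, the admin subnet, and the management and quarantine port numbers are placeholders to be replaced with the values the device is actually configured with. SMTP stays reachable so mail keeps flowing, while the management interface and the spam quarantine are reachable only from the admin network, and every other attempt to reach those ports is logged before it is dropped so it shows up when reviewing network logs.

```nft
# Added example (not from Cisco or the article): upstream nftables policy for a Secure Email Gateway.
# Placeholders: SEG_ADDR, ADMIN_NET and the port list must be replaced with the real values.

define SEG_ADDR  = 192.0.2.10          # placeholder: the appliance's address
define ADMIN_NET = 10.10.0.0/24        # placeholder: the trusted management hosts

# Ports that must never be reachable from the internet (assumed values):
#   22   SSH management
#   443  HTTPS management interface
#   8443 placeholder for the port the end-user spam quarantine listens on
define RESTRICTED_PORTS = { 22, 443, 8443 }

table inet seg_filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Let replies and related traffic through.
        ct state established,related accept

        # Mail processing: SMTP has to remain reachable from anywhere.
        ip daddr $SEG_ADDR tcp dport 25 accept

        # Management and quarantine: trusted admin hosts only.
        ip saddr $ADMIN_NET ip daddr $SEG_ADDR tcp dport $RESTRICTED_PORTS accept

        # Any other attempt to reach those ports is logged (for review) and dropped.
        ip daddr $SEG_ADDR tcp dport $RESTRICTED_PORTS log prefix "seg-mgmt-denied: " drop
    }
}
```

Load it with `nft -f` on the firewall that forwards traffic to the appliance; the `policy drop` default means anything not explicitly listed (including the quarantine port from untrusted sources) is blocked, and the `seg-mgmt-denied:` prefix makes blocked attempts easy to pick out of the kernel log. This restricts exposure but does not replace Cisco's own multi-step restoration procedure for devices whose interfaces were already reachable from the internet.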
Customers who wish to check if their devices have been compromised should open a case with the Cisco Technical Assistance Center (TAC).