Cisco AsyncOS 0-Day Actively Exploited: Mitigate Now

December 18, 2025 at 12:00 AM

Cisco has confirmed active exploitation of a maximum-severity zero-day in AsyncOS powering Secure Email Gateway and Secure Email and Web Manager. Tracked as CVE-2025-20393 (CVSS 10.0), the flaw allows root-level command execution and persistence on affected appliances. The activity is attributed to China-nexus APT UAT-9686 and dates back to late November 2025. No patch is available at publication.

What’s affected

  • All releases of Cisco AsyncOS used by Secure Email Gateway and Secure Email and Web Manager.

Exploitation prerequisites

  • Spam Quarantine is enabled.
  • The Spam Quarantine service is reachable from the internet.
    Note: Spam Quarantine is off by default.

How to check if Spam Quarantine is enabled

  • Log in to the web management interface.
  • Secure Email Gateway: Network > IP Interfaces > select the interface configured for Spam Quarantine.
  • Secure Email and Web Manager: Management Appliance > Network > IP Interfaces > select the interface configured for Spam Quarantine.
  • If the Spam Quarantine option is checked, it is enabled.

Attacker tactics, tools, and malware

  • Root command execution and persistence on compromised appliances.
  • Tunneling tools: ReverseSSH/AquaTunnel and Chisel.
  • Log cleaner: AquaPurge.
  • Backdoor: AquaShell (listens for unauthenticated HTTP POSTs with encoded payloads, decodes, and executes them in the system shell).

Timeline

  • Late Nov 2025: Exploitation observed in the wild.
  • Dec 10, 2025: Cisco identifies the campaign and begins investigation.
  • Patch: Not yet available.

Immediate mitigations (apply now)

  • Restore appliances to a secure baseline configuration.
  • Remove direct internet exposure; place behind a firewall and allow access only from trusted hosts.
  • Separate mail and management onto different network interfaces.
  • Disable HTTP for the main admin portal; require HTTPS.
  • Turn off any unnecessary network services.
  • Enforce strong authentication (e.g., SAML or LDAP) and change default admin credentials.
  • Monitor web and system logs for anomalies, unexpected tunnels, or artifacts tied to AquaShell, AquaTunnel, Chisel, and AquaPurge.
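To make the last item concrete, here is an added hunting example (written for this page, not Cisco's or The Hacker News' tooling). It runs two checks the advisory implies: unauthenticated HTTP POSTs carrying base64-encoded bodies to paths other than the login form, which is the AquaShell pattern described above, and process listings that mention the named tunneling and log-cleaning tools. The log format, the request paths, the IP addresses and the process listing are all constructed for the example, and matching on tool names assumes the binaries keep their public names on disk, which the advisory does not promise.

```python
"""Hunt for AsyncOS post-exploitation artifacts in web and process logs.

Added example, not vendor tooling. Assumptions:
- web log lines are in combined format plus a trailing "body=<base64>" field
  that a reverse proxy in front of the quarantine interface records;
- request paths, addresses and the process listing are constructed samples;
- tool binaries keep their public names (chisel, reversessh, ...).
"""
import base64
import binascii
import re

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" '
    r'"(?P<ua>[^"]*)"(?: body=(?P<body>\S+))?$'
)

# Paths where an unauthenticated POST is legitimate (the login form).
# An unauthenticated POST with an encoded body anywhere else is what we flag.
EXPECTED_UNAUTH_POST = {"/login"}

# Names taken from the advisory; assumes the tools are not renamed on disk.
TOOL_HINTS = ("chisel", "reversessh", "reverse-ssh", "aquatunnel",
              "aquashell", "aquapurge")

# Constructed payload so the sample decodes cleanly; content is irrelevant.
_ENCODED = base64.b64encode(b"echo constructed-sample").decode()

# Constructed sample log (not real appliance output).
SAMPLE_WEB_LOG = f"""\
203.0.113.10 - - [01/Dec/2025:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Dec/2025:10:00:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" body=dXNlcj1hZG1pbg==
203.0.113.10 - admin [01/Dec/2025:10:00:09 +0000] "POST /quarantine/release HTTP/1.1" 200 20 "-" "Mozilla/5.0" body=aWQ9NDI=
198.51.100.7 - - [01/Dec/2025:10:03:12 +0000] "POST /quarantine/cmd HTTP/1.1" 200 38 "-" "python-requests/2.31" body={_ENCODED}
198.51.100.7 - - [01/Dec/2025:10:03:40 +0000] "POST /quarantine/cmd HTTP/1.1" 200 41 "-" "python-requests/2.31" body={_ENCODED}
192.0.2.5 - - [01/Dec/2025:10:04:00 +0000] "POST /quarantine/cmd HTTP/1.1" 200 12 "-" "curl/8.0" body=not-base64!
"""

# Constructed process listing: "user pid cpu command".
SAMPLE_PS = """\
root       1 0.0 /sbin/init
root     842 0.1 /usr/sbin/sshd -D
nobody  2213 0.0 /tmp/.cache/chisel client 198.51.100.7:8080 R:socks
root    2290 0.0 /tmp/reversessh -p 4444
"""


def looks_base64(s: str, min_len: int = 8) -> bool:
    """True if s is well-formed (strict) base64 of at least min_len characters."""
    if len(s) < min_len:
        return False
    try:
        base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def suspicious_posts(log_text: str) -> list[dict]:
    """Unauthenticated POSTs with base64 bodies to non-login paths."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        if d["method"] != "POST" or d["user"] != "-":
            continue
        if d["path"] in EXPECTED_UNAUTH_POST:
            continue
        body = d.get("body")
        if body and looks_base64(body):
            findings.append({"ip": d["ip"], "path": d["path"],
                             "ts": d["ts"], "ua": d["ua"]})
    return findings


def tool_processes(ps_text: str) -> list[str]:
    """Process lines whose command mentions one of the advisory's tool names."""
    return [line.strip() for line in ps_text.splitlines()
            if any(hint in line.lower() for hint in TOOL_HINTS)]


if __name__ == "__main__":
    for f in suspicious_posts(SAMPLE_WEB_LOG):
        print("suspicious POST:", f)
    for p in tool_processes(SAMPLE_PS):
        print("tool process:", p)
```

The POST check deliberately keys on the combination (unauthenticated, POST, encoded body, non-login path) rather than on any single field, since an authenticated quarantine release also carries a small encoded body. Treat a hit as a lead for the rebuild decision above, not as proof on its own.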

If compromise is confirmed

  • Fully rebuild the appliance to remove persistence.

Regulatory update

  • CISA added CVE-2025-20393 to the KEV catalog. U.S. FCEB agencies must apply mitigations by December 24, 2025.

Related but separate activity

  • GreyNoise reports a coordinated, automated credential-based campaign against enterprise VPN portals (Cisco SSL VPN and Palo Alto Networks GlobalProtect).
  • Over 10,000 IPs attempted logins to GlobalProtect portals (U.S., Pakistan, Mexico) on Dec 11, 2025; 1,273 IPs targeted Cisco SSL VPNs on Dec 12, 2025.
  • These are large-scale scripted login attempts, not exploitation of a specific vulnerability.
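Because the VPN campaign is scripted logins rather than an exploit, the useful signal is many distinct source addresses failing against one portal in a short window. The following detector is an added example for this page (not GreyNoise's or either vendor's code); it buckets failed authentications into fixed windows and flags a window when the number of distinct failing IPs crosses a threshold. The log format, the portal name, the addresses and the thresholds are constructed assumptions.

```python
"""Flag distributed credential-based login campaigns against a portal.

Added example. Assumes an auth log of the form
  <ISO timestamp> portal=<name> src=<ip> user=<name> result=<ok|fail>
(constructed format) and fixed-size windows that divide the hour evenly.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) portal=(?P<portal>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def _build_sample() -> str:
    """Constructed sample: one success, a 40-IP burst, then one user's typos."""
    base = datetime(2025, 12, 11, 3, 0, 0)
    lines = [f"{base.isoformat()} portal=vpn-gw src=203.0.113.10 user=alice result=ok"]
    for i in range(40):  # 40 distinct addresses, each trying one username once
        ts = (base + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{ts} portal=vpn-gw src=198.51.100.{i + 1} "
                     f"user=user{i:02d} result=fail")
    for i in range(2):   # a single person mistyping twice is not a campaign
        ts = (base + timedelta(minutes=30, seconds=i)).isoformat()
        lines.append(f"{ts} portal=vpn-gw src=203.0.113.22 user=bob result=fail")
    return "\n".join(lines)


SAMPLE_AUTH_LOG = _build_sample()


def flag_distributed_failures(log_text: str, window_minutes: int = 5,
                              min_ips: int = 25) -> list[dict]:
    """Return windows where >= min_ips distinct sources failed on one portal."""
    buckets = defaultdict(lambda: {"ips": set(), "users": set(), "fails": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "fail":
            continue
        ts = datetime.fromisoformat(m["ts"])
        # Fixed window: floor the minute to a multiple of window_minutes.
        start = ts.replace(minute=(ts.minute // window_minutes) * window_minutes,
                           second=0, microsecond=0)
        b = buckets[(m["portal"], start)]
        b["ips"].add(m["src"])
        b["users"].add(m["user"])
        b["fails"] += 1
    return [
        {"portal": portal, "window_start": start.isoformat(),
         "distinct_ips": len(b["ips"]), "distinct_users": len(b["users"]),
         "failures": b["fails"]}
        for (portal, start), b in sorted(buckets.items())
        if len(b["ips"]) >= min_ips
    ]


if __name__ == "__main__":
    for finding in flag_distributed_failures(SAMPLE_AUTH_LOG):
        print("distributed login campaign:", finding)
```

Fixed windows are simple to run over batch logs but can split a burst across a boundary; lowering `min_ips` or adding a sliding window fixes that at the cost of more noise. The distinct-user count is reported because a high IP count with a high user count is password spraying across accounts, while a high IP count against one user is a distributed attack on that account, and the response differs.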

Action needed: Prioritize mitigations if Spam Quarantine is internet-exposed, hunt for the listed tools and backdoor behaviors, and be prepared to rebuild appliances if compromise is suspected.

Source: The Hacker News
