Ethical Hacking News
Cisco has released a patch for CVE-2025-20393, a critical zero-day vulnerability in its Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances that has been exploited in attacks since November 2025. The flaw lets an attacker execute arbitrary commands as root on an affected appliance. Cisco Talos, the company's threat intelligence team, assesses that a Chinese hacking group it tracks as UAT-9686 is likely behind the activity, and notes that parts of the group's toolset overlap with tooling used by other Chinese state-backed groups such as APT41 and UNC5174. Organizations running SEG or SEWM appliances should assess their exposure now, upgrade to a fixed release, and check exposed appliances for signs of compromise.
Cisco has finally released a patch for CVE-2025-20393, a severe vulnerability in AsyncOS, the operating system of its Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances, that has been exploited in attacks since November 2025. Cisco Talos, the company's threat intelligence research team, believes a Chinese hacking group tracked as UAT-9686 is likely responsible.
The vulnerability affects only SEG and SEWM appliances in a non-standard configuration: the Spam Quarantine feature enabled and its interface exposed to the Internet. In that configuration an unauthenticated, remote attacker can execute arbitrary commands with root privileges on the appliance's underlying operating system. Root on a mail gateway gives the attacker full control of the appliance, including the mail flow it inspects, and a foothold from which to persist and move further into the network.
According to Cisco Talos, UAT-9686 has deployed several tools in these intrusions: the AquaShell backdoor for persistence, the AquaTunnel reverse-SSH tunnel and the open-source Chisel tunneling tool for remote access, and AquaPurge, a log-clearing utility used to wipe traces of the activity. Talos notes that parts of this toolset overlap with tooling used by other Chinese state-backed groups such as APT41 and UNC5174. Because the attackers actively clear logs on the appliance, an absence of evidence in appliance logs is not evidence of absence; defenders should also look for unexpected outbound SSH or Chisel tunnels from the appliance in firewall, netflow, or proxy logs.
Exploitation began in November 2025 and continued until the fix was released, so for most of that window there was no patch to apply. Two things follow. Vulnerable appliances should be upgraded to a fixed software version as soon as possible, following the upgrade instructions in Cisco's security advisory. And any appliance that was in the vulnerable configuration during that window should be treated as potentially compromised and investigated, because upgrading does not remove a backdoor that has already been installed.
Beyond the vulnerability itself, the attribution to a Chinese state-backed group, and the overlap of its tooling with APT41 and UNC5174, places this campaign within a broader pattern of state actors targeting Internet-facing edge appliances. It underscores the need for continued vigilance and for cooperation between governments and the security community against this class of threat.
The exploitation also illustrates which defences matter against a zero-day. Configuration hardening, in particular not exposing management or quarantine interfaces to the Internet, reduces the attack surface before any patch exists; prompt patching then closes the window once a fix is available. Organizations need to track emerging vulnerabilities and act on vendor advisories quickly.
In light of these developments, organizations using Cisco SEG or SEWM appliances should check now whether the Spam Quarantine feature is enabled and reachable from the Internet, upgrade to a fixed release per Cisco's advisory, and investigate any exposed appliance for signs of compromise. Where an upgrade cannot be applied immediately, restricting Internet access to the Spam Quarantine interface removes the precondition the attackers relied on and reduces the risk of further exploitation.
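The exposure check described above, as an added example that is not Cisco's code or tooling. It assumes an appliance inventory exported from your own configuration management (constructed sample data below), assumes the default Spam Quarantine listener ports of 82 (HTTP) and 83 (HTTPS), which you should verify against each appliance's configuration, and treats any listener address outside RFC 1918, loopback, and link-local ranges as Internet-facing. The documentation addresses in the sample (203.0.113.x, 198.51.100.x) stand in for public ones.

```python
"""Exposure triage for CVE-2025-20393: which SEG/SEWM appliances match the
exploited configuration (Spam Quarantine enabled and reachable from the
Internet), and which of those need an investigation, not just a patch.

Added example, not Cisco's code. Port numbers and the notion of "internal"
address ranges are assumptions documented inline.
"""
import ipaddress
import socket
from dataclasses import dataclass

# Assumed AsyncOS Spam Quarantine defaults (HTTP, HTTPS); confirm per appliance.
DEFAULT_QUARANTINE_PORTS = (82, 83)

# Addresses we consider not reachable from the Internet. Deliberately listed
# explicitly rather than using ipaddress.is_global, which also treats the
# TEST-NET documentation ranges used in the sample data as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


@dataclass
class Appliance:
    hostname: str
    product: str                     # "SEG" or "SEWM"
    spam_quarantine_enabled: bool
    quarantine_listener_ip: str      # address the quarantine web UI listens on
    quarantine_ports: tuple = DEFAULT_QUARANTINE_PORTS
    patched: bool = False            # True once running a fixed release per Cisco's advisory


def is_internet_facing(ip: str) -> bool:
    """True unless the address falls in a private, loopback, or link-local range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify(a: Appliance) -> str:
    """Verdict for one appliance, ordered from least to most urgent."""
    if not a.spam_quarantine_enabled:
        return "not-exposed: spam quarantine disabled; patch on normal schedule"
    if not is_internet_facing(a.quarantine_listener_ip):
        return "internal-only: quarantine listener on an internal address; patch, then confirm no NAT/port-forward exposes it"
    if a.patched:
        # Exploitation predates the patch, so a patched appliance that was
        # exposed during the window still needs a compromise assessment.
        return "exposed-but-patched: investigate for compromise during the exploitation window"
    return "EXPOSED-UNPATCHED: matches exploited configuration; patch or restrict Internet access now, then investigate"


def triage(inventory):
    """Map hostname -> verdict for a whole inventory."""
    return {a.hostname: classify(a) for a in inventory}


def probe_ports(host: str, ports=DEFAULT_QUARANTINE_PORTS, timeout: float = 3.0):
    """Live check, run from an external vantage point: returns the quarantine
    ports that accept a TCP connection. Catches the NAT/port-forward case that
    an inventory based on the listener address alone would miss."""
    reachable = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                reachable.append(port)
        except OSError:
            pass
    return reachable


# Constructed sample inventory; replace with your own export.
SAMPLE_INVENTORY = [
    Appliance("esa1.example.com", "SEG", True, "203.0.113.10"),
    Appliance("esa2.example.com", "SEG", True, "10.20.0.5"),
    Appliance("sma1.example.com", "SEWM", False, "203.0.113.20"),
    Appliance("esa3.example.com", "SEG", True, "198.51.100.7", patched=True),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

The offline triage only knows what the inventory says; the "internal-only" verdict is provisional until probe_ports, run from outside your network, confirms that ports 82 and 83 are not reachable on the appliance's public name.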
Related Information:
https://www.ethicalhackingnews.com/articles/Cisco-Issues-Patch-for-AsyncOS-Zero-Day-Exploit-Targeting-Secure-Email-Gateway-Appliances-ehn.shtml
https://www.bleepingcomputer.com/news/security/cisco-finally-fixes-asyncos-zero-day-exploited-since-november/
https://threatprotect.qualys.com/2025/12/18/cisco-releases-fix-for-actively-exploited-zero-day-vulnerability-cve-2025-20393/
https://nvd.nist.gov/vuln/detail/CVE-2025-20393
https://www.cvedetails.com/cve/CVE-2025-20393/
https://attack.mitre.org/groups/G0096/
https://www.fbi.gov/wanted/cyber/apt-41-group
https://www.sysdig.com/blog/unc5174-chinese-threat-actor-vshell
https://malpedia.caad.fkie.fraunhofer.de/actor/unc5174
Published: Fri Jan 16 03:35:23 2026 by llama3.2 3B Q4_K_M