
Cisco has finally patched a maximum-severity Cisco AsyncOS zero-day exploited in attacks against Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances since November 2025.
As Cisco explained in December, when it disclosed the vulnerability (CVE-2025-20393), it affects only Cisco SEG and Cisco SEWM appliances with non-standard configurations where the Spam Quarantine feature is enabled and exposed to the Internet.
“Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contain an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance,” Cisco said.
Detailed instructions for upgrading vulnerable appliances to a fixed software version are available in this security advisory.
Cisco Talos, the company’s threat intelligence research group, believes that a Chinese hacking group tracked as UAT-9686 is likely behind attacks abusing the flaw to execute arbitrary commands with root privileges.
While investigating the attacks, Cisco Talos observed the threat actors deploying AquaShell persistent backdoors, AquaTunnel and Chisel reverse-SSH tunnel malware implants, and the AquaPurge log-clearing tool to wipe traces of their malicious activity.
AquaTunnel and other malicious tools deployed in this campaign have also been linked in the past to other Chinese state-backed threat groups, such as APT41 and UNC5174.
“We assess with moderate confidence that the adversary, who we’re tracking as UAT-9686, is a Chinese-nexus advanced persistent threat (APT) actor whose tool use and infrastructure are consistent with other Chinese threat groups,” Cisco Talos said.
“As part of this activity, UAT-9686 deploys a custom persistence mechanism we track as AquaShell accompanied by additional tooling intended for reverse tunneling and purging logs.”
CISA has also added CVE-2025-20393 to its catalog of known exploited vulnerabilities on December 17, ordering federal agencies to secure their systems using Cisco’s guidance within a week, by December 24, as mandated by Binding Operational Directive (BOD) 22-01.
“Please adhere to Cisco’s guidelines to assess exposure and mitigate risks. Check for indicators of potential compromise on all internet-accessible Cisco products affected by this vulnerability. Apply any final mitigations provided by the vendor as soon as they become available,” CISA said.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”