Find notable cyber news and cases, enriched with sources, timelines, and signals.
Vulnerability Campaign Security Patch Release

Cisco AsyncOS email appliance zero-day exploitation and remediation

Updated 16.01.2026 07:38
Case score 66
Case score 66 Members 3 Latest activity 16.01.2026 07:38
Active exploitation Patch available CVSS: 10.0 Critical
Members 3 First seen 17.12.2025 20:45 Last seen 16.01.2026 07:38 Updated 16.01.2026 07:38

Overview

**CVE-2025-20393** in **Cisco AsyncOS** is being actively used against **Cisco Secure Email Gateway** and **Cisco Secure Email and Web Manager** appliances when **Spam Quarantine** is internet-reachable. Cisco said **UAT-9686** used the flaw as a zero-day to gain root command execution and establish persistence with tunneling and log-clearing tooling. Cisco has released fixes and hardening guidance, and confirmed compromises may require rebuilding the appliance to clear persistence. **CVE-2025-20393** is also in **CISA's KEV** catalog, while the full reach of the activity remains unquantified.

Signals

9 derived
Exploitation
Exploitation Active exploitation CVSS 10.0 Critical
CVEs/products
CVE
Remediation
Urgency High Remediation Patch available
Status
Campaign status Active
Threat context
Tooling Actor UAT-9686 Malware

Malware context

2 families · 5 tools
Tools
AquaPurge AquaShell AquaTunnel Chisel ReverseSSH

Member happenings

3 related
Vulnerability Cisco AsyncOS Spam Quarantine RCE (CVE-2025-20393)
Updated 16.01.2026 07:38 Lead Contribution 63
Exploitation Active Exploitation CVSS 10.0 Critical Patch Patch Available

**CVE-2025-20393** is a **maximum-severity** flaw in **Cisco AsyncOS Software** that affects **Cisco Secure Email Gateway** and **Cisco Secure Email and Web Manager** appliances when **Spam Quarantine** is enabled and reachable from the internet. Cisco said the issue was **actively exploited as a zero-day** by **UAT-9686**, who used it to gain **root-level command execution**, establish **persistence**, and deploy tools including **ReverseSSH (aka AquaTunnel)**, **Chisel**, **AquaPurge**, and **AquaShell**. Cisco has released security updates, and **CISA** added the CVE to **KEV**. The company also advised customers to reduce exposure by limiting internet access, disabling unnecessary services, and hardening appliance access controls.

Campaign UAT-9686 Cisco AsyncOS exploitation and persistence campaign
Updated 17.12.2025 20:45 Scoring Support Contribution 2
Campaign Active Patch No Patch

The **UAT-9686** campaign is actively exploiting **CVE-2025-20393** on **Cisco AsyncOS** email appliances, giving attackers **root command execution** and a foothold for persistence. The activity targets **Secure Email Gateway (SEG)** and **Secure Email and Web Manager (SEWM)** appliances exposed through **Spam Quarantine** configurations on the Internet. Cisco first spotted the attacks on **December 10** and says the operation has been active since at least **late November 2025**.

Security Patch Release Cisco AsyncOS security update for CVE-2025-20393
Updated 16.01.2026 07:38 Context
Exploitation Active Exploitation CVSS 10.0 Critical Urgency High Patch Patch Available

Cisco released **security updates** for **CVE-2025-20393** in **Cisco AsyncOS Software** for **Cisco Secure Email Gateway** and **Cisco Secure Email and Web Manager**, closing a **maximum-severity** remote-command-execution flaw. The fix matters because the vulnerability had already been used as a **zero-day** and could grant attackers **root privileges** on affected appliances. Cisco also removed persistence mechanisms linked to the attack campaign. Administrators need to move to the fixed AsyncOS releases and harden exposure around the affected email security systems.