Vulnerability
Campaign
Security Patch Release
Cisco AsyncOS email appliance zero-day exploitation and remediation
Updated 16.01.2026 07:38
Case score 66
Why this score?
Case score is a discovery signal based on public evidence, not a guaranteed risk rating. Use it to decide what to review first, then verify important details from the linked sources.
- Total
- 66
- Main story score
- 63
- Related evidence lift
- +3 / 20
- Contributing updates
- 1
- Context updates
- 1
Top contributors
- Vulnerability Base event: maximum-severity Cisco AsyncOS RCE with confirmed zero-day abuse. main
- Security Patch Release Cisco's fixed-release and hardening guidance for the same CVE and appliance family. context
- Campaign Direct exploitation and post-exploitation tooling tied to the same Cisco AsyncOS flaw. contributes
Case score 66
Members 3
Latest activity 16.01.2026 07:38
Active exploitation
Patch available
CVSS: 10.0 Critical
Members 3
First seen 17.12.2025 20:45
Last seen 16.01.2026 07:38
Updated 16.01.2026 07:38
Overview
**CVE-2025-20393** in **Cisco AsyncOS** is being actively used against **Cisco Secure Email Gateway** and **Cisco Secure Email and Web Manager** appliances when **Spam Quarantine** is internet-reachable. Cisco said **UAT-9686** used the flaw as a zero-day to gain root command execution and establish persistence with tunneling and log-clearing tooling.
Cisco has released fixes and hardening guidance, and confirmed compromises may require rebuilding the appliance to clear persistence. **CVE-2025-20393** is also in **CISA's KEV** catalog, while the full reach of the activity remains unquantified.
Attackers are exploiting **CVE-2025-20393** in **Cisco AsyncOS** on **Cisco Secure Email Gateway** and **Cisco Secure Email and Web Manager** appliances when **Spam Quarantine** is enabled and reachable from the internet. Cisco said the flaw comes from insufficient validation of HTTP requests and can let a remote attacker execute commands with root privileges on an affected appliance. Cisco identified **UAT-9686** as the actor behind the zero-day activity and said the abuse was visible from at least late November 2025. Cisco also said it first noticed the intrusion activity on December 10 and that the campaign used **ReverseSSH (AquaTunnel)**, **Chisel**, **AquaPurge**, and **AquaShell**.
Cisco released security updates for affected AsyncOS releases and said rebuilding a confirmed compromised appliance is the only viable way to remove the persistence it found. The vendor said customers should place the appliances behind a firewall, disable HTTP for the main administrator portal, turn off unnecessary network services, and use stronger authentication such as **SAML** or **LDAP**. CISA added **CVE-2025-20393** to its **KEV** catalog, which reinforced the urgency for exposed systems. The available evidence does not quantify how many appliances were affected or how widely the exploitation reached.
Signals
9 derivedExploitation
Exploitation
Active exploitation
CVSS
10.0 Critical
CVEs/products
CVE
Remediation
Urgency
High
Remediation
Patch available
Status
Campaign status
Active
Threat context
Tooling
Actor
UAT-9686
Malware
Malware context
2 families · 5 toolsTools
AquaPurge
AquaShell
AquaTunnel
Chisel
ReverseSSH
Member happenings
3 related
Vulnerability
Cisco AsyncOS Spam Quarantine RCE (CVE-2025-20393)
Exploitation
Active Exploitation
CVSS
10.0 Critical
Patch
Patch Available
Vulnerability
Cisco AsyncOS Spam Quarantine RCE (CVE-2025-20393)
Exploitation
Active Exploitation
CVSS
10.0 Critical
Patch
Patch Available
Campaign
UAT-9686 Cisco AsyncOS exploitation and persistence campaign
Campaign
Active
Patch
No Patch
Campaign
UAT-9686 Cisco AsyncOS exploitation and persistence campaign
Campaign
Active
Patch
No Patch
Security Patch Release
Cisco AsyncOS security update for CVE-2025-20393
Exploitation
Active Exploitation
CVSS
10.0 Critical
Urgency
High
Patch
Patch Available
Security Patch Release
Cisco AsyncOS security update for CVE-2025-20393
Exploitation
Active Exploitation
CVSS
10.0 Critical
Urgency
High
Patch
Patch Available