Cisco AsyncOS email appliance zero-day exploitation and remediation

Attackers are exploiting **CVE-2025-20393** in **Cisco AsyncOS** on **Cisco Secure Email Gateway** and **Cisco Secure Email and Web Manager** appliances when **Spam Quarantine** is enabled and reachable from the internet. Cisco said the flaw comes from insufficient validation of HTTP requests and can let a remote attacker execute commands with root privileges on an affected appliance. Cisco identified **UAT-9686** as the actor behind the zero-day activity and said the abuse was visible from at least late November 2025. Cisco also said it first noticed the intrusion activity on December 10 and that the campaign used **ReverseSSH (AquaTunnel)**, **Chisel**, **AquaPurge**, and **AquaShell**. Cisco released security updates for affected AsyncOS releases and said rebuilding a confirmed compromised appliance is the only viable way to remove the persistence it found. The vendor said customers should place the appliances behind a firewall, disable HTTP for the main administrator portal, turn off unnecessary network services, and use stronger authentication such as **SAML** or **LDAP**. CISA added **CVE-2025-20393** to its **KEV** catalog, which reinforced the urgency for exposed systems. The available evidence does not quantify how many appliances were affected or how widely the exploitation reached.