CyberHappenings

Active Exploitation of Unpatched Cisco AsyncOS Zero-Day in SEG and SEWM Appliances

2 unique sources, 4 articles

Summary


Cisco has disclosed a critical zero-day vulnerability (CVE-2025-20393) in AsyncOS, the software that runs its Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. The flaw lets a remote attacker execute arbitrary commands as root on the appliance. It has been exploited since at least late November 2025 by a threat group Cisco tracks as UAT-9686, assessed to be Chinese, to deploy backdoors and post-exploitation tooling including AquaShell, AquaTunnel, Chisel, and AquaPurge. No fix was available at disclosure; Cisco initially advised securing and restricting access to the appliances and has since released fixed AsyncOS versions (see the 16 January entry). CISA added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, requiring FCEB agencies to apply mitigations by December 24, 2025. Separately, GreyNoise detected a coordinated credential-based campaign against enterprise VPN infrastructure, including Cisco SSL VPN and Palo Alto Networks GlobalProtect portals.

Timeline

  1. 16.01.2026 07:38 · 2 articles

    Cisco Releases Security Updates for Zero-Day Vulnerability

    Cisco has released security updates for CVE-2025-20393 in AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The first fixed releases, spanning the 15.0, 15.5 and 16.0 trains across the two products, are 15.0.5-016, 15.5.4-012, 16.0.4-016, 15.0.2-007, 15.5.4-007 and 16.0.4-010; which release applies depends on the product and the train it is running, so confirm the exact mapping against Cisco's advisory before declaring an appliance fixed. Cisco is also urging customers to follow its hardening guidance: prevent access from unsecured networks, place appliances behind a firewall, monitor web log traffic, disable HTTP for the main administrator portal, disable unnecessary network services, enforce strong end-user authentication, and change the default administrator password.

  2. 18.12.2025 06:10 · 1 article

    GreyNoise Detects Coordinated Campaign Targeting Enterprise VPN Infrastructure

    GreyNoise detected a coordinated, automated credential-based campaign targeting enterprise VPN authentication infrastructure, including Cisco SSL VPN and Palo Alto Networks GlobalProtect portals. More than 10,000 unique IPs engaged in automated login attempts to GlobalProtect portals, and a similar spike in opportunistic brute-force login attempts was recorded against Cisco SSL VPN endpoints.

  3. 17.12.2025 20:45 · 4 articles

    Cisco Warns of Active Exploitation of Unpatched AsyncOS Zero-Day

    Cisco has disclosed a critical zero-day vulnerability (CVE-2025-20393) in AsyncOS, affecting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. The flaw allows a remote attacker to execute arbitrary commands with root privileges. It is being actively exploited by UAT-9686, a threat group assessed to be Chinese, to deploy backdoors and other malware, including AquaShell, AquaTunnel, Chisel, and AquaPurge; the attacks have been ongoing since at least late November 2025. Fixed software was not yet available at the time of the warning, so Cisco's guidance was to secure and restrict access to vulnerable appliances (fixed releases followed on 16 January 2026, above). CISA has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, requiring FCEB agencies to apply mitigations by December 24, 2025.

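The 16 January entry lists six fixed AsyncOS releases without saying which belong to SEG and which to SEWM, and the build numbering ("15.0.5-016") does not sort as a plain string. The script below is an added example, not Cisco tooling: it parses a release string into (major, minor, patch, build), compares only within the same major.minor train, and treats a train with no fixed release as needing migration rather than as safe. The list of fixed releases is copied from the entry above; the version strings fed to it are constructed.

```python
import re
from typing import Iterable, List, Optional, Tuple

# (major, minor, patch, build) parsed from strings such as "15.0.5-016"
Version = Tuple[int, int, int, int]

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)-(\d+)\s*$")


def parse_version(text: str) -> Version:
    """Parse an AsyncOS release string into a tuple that compares numerically."""
    m = _VERSION_RE.match(text)
    if not m:
        # Refuse partial strings like "15.0.3": the build number is part of the fix boundary.
        raise ValueError(f"unrecognised AsyncOS version string: {text!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch, build)


def train(v: Version) -> Tuple[int, int]:
    """A release train is the major.minor pair; fixes only apply within their own train."""
    return v[0], v[1]


def required_fix(running: str, fixed_versions: Iterable[str]) -> Optional[Version]:
    """Return the fixed release that the running train must reach, or None if the
    train has no fixed release at all."""
    r = parse_version(running)
    fixes: List[Version] = [parse_version(f) for f in fixed_versions]
    same_train = [f for f in fixes if train(f) == train(r)]
    if not same_train:
        return None
    # If the list mixes products and therefore carries two fixes for one train,
    # demand the higher one: this may flag an already-fixed box, but never clears
    # an unfixed one.
    return max(same_train)


def assess(running: str, fixed_versions: Iterable[str]) -> str:
    """Classify a running version as FIXED, VULNERABLE or NO_FIX_IN_TRAIN."""
    r = parse_version(running)
    fix = required_fix(running, fixed_versions)
    if fix is None:
        return "NO_FIX_IN_TRAIN"  # e.g. an older train: migrate to a train that has a fix
    return "FIXED" if r >= fix else "VULNERABLE"


# Fixed releases as named in the 16 January entry. The page does not state which
# three apply to SEG and which to SEWM; in practice pass only your product's list.
FIXED_RELEASES_ON_PAGE = [
    "15.0.5-016", "15.5.4-012", "16.0.4-016",
    "15.0.2-007", "15.5.4-007", "16.0.4-010",
]

if __name__ == "__main__":
    # Constructed sample inputs, not versions taken from any real appliance.
    for v in ["15.0.3-008", "15.5.4-012", "16.0.4-010", "14.3.0-032"]:
        print(f"{v:12s} -> {assess(v, FIXED_RELEASES_ON_PAGE)}")
```

Because the mixed list has two fixes in the 16.0 train, `16.0.4-010` is reported VULNERABLE against the full list but FIXED against a list containing only its own product's release; that is the intended conservative behaviour, and the reason to feed the checker a per-product list.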

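The GreyNoise entry describes a campaign whose signature is many distinct source IPs failing authentication against the same portal in a short period, rather than one IP hammering it. The detector below is an added example, not GreyNoise's or any vendor's code: it slides a time window over failed logins per portal and raises an alert when the number of distinct failing source addresses in the window crosses a threshold. The log format and every line of the sample log are constructed for the example and do not mirror a real Cisco ASA or PAN-OS log layout.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed sample log (illustrative format, not a real device log):
#   <ISO timestamp> <portal> <source_ip> <username> <OK|FAIL>
SAMPLE_AUTH_LOG = """\
2025-12-17T03:00:05 gp-portal 198.51.100.10 admin FAIL
2025-12-17T03:00:41 gp-portal 198.51.100.22 jsmith FAIL
2025-12-17T03:01:12 gp-portal 203.0.113.7 admin FAIL
2025-12-17T03:02:03 gp-portal 203.0.113.19 test FAIL
2025-12-17T03:03:30 gp-portal 198.51.100.55 vpn FAIL
2025-12-17T03:04:48 gp-portal 203.0.113.88 admin FAIL
2025-12-17T03:05:10 gp-portal 192.0.2.5 akumar OK
2025-12-17T03:06:00 cisco-sslvpn 192.0.2.40 mlee FAIL
2025-12-17T03:06:20 cisco-sslvpn 192.0.2.40 mlee OK
2025-12-17T03:30:00 cisco-sslvpn 192.0.2.41 pchen FAIL
"""

Event = Tuple[datetime, str, str, str, str]  # (ts, portal, src_ip, user, result)


def parse_line(line: str) -> Event:
    """Split one constructed log line into its fields."""
    ts, portal, src, user, result = line.split()
    return datetime.fromisoformat(ts), portal, src, user, result


def detect_distributed_failures(
    lines: Iterable[str],
    window: timedelta = timedelta(minutes=10),
    min_distinct_ips: int = 5,
) -> Dict[str, dict]:
    """Per portal, find the window of failed logins with the most distinct source
    IPs; report it if that count reaches min_distinct_ips."""
    failures: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev[4] == "FAIL":          # successful logins never count towards the spray
            failures[ev[1]].append(ev)

    alerts: Dict[str, dict] = {}
    for portal, evs in failures.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            ips = {e[2] for e in win}
            if len(ips) < min_distinct_ips:
                continue
            users = {e[3] for e in win}
            best = alerts.get(portal)
            if best is None or len(ips) > best["distinct_ips"]:
                alerts[portal] = {
                    "distinct_ips": len(ips),
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "window_start": evs[start][0],
                    "window_end": evs[end][0],
                }
    return alerts


if __name__ == "__main__":
    for portal, a in detect_distributed_failures(SAMPLE_AUTH_LOG.splitlines()).items():
        print(portal, a)
```

On the sample data only `gp-portal` alerts (six source addresses, four usernames, within five minutes); the two failures on `cisco-sslvpn` are 24 minutes apart and never share a window. A single IP retrying one account many times does not trigger this rule by design; pair it with an ordinary per-source failure counter so both the distributed spray described above and classic single-source brute force are covered.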

Similar Happenings

Critical RCE Flaw in Trend Micro Apex Central On-Prem Windows

Trend Micro has addressed three vulnerabilities in on-premise Windows versions of Apex Central, a web-based management console for multiple Trend Micro products and services (antivirus, content security, threat detection). The most severe, CVE-2025-69258 (CVSS 9.8), is a remote code execution flaw that lets an unauthenticated remote attacker run arbitrary code in the SYSTEM context. Two further flaws, CVE-2025-69259 and CVE-2025-69260 (CVSS 7.5 each), can cause denial-of-service conditions. Builds before 7190 are affected; Trend Micro notes that exploitation requires an attacker to have physical or remote access to a vulnerable machine. Critical Patch Build 7190 addresses all three.

Critical FortiCloud SSO Authentication Bypass Vulnerabilities Patched

Fortinet has released updates for two critical vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that let an attacker bypass FortiCloud SSO authentication with maliciously crafted SAML messages; both stem from improper verification of the cryptographic signatures on those messages. The FortiCloud SSO login feature is not enabled by default but is switched on by FortiCare registration unless the administrator explicitly disables it. Threat actors have begun exploiting the flaws in active attacks on FortiGate devices, performing malicious SSO logins from hosting-provider IP addresses: they targeted admin accounts, reached the web management interface, and downloaded system configuration files, which expose network layouts, internet-facing services, firewall policies, potentially vulnerable interfaces, routing tables, and hashed passwords. Over 25,000 Fortinet devices with FortiCloud SSO enabled are exposed online, more than 5,400 of them in the United States and nearly 2,000 in India. Organizations are advised to apply the patches immediately, disable FortiCloud SSO until they are applied, and limit access to management interfaces. CISA has added the FortiCloud SSO authentication bypass to its catalog of actively exploited vulnerabilities, ordering U.S. government agencies to patch within a week, by December 23.

FortiWeb Zero-Day Exploitation (CVE-2025-58034)

Fortinet has released security updates to address a new zero-day vulnerability (CVE-2025-58034) in FortiWeb, which is being actively exploited in the wild. The flaw, an OS command injection vulnerability with a CVSS score of 6.7, allows authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands. Fortinet advises upgrading FortiWeb devices to the latest versions to mitigate the risk. CISA has added CVE-2025-58034 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it within a week. This follows another FortiWeb zero-day (CVE-2025-64446) that was silently patched in October and added to CISA's actively exploited vulnerabilities catalog. CVE-2025-64446 has a CVSS score of 9.1 and was patched in version 8.0.2. Fortinet has patched CVE-2025-58034 in FortiWeb versions 8.0.2, 7.6.6, 7.4.11, 7.2.12, and 7.0.12.

Critical Cisco UCCX RMI Vulnerability Exploitable for Root Command Execution

A critical vulnerability in Cisco Unified Contact Center Express (UCCX) allows unauthenticated attackers to execute commands with root privileges. The flaw, CVE-2025-20354, resides in the Java Remote Method Invocation (RMI) process. Cisco has released patches to address this issue. The UCCX platform is a software solution for managing customer interactions in call centers. The vulnerability enables attackers to upload crafted files and execute arbitrary commands on the underlying operating system. Cisco also patched a critical flaw in the CCX Editor application, which allows unauthenticated attackers to bypass authentication and execute arbitrary scripts with admin permissions. Updates are available for affected versions.

Cisco IOS XE devices in Australia targeted by BadCandy webshell

The Australian Signals Directorate (ASD) has warned of ongoing attacks on unpatched Cisco IOS XE devices in Australia that exploit CVE-2023-20198 to install the BADCANDY webshell, giving the attackers command execution as root. The flaw was patched in October 2023 and has been exploited to deploy BADCANDY since then, with activity continuing through 2024 and 2025; over 400 Australian devices were potentially compromised since July 2025, and more than 150 were still infected as of late October 2025. The activity is attributed to state-sponsored actors, including the Chinese state actor Salt Typhoon. BADCANDY is a Lua-based webshell that does not survive a reboot, but an unpatched device is simply exploited again: ASD has observed re-exploitation on devices whose owners it had already notified. ASD is actively notifying victims and providing mitigation guidance, and recommends reviewing running configurations for unexpected accounts and unknown tunnel interfaces and reviewing TACACS+ AAA command accounting logs for configuration changes.
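ASD's two recommended checks, unexpected local accounts and unknown tunnel interfaces in the running configuration, are mechanical enough to script. The audit below is an added example, not ASD's or Cisco's code: it parses the `username` lines and `interface TunnelN` stanzas out of a `show running-config` dump, compares them with an allowlist, and additionally flags two settings that matter for this campaign: the IOS XE web UI being enabled (`ip http server` / `ip http secure-server`, the feature CVE-2023-20198 is exploited through) and the absence of TACACS+ command accounting, which ASD relies on for spotting configuration changes. The sample configuration, the account name `support_tmp` and the allowlists are all constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample of a `show running-config` dump (not from a real device).
SAMPLE_RUNNING_CONFIG = """\
version 17.6
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
username netops privilege 15 secret 5 $1$abcd$constructedplaceholderhash
username support_tmp privilege 15 secret 5 $1$efgh$constructedplaceholderhash
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.2 255.255.255.0
!
interface Tunnel100
 ip address 10.200.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
!
interface Tunnel1
 description corp-dmvpn
!
aaa accounting commands 15 default start-stop group tacacs+
end
"""


def parse_running_config(text: str) -> Dict:
    """Extract local accounts, Tunnel stanzas, web UI state and TACACS+ command
    accounting from an IOS XE running configuration."""
    cfg: Dict = {"users": {}, "tunnels": {}, "http_server": False,
                 "http_secure_server": False, "tacacs_cmd_accounting": False}
    current = None  # name of the Tunnel stanza being read, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith(" ") and current is not None:
            body = line.strip()
            t = cfg["tunnels"][current]
            if body.startswith("tunnel source "):
                t["source"] = body.split(None, 2)[2]
            elif body.startswith("tunnel destination "):
                t["destination"] = body.split(None, 2)[2]
            elif body.startswith("description "):
                t["description"] = body.split(None, 1)[1]
            continue
        current = None  # any top-level line ends the current stanza
        m = re.match(r"^interface (Tunnel\d+)$", line)
        if m:
            current = m.group(1)
            cfg["tunnels"][current] = {}
            continue
        m = re.match(r"^username (\S+)(?: privilege (\d+))?", line)
        if m:
            cfg["users"][m.group(1)] = int(m.group(2) or 1)  # IOS default privilege is 1
            continue
        if line == "ip http server":
            cfg["http_server"] = True
        elif line == "ip http secure-server":
            cfg["http_secure_server"] = True
        elif line.startswith("aaa accounting commands") and "tacacs+" in line:
            cfg["tacacs_cmd_accounting"] = True
    return cfg


def audit(cfg: Dict, expected_users: Set[str], expected_tunnels: Set[str]) -> List[str]:
    """Compare the parsed configuration with what the operator expects to be there."""
    findings: List[str] = []
    for name, priv in cfg["users"].items():
        if name not in expected_users:
            findings.append(f"unexpected local account {name!r} (privilege {priv})")
    for name, t in cfg["tunnels"].items():
        if name not in expected_tunnels:
            findings.append(f"unknown tunnel interface {name} -> {t.get('destination', '?')}")
    if cfg["http_server"] or cfg["http_secure_server"]:
        findings.append("web UI (ip http server / ip http secure-server) is enabled; "
                        "disable it on internet-facing devices or restrict it to management networks")
    if not cfg["tacacs_cmd_accounting"]:
        findings.append("no TACACS+ command accounting; configuration changes are not logged centrally")
    return findings


if __name__ == "__main__":
    parsed = parse_running_config(SAMPLE_RUNNING_CONFIG)
    for f in audit(parsed, expected_users={"netops"}, expected_tunnels={"Tunnel1"}):
        print("FINDING:", f)
```

Run against the sample with `netops` and `Tunnel1` as the only expected entries, the audit reports the extra privilege-15 account, the unlisted `Tunnel100` with its remote endpoint, and the enabled web UI; command accounting is present, so no finding is raised for it. Keep the allowlists in version control so the check can run after every configuration backup, which is where re-exploitation of a rebooted but unpatched device would show up.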