CyberHappenings

Active Exploitation of Unpatched Cisco AsyncOS Zero-Day in SEG and SEWM Appliances

1 unique source, 1 article

Summary


Cisco has disclosed an unpatched, critical zero-day (CVE-2025-20393) in AsyncOS, the operating system of its Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. The flaw affects appliances running a non-default configuration in which the Spam Quarantine feature is exposed to the internet. A Chinese-nexus threat group that Cisco Talos tracks as UAT-9686 is exploiting it to run commands as root and then deploy backdoors, tunnelling tools and a log-clearing utility; the activity dates back to at least late November 2025. With no fix available yet, Cisco recommends restricting network access to affected appliances and advises customers to contact TAC for assistance.
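Because the exploited precondition is a Spam Quarantine web interface reachable from the internet, a useful first triage step is to check, from an untrusted vantage point, which appliances actually answer on that interface. The script below is an added example for this page, not code from Cisco, Talos or CyberHappenings; it assumes the AsyncOS default quarantine listening ports 82/TCP (HTTP) and 83/TCP (HTTPS), which you should confirm against your own configuration, and the hostnames in it are constructed placeholders.

```python
# Added example (not Cisco's, Talos's or this page's code): flag appliances whose
# Spam Quarantine web interface answers from a network that should not reach it.
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Assumption: 82/TCP (HTTP) and 83/TCP (HTTPS) are the default listening ports of
# the AsyncOS End-User Spam Quarantine interface. Verify the ports configured on
# your own appliances before relying on this tuple.
SPAM_QUARANTINE_PORTS: Tuple[int, ...] = (82, 83)


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within the timeout.

    DNS failures, refusals and timeouts are all OSError subclasses and are
    treated as "not reachable from here".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_quarantine(
    hosts: Iterable[str],
    ports: Iterable[int] = SPAM_QUARANTINE_PORTS,
    probe: Callable[[str, int], bool] = tcp_reachable,
) -> Dict[str, List[int]]:
    """Map each host to the quarantine ports that answer from this vantage point.

    Run it from outside the perimeter (or from any segment that must not reach
    the appliances). A host with a non-empty list matches the non-default,
    internet-exposed configuration that Cisco says is being exploited.
    """
    ports = tuple(ports)
    return {host: [p for p in ports if probe(host, p)] for host in hosts}


def report(results: Dict[str, List[int]]) -> List[str]:
    """Render one line per host, exposed hosts first so they stand out in a ticket."""
    lines: List[str] = []
    for host, open_ports in sorted(results.items(), key=lambda kv: (not kv[1], kv[0])):
        if open_ports:
            lines.append(
                f"EXPOSED  {host}: spam quarantine reachable on {open_ports}; "
                "restrict access now and contact Cisco TAC"
            )
        else:
            lines.append(f"ok       {host}: quarantine ports closed/filtered from this vantage point")
    return lines


if __name__ == "__main__":
    # Constructed sample inventory; replace with your appliances' external names or addresses.
    inventory = ["seg1.example.test", "sewm.example.test"]
    for line in report(exposed_quarantine(inventory)):
        print(line)
```

A closed or filtered port from outside only shows that this one path is blocked; appliances reachable through a reverse proxy, a load balancer or a non-default port still need to be checked by hand, and a positive result is a reason to restrict access first and investigate second, since the actor's tooling includes a log-clearing utility.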

Timeline

  1. 17.12.2025 20:45 · 1 article

    Cisco Warns of Active Exploitation of Unpatched AsyncOS Zero-Day


Information Snippets

  • CVE-2025-20393 affects Cisco SEG and SEWM appliances running a non-default configuration in which the Spam Quarantine feature is enabled and exposed to the internet; it is that internet-reachable quarantine interface that the attackers are reaching.

    First reported: 17.12.2025 20:45
    1 source, 1 article
  • The Chinese threat group UAT-9686 is exploiting the flaw to execute arbitrary commands as root and then deploy its tool set: the AquaShell backdoor, reverse SSH tunnelling via AquaTunnel and the open-source Chisel tunnelling tool, and AquaPurge, a log-clearing utility used to cover tracks on the appliance.

  • The intrusions were first detected on December 10, 2025, and the campaign is assessed to have been active since at least late November 2025.

  • Cisco Talos assesses with moderate confidence that UAT-9686 is a Chinese-nexus APT actor, based on tooling and infrastructure that overlap with those of other Chinese groups such as UNC5174 and APT41.
