Cisco AsyncOS security update for CVE-2025-20393

Security Patch Release
Happening score: 60
1 unique source, 1 article

Summary

Cisco released security updates for CVE-2025-20393 in Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, closing a maximum-severity remote-command-execution flaw. The fix matters because the vulnerability had already been used as a zero-day and could grant attackers root privileges on affected appliances. Cisco also removed persistence mechanisms linked to the attack campaign. Administrators need to move to the fixed AsyncOS releases and harden exposure around the affected email security systems.

Cases

Related Happenings

Cisco ThousandEyes and Nexus security patches

Security Patch Release
First: 21.05.2026 15:04 Last: 21.05.2026 15:04 Sources 1

About this happening: Cisco released patches for **three medium-severity vulnerabilities** affecting **ThousandEyes Virtual Appliance**, **ThousandEyes Enterprise Agent**, and **Nexus 3000/9000 switche...

FIRESTARTER malware on Cisco ASA and FTD devices

Malware Activity
First: 23.04.2026 15:00 Last: 23.04.2026 15:00 Sources 1

About this happening: CISA has published analysis of **FIRESTARTER**, a malware strain that enables **remote access and control** on **Cisco Firepower** and **Secure Firewall** devices, raising the ris...

Latest development: 24.04.2026 23:34

CISA, NCSC-UK, and Cisco detailed Firestarter persistence on Cisco Firepower and Secure Firewall devices running ASA or FTD software, attributing the backdoor to UAT-4356 and linking the activity to ArcaneDoor. The malware modifies CSP_MOUNT_LIST, stores a copy in /opt/cisco/platform/logs/var/log/svc_samcore.log, restores itself to /usr/bin/lina_cs, and relaunches after termination or reboot; Cisco recommends reimaging and upgrading to fixed releases, or using a cold restart only if reimaging is not possible.

Cisco hit by cyberattack

Incident
First: 31.03.2026 20:53 Last: 31.03.2026 20:53 Sources 1

About this happening: The **Cisco** incident is a **cyberattack** on its **internal development environment** that exposed **source code** and **credentials**. Attackers used stolen credentials linked...

Interlock Cisco Secure Firewall Management Center zero-day exploitation wave

Exploitation Wave
First: 18.03.2026 18:53 Last: 18.03.2026 18:53 Sources 1

About this happening: A **zero-day exploitation wave** tied to **Interlock** has been hitting **Cisco Secure Firewall Management Center (FMC)**, putting **enterprise firewalls** at risk before patching...

Cisco Catalyst SD-WAN active exploitation wave

Exploitation Wave
First: 05.03.2026 14:15 Last: 05.03.2026 14:15 Sources 1

About this happening: **Cisco** confirmed **active exploitation** of **two recently patched Catalyst SD-WAN vulnerabilities**, creating immediate risk for exposed systems that have not been fully remed...

Timeline

  1. 16.01.2026 07:38 2 articles · 4mo ago

    Cisco AsyncOS security update for CVE-2025-20393

    Initial Disclosure

    Cisco issued fixes for **CVE-2025-20393** on **Thursday** after confirming prior **zero-day** abuse of **AsyncOS** appliances. The update closes the main code-execution path and strips persistence artifacts associated with the campaign.