Cisco AsyncOS Spam Quarantine RCE (CVE-2025-20393)

Vulnerability
H score 63
1 unique source, 2 articles

Summary

CVE-2025-20393 is a maximum-severity flaw in Cisco AsyncOS Software that affects Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances when Spam Quarantine is enabled and reachable from the internet. Cisco said the issue was actively exploited as a zero-day by UAT-9686, who used it to gain root-level command execution, establish persistence, and deploy tools including ReverseSSH (aka AquaTunnel), Chisel, AquaPurge, and AquaShell. Cisco has released security updates, and CISA added the CVE to KEV. The company also advised customers to reduce exposure by limiting internet access, disabling unnecessary services, and hardening appliance access controls.

Cases

Related Happenings

CISA KEV directive for CVE-2026-20133

Public Sector Action
First: 21.04.2026 15:30 Last: 21.04.2026 15:30 Sources 1

About this happening: On **Monday, April 21, 2026**, **CISA** added **CVE-2026-20133** to the **KEV Catalog** and ordered **FCEB agencies** to secure their networks by **Friday, April 24**. The directi...

Cloud Software Group NetScaler urgent remediation advisory

Advisory/Mitigation
First: 25.03.2026 17:52 Last: 25.03.2026 17:52 Sources 1

About this happening: **Cloud Software Group** issued urgent remediation guidance for **NetScaler ADC** and **NetScaler Gateway**, telling affected customers to install updated versions as soon as poss...

CISA urgent mitigation order for Cisco FMC CVE-2026-20131

Advisory/Mitigation
First: 23.03.2026 12:30 Last: 23.03.2026 12:30 Sources 1

About this happening: **CISA** ordered **federal civilian agencies** to patch **CVE-2026-20131** in **Cisco Secure Firewall Management Center (FMC)** within **three days** or discontinue use if mitigat...

Interlock Cisco Secure Firewall Management Center zero-day exploitation wave

Exploitation Wave
First: 18.03.2026 18:53 Last: 18.03.2026 18:53 Sources 1

About this happening: A **zero-day exploitation wave** tied to **Interlock** has been hitting **Cisco Secure Firewall Management Center (FMC)**, putting **enterprise firewalls** at risk before patching...

Cisco Catalyst SD-WAN active exploitation wave

Exploitation Wave
First: 05.03.2026 14:15 Last: 05.03.2026 14:15 Sources 1

About this happening: **Cisco** confirmed **active exploitation** of **two recently patched Catalyst SD-WAN vulnerabilities**, creating immediate risk for exposed systems that have not been fully remed...

Timeline

  1. 16.01.2026 07:38 · 3 articles

    Cisco discloses CVE-2025-20393 zero-day exploitation and releases fixes

    Initial Disclosure

    Cisco released security updates for CVE-2025-20393 in Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager after confirming UAT-9686 exploited the maximum-severity Spam Quarantine remote command execution flaw as a zero-day. The flaw stems from insufficient validation of HTTP requests and can let an attacker execute arbitrary commands with root privileges on an affected appliance. Cisco also said the campaign included ReverseSSH (aka AquaTunnel), Chisel, AquaPurge, and AquaShell, and urged customers to secure appliances behind a firewall, monitor web log traffic, disable HTTP for the main administrator portal, disable unnecessary network services, enforce SAML or LDAP authentication, and change the default administrator password.