Active Attacks Target Cisco Secure Email Appliances via CVE-2025-20393
Publication date: 2025-12-18
Cisco has confirmed active exploitation of a previously unknown zero-day vulnerability in Cisco AsyncOS, the operating system used by its email security appliances. The flaw, tracked as CVE-2025-20393, is being exploited in the wild by a China-linked advanced persistent threat (APT) group identified by Cisco as UAT-9686.
Cisco became aware of the campaign in early December after detecting suspicious activity affecting a limited number of appliances that were reachable from the internet. While the total number of impacted organizations is not public, Cisco has confirmed that the attacks allow remote command execution with root privileges and that persistence mechanisms were deployed on compromised systems.
BaseFortify has published an annotated CVE report for CVE-2025-20393, which provides technical context, practical mitigation guidance, and an AI-powered Q & A section where readers can ask follow-up questions specific to their environment:
https://basefortify.eu/cve_reports/2025/12/cve-2025-20393.html
What Is Happening?
The vulnerability is caused by improper input validation, allowing attackers to execute arbitrary commands on the underlying operating system with full administrative privileges.
Cisco’s investigation shows that attackers are not simply testing access. They are actively establishing long-term control. Compromised appliances were found running tooling designed to survive reboots and evade detection, indicating a deliberate and sustained intrusion effort.
Once an email security gateway is compromised at this level, it effectively becomes a trusted internal foothold. From there, attackers can monitor or manipulate email traffic, harvest credentials, or pivot further into internal systems.
How to Check If You’re Vulnerable
Not every AsyncOS deployment is immediately exploitable. Successful attacks require that the Spam Quarantine feature is both enabled and exposed to the internet.
Administrators should verify their configuration immediately:
- Connect to the web management interface
- Navigate to:
  - Secure Email Gateway: Network → IP Interfaces → [Select Interface]
  - Secure Email and Web Manager: Management Appliance → Network → IP Interfaces → [Select Interface]
- Check whether Spam Quarantine is enabled on an internet-facing interface
If Spam Quarantine is enabled and externally reachable, the appliance should be treated as at-risk until mitigations are applied.
What Are Attackers Doing After Exploitation?
Cisco observed the deployment of a familiar post-exploitation toolkit, consistent with previous state-linked intrusion campaigns:
- ReverseSSH (AquaTunnel) and Chisel for covert tunneling and remote access
- AquaShell, a lightweight Python backdoor that executes encoded commands received via unauthenticated HTTP POST requests
- Log-cleaning utilities designed to obscure attacker activity and delay detection
The use of AquaTunnel is particularly notable, as it has been previously associated with Chinese APT groups, reinforcing the attribution and seriousness of the campaign.
What You Should Do Now
With no patch available at the time of writing, organizations should focus on reducing exposure and limiting impact. Cisco recommends removing unnecessary internet access, restricting access to trusted hosts, separating mail and management interfaces, and closely monitoring logs for unexpected activity.
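The log monitoring Cisco recommends can be made concrete for the two behaviours described on this page: a backdoor that takes encoded commands over unauthenticated HTTP POST requests, and log-cleaning tooling that leaves gaps or mangled entries behind. The following Python script is an added example written for this post; it is not Cisco's or BaseFortify's code. Its log line layout is a generic combined-log style constructed for the example, not AsyncOS's own format, and the trusted networks, the baselined login path and the gap threshold are placeholder assumptions to be replaced with values from your own environment.

```python
"""Triage HTTP access-log lines from an email gateway's web services for two
signals: unauthenticated POST requests from untrusted sources to paths that are
not part of the normal baseline, and silent stretches that log cleaning would
leave behind.

Everything here is constructed for the example: the log line layout is a
generic combined-log style (not AsyncOS's own format), and the trusted
networks, baselined login path and gap threshold are placeholders."""
import ipaddress
import re
from datetime import datetime, timedelta

# Networks from which administrative and end-user traffic is expected (assumption).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Paths that legitimately receive POSTs before any session exists, such as a
# login form (assumption; build this from your own baseline, not from this list).
EXPECTED_ANON_POST_PATHS = {"/login"}

# Constructed line layout:
#   <client-ip> <auth-user or -> [<dd/Mon/yyyy:HH:MM:SS +zzzz>] "<METHOD> <path> HTTP/x" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Return a dict of fields, or None if the line does not match the layout."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_trusted(ip):
    """True when the client address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def triage(lines, max_gap=timedelta(minutes=30)):
    """Return (reason, line) pairs for entries that deserve a closer look."""
    findings = []
    prev_ts = None
    for line in lines:
        rec = parse(line)
        if rec is None:
            # Truncated or rewritten entries are themselves a signal when
            # log-cleaning tooling is in play.
            findings.append(("unparseable line (possible tampering)", line))
            continue
        # A silent stretch in an otherwise steady log should be correlated with
        # other sources (syslog, SIEM forwarders) to see whether entries went missing.
        if prev_ts is not None and rec["ts"] - prev_ts > max_gap:
            minutes = int((rec["ts"] - prev_ts).total_seconds() // 60)
            findings.append((f"log gap of {minutes} min before this entry", line))
        prev_ts = rec["ts"]
        # A POST with no authenticated user, to a path that is not a known login
        # form, from outside the trusted networks matches the command-channel
        # pattern described for the backdoor above.
        if (rec["method"] == "POST" and rec["user"] == "-"
                and rec["path"] not in EXPECTED_ANON_POST_PATHS
                and not is_trusted(rec["ip"])):
            findings.append(("unauthenticated POST to non-baselined path from untrusted source", line))
    return findings


# Constructed sample log; the addresses and paths are placeholders.
SAMPLE_LOG = [
    '10.20.4.9 admin [18/Dec/2025:09:00:01 +0000] "GET /quarantine HTTP/1.1" 200 5120',
    '198.51.100.23 - [18/Dec/2025:09:01:15 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.23 - [18/Dec/2025:09:01:20 +0000] "POST /not-a-baselined-path HTTP/1.1" 200 87',
    '10.20.4.9 admin [18/Dec/2025:11:40:00 +0000] "GET /quarantine HTTP/1.1" 200 5120',
    'partial entry with no timestamp',
]

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the constructed sample, the script flags the POST to the unbaselined path from outside the trusted range, the two-and-a-half-hour silence before the next entry, and the truncated final line, while leaving the ordinary login POST alone. The login-path allowlist matters: an internet-facing Spam Quarantine legitimately receives unauthenticated POSTs from end users logging in, so flagging every anonymous POST would bury the signal in noise.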
Importantly, Cisco has stated that in cases of confirmed compromise, rebuilding the appliance is currently the only reliable way to fully remove attacker persistence.
This incident highlights an uncomfortable reality: security appliances themselves are prime targets and must be monitored and hardened like any other critical system.
How BaseFortify Helps in Practice
BaseFortify is designed to help teams move from awareness to action when dealing with real-world vulnerabilities like CVE-2025-20393.
For this vulnerability, BaseFortify helps organizations understand:
- What the vulnerability enables an attacker to do
- How exploitation typically unfolds in operational environments
- Which mitigation steps are most effective right now
- What indicators may suggest compromise or misuse
The annotated CVE report for CVE-2025-20393 includes an embedded AI-powered Q & A, allowing security and IT teams to ask practical questions about mitigation, detection, and operational impact:
https://basefortify.eu/cve_reports/2025/12/cve-2025-20393.html
Organizations can register for BaseFortify at:
https://basefortify.eu/register
BaseFortify is available with both a free subscription and a paid subscription. The free tier provides access to essential vulnerability insights and selected guidance, while paid subscriptions unlock additional capabilities for deeper analysis and ongoing risk management.
Resources
- BaseFortify annotated CVE report and AI Q & A
  https://basefortify.eu/cve_reports/2025/12/cve-2025-20393.html
- Cisco advisory and investigation details
  https://sec.cloudapps.cisco.com/
- CISA Known Exploited Vulnerabilities catalog
  https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Original coverage by The Hacker News
  https://thehackernews.com/2025/12/cisco-warns-of-active-attacks.html