
The Cybersecurity and Infrastructure Security Agency (CISA) has added three new entries to its Known Exploited Vulnerabilities (KEV) catalog, flagging that all three flaws are currently under active exploitation.
Among them is CVE-2025-20393, a critical zero-day affecting Cisco Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances, with a CVSS score of 10.0.
Rated at maximum severity, the flaw allows an unauthenticated remote attacker to bypass all defenses and execute arbitrary commands with root privileges. The root cause is improper input validation in the Spam Quarantine feature. The attack surface only exists when Spam Quarantine is reachable from the Internet, so appliances that expose it externally are the ones at immediate risk, and confirming whether that interface is exposed is the first check to make.
According to Cisco Talos, a China-nexus threat group tracked as UAT-9686 is already exploiting this flaw, as covered in our previous article. The group deploys a suite of custom malware, including the AquaShell persistent backdoor and AquaPurge, a tool designed to wipe logs and cover its tracks. Because AquaPurge targets the appliance's own logs, the absence of evidence on the box is not evidence of absence: logs forwarded off the device before the intrusion are the more trustworthy record.
CISA also flagged a critical situation involving SonicWall SMA1000 appliances. The advisory adds a single vulnerability to the catalog, but the real danger lies in how attackers chain it with an earlier flaw, CVE-2025-23006.
By combining the two, attackers gain complete control of the appliance. The report notes that the attackers “chained this vulnerability with a critical severity SMA1000 pre-authentication deserialization flaw… to achieve unauthenticated remote code execution with root privileges.”
An exploit chain of this kind turns the device into an open door for intruders, and it also means that an appliance left unpatched against CVE-2025-23006 since earlier this year is doubly exposed. Federal agencies have been given a tight deadline of December 24, 2025, to remediate this specific threat.
The third addition is a blast from the past with modern implications. CVE-2025-59374 (CVSS 9.3) affects the ASUS Live Update client, a utility that reached end of support (EOS) in 2021.
Despite its age, the software is being exploited through a supply chain compromise: unauthorized modifications introduced into the update client allow attackers to make devices “perform unwanted actions” when they match specific targeting conditions. Because the client is no longer maintained, no vendor fix is coming, so the practical remediation is removal rather than patching. It lingers as a “zombie” risk on older systems where nobody has done so.
The lesson is that exploitable weaknesses are always present somewhere in the estate. Two of CISA's three new KEV entries end the same way, with an unauthenticated attacker executing commands of their choosing as root on an Internet-facing appliance; the third shows that abandoned software is just as dangerous as unpatched software.
A few practical points follow. First, update systems and software to the vendor-fixed versions, as the SonicWall SMA1000 case shows: a months-old flaw is being chained with a new one precisely because it is still unpatched on some devices. Second, inventory and remove unsupported software such as the ASUS Live Update client, which can no longer be patched but still poses a risk.
In short, the window between public disclosure and active exploitation keeps narrowing, so patch management has to run ahead of the attackers rather than behind them.
Only with sustained attention and awareness can organizations avoid falling into the traps set by attackers.
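As an added example (not part of the original article, and not CISA's or any vendor's tooling), the following Python turns a KEV addition into a prioritised work list: it indexes a catalog excerpt by CVE, joins it against scanner findings, ranks them by days remaining to the CISA due date, and routes end-of-support products such as the ASUS Live Update client to removal rather than patching. The field names match CISA's published JSON feed; the catalog excerpt, the scanner rows, the asset names and all dates are constructed for this example and are not the catalog's actual values.

```python
import json
from datetime import date

# Constructed excerpt laid out like CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The field names are the feed's real ones. The CVE IDs are the ones named in the
# article; the dates, descriptions and required actions below are placeholders
# for this example, not the catalog's actual values.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2025-20393", "vendorProject": "Cisco",
         "product": "Secure Email Gateway / Secure Email and Web Manager",
         "dateAdded": "2025-12-17", "dueDate": "2025-12-31",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-23006", "vendorProject": "SonicWall",
         "product": "SMA1000 Appliances",
         "dateAdded": "2025-01-24", "dueDate": "2025-02-14",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-59374", "vendorProject": "ASUS",
         "product": "Live Update",
         "dateAdded": "2025-12-17", "dueDate": "2026-01-07",
         "requiredAction": "Discontinue use of the product.",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: one row per (asset, CVE). 'end_of_support' is
# whatever the asset inventory knows about the affected product.
FINDINGS = [
    {"asset": "mail-gw-01", "cve": "CVE-2025-20393", "end_of_support": False},
    {"asset": "sma1000-edge", "cve": "CVE-2025-23006", "end_of_support": False},
    {"asset": "lab-laptop-07", "cve": "CVE-2025-59374", "end_of_support": True},
    # deliberately malformed placeholder ID, present to show non-KEV findings are skipped
    {"asset": "lab-laptop-07", "cve": "CVE-0000-0000", "end_of_support": True},
]


def load_kev(feed_text):
    """Index a KEV feed by CVE ID, parsing dueDate into a date object."""
    feed = json.loads(feed_text)
    index = {}
    for entry in feed["vulnerabilities"]:
        index[entry["cveID"]] = {**entry, "dueDate": date.fromisoformat(entry["dueDate"])}
    return index


def triage(kev_index, findings, today_iso):
    """Join scanner findings against the KEV index and rank them by time to due date.

    Only findings whose CVE is in KEV are returned, most urgent first. A negative
    days_left means the due date has already passed. End-of-support products
    cannot be patched, so the action for them is to retire or isolate the asset.
    """
    today = date.fromisoformat(today_iso)
    rows = []
    for finding in findings:
        entry = kev_index.get(finding["cve"])
        if entry is None:
            continue  # not known-exploited; leave to the normal patch cadence
        days_left = (entry["dueDate"] - today).days
        rows.append({
            "asset": finding["asset"],
            "cve": finding["cve"],
            "vendor": entry["vendorProject"],
            "due": entry["dueDate"].isoformat(),
            "days_left": days_left,
            "status": "OVERDUE" if days_left < 0 else "DUE",
            "action": "retire_or_isolate" if finding["end_of_support"] else "patch_or_mitigate",
        })
    rows.sort(key=lambda r: r["days_left"])
    return rows


if __name__ == "__main__":
    for row in triage(load_kev(KEV_SAMPLE), FINDINGS, "2025-12-26"):
        print(f'{row["status"]:7} {row["days_left"]:>5}d  {row["cve"]}  {row["asset"]:14} -> {row["action"]}')
```

Run against the real feed, replace `KEV_SAMPLE` with the downloaded JSON and `FINDINGS` with your scanner export; the ordering then gives a defensible answer to "what do we patch first" that does not depend on CVSS alone, since a 9.3 on abandoned software and a 10.0 on an exposed appliance both land at the top only if they are actually on your assets.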
