Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Cisco Zero-Day Vulnerability Exploited: Secure Email Gateway Under Attack

16 January 2026 17:24

Cisco has confirmed that a critical zero-day flaw allowing remote code execution is being actively exploited in its Secure Email Gateway and Secure Email and Web Manager devices. The vulnerability, tracked as CVE-2025-20393, lets unauthenticated attackers send forged HTTP requests to the spam quarantine feature and thereby execute arbitrary commands with root privileges.

The root cause is insufficient validation of HTTP requests in the spam quarantine feature of Cisco AsyncOS software, which permits remote command execution with administrator rights on affected devices. The flaw is classified as CWE-20 (improper input validation) and carries the maximum CVSSv3.1 base score of 10.0, reflecting its network accessibility, low attack complexity, and high impact on data confidentiality, integrity, and availability.

Cisco has released patches to address the vulnerability and remove known persistence mechanisms; there are no workarounds. Administrators should immediately update and confirm the Spam Quarantine status via the web interface at Network > IP Interfaces.

Cisco Talos attributes the campaign to UAT-9686 (also tracked as UNC-9686), an advanced persistent threat actor with ties to China; the attribution is made with some confidence, based on tool overlaps with groups such as APT41 and UNC5174.

The exploit targets devices with spam quarantine enabled and exposed to the internet, typically on port 6025, a configuration not enabled by default and not recommended in deployment guides. Cisco became aware of the attacks on December 10, 2025, with evidence of exploitation dating back to November 2025.
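The article's key defensive point is configuration exposure: the attacks only reach devices that have spam quarantine enabled on an interface reachable from the internet, typically on port 6025. The following script is an added example, not Cisco's code or part of the original article; it triages a hypothetical inventory export (the `QuarantineListener` fields and the sample hosts are constructed for this example) and flags listeners that match that risky shape, as a complement to the manual check under Network > IP Interfaces. The internal-range definition is a conservative assumption for triage, not a Cisco definition, and the optional TCP reachability probe is meant to be run only against your own devices from an external vantage point.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Iterable, List

# Port on which the spam quarantine listener is typically exposed (from the article).
SPAM_QUARANTINE_PORT = 6025

# Ranges treated as "internal" for this triage. Anything outside them is treated
# as potentially internet-reachable. This is a conservative assumption made by
# this example, not a Cisco definition; adjust to your own address plan.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
        "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
        "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
    )
]


@dataclass
class QuarantineListener:
    """One IP interface of a gateway, as it might appear in an inventory export (hypothetical schema)."""
    hostname: str
    interface_ip: str
    spam_quarantine_enabled: bool
    port: int = SPAM_QUARANTINE_PORT


def is_internal(ip_text: str) -> bool:
    """True if the address falls inside one of the INTERNAL_NETWORKS ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETWORKS)


def exposed_listeners(inventory: Iterable[QuarantineListener]) -> List[QuarantineListener]:
    """Return listeners matching the risky configuration described in the article:
    spam quarantine enabled, on port 6025, bound to an address outside the internal ranges."""
    return [
        l for l in inventory
        if l.spam_quarantine_enabled
        and l.port == SPAM_QUARANTINE_PORT
        and not is_internal(l.interface_ip)
    ]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Optional live confirmation from an external vantage point: does the port accept
    a TCP connection at all? Use this only against devices you are responsible for."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage_report(inventory: Iterable[QuarantineListener]) -> List[str]:
    """Human-readable findings, one line per exposed listener."""
    return [
        f"{l.hostname}: spam quarantine listening on {l.interface_ip}:{l.port} "
        f"is outside the internal ranges; apply the Cisco fix and restrict exposure"
        for l in exposed_listeners(inventory)
    ]


# Constructed sample inventory (hypothetical hosts; documentation address ranges).
SAMPLE_INVENTORY = [
    QuarantineListener("esa-dmz-01", "203.0.113.10", spam_quarantine_enabled=True),
    QuarantineListener("esa-core-02", "10.20.30.40", spam_quarantine_enabled=True),
    QuarantineListener("esa-dmz-03", "203.0.113.11", spam_quarantine_enabled=False),
    QuarantineListener("esa-ipv6-04", "2001:db8::25", spam_quarantine_enabled=True),
]

if __name__ == "__main__":
    for line in triage_report(SAMPLE_INVENTORY):
        print(line)
```

Replace `SAMPLE_INVENTORY` with whatever your asset system exports; the point of the check is that "spam quarantine enabled" on its own is not the finding, only its combination with a listener that is reachable from outside, which is exactly the configuration the article says is not a default and is not recommended.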

The attackers are deploying a Python-based backdoor called AquaShell for persistent remote access, reverse SSH tunneling tools such as AquaTunnel and Chisel for internal pivoting, and AquaPurge for log deletion to evade detection. Targets include the telecommunications and critical infrastructure sectors, and post-exploitation activity is focused on espionage rather than ransomware.

On December 17, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) included CVE-2025-20393 in its list of known exploited vulnerabilities, requiring federal agencies to mitigate it by December 24, 2025. As of January 2026, although no public proof-of-concept exploits were available, increasing automated scans were detected.

Cisco Secure Email Cloud services remain unaffected. Organizations are encouraged to monitor logs externally and contact the TAC for a compromise assessment.


The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.