Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS


These articles are AI-generated summaries. Please check the original sources for full details.

Cisco AsyncOS Zero-Day Under Active Exploitation

Cisco has issued a warning regarding an actively exploited zero-day vulnerability (CVE-2025-20393) in its Cisco AsyncOS software, impacting Secure Email Gateway and Secure Email and Web Manager appliances. The vulnerability, with a critical CVSS score of 10.0, allows attackers to execute arbitrary code with root privileges.

Robust input validation is a baseline requirement, yet vulnerabilities like this one show that malicious code execution still gets through, and the result can be complete system compromise and data breaches for affected organizations. The potential scale is significant: the vulnerability affects all AsyncOS releases and has been exploited since late November 2025.

Key Insights

  • CVE-2025-20393 (December 2025): A critical zero-day vulnerability in Cisco AsyncOS allowing for root access.
  • APT Attribution: The attacks are attributed to the China-nexus APT actor UAT-9686, known for deploying tools like AquaTunnel and AquaShell.
  • CISA Directive: The U.S. CISA added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, mandating mitigation for Federal Civilian Executive Branch (FCEB) agencies by December 24, 2025.

Practical Applications

  • Use Case: Email security appliances are critical for preventing phishing and malware, but a compromised appliance becomes a pivot point for attackers.
  • Pitfall: Exposing the Spam Quarantine feature to the internet, even unintentionally, creates a direct attack vector for this vulnerability.
