At a glance: Cisco warns of active exploitation of critical AsyncOS flaw (CVE-2025-20393) enabling unauthenticated root-level RCE on exposed email security appliances. China-linked actors are deploying persistent backdoors. No patch yet—restrict exposure, monitor closely, rebuild if compromised.
Threat summary
On December 18, 2025, Cisco reported on active exploitation of an unpatched critical vulnerability in Cisco AsyncOS. AsyncOS is the operating system that powers Cisco’s email security appliances, widely deployed to filter spam, malware, and phishing attempts. These appliances are typically positioned at the perimeter of enterprise networks, making them high‑value targets.
The flaw, tracked as CVE‑2025‑20393, affects Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager (SEWM) appliances when the Spam Quarantine feature is enabled and exposed to the internet. Cisco emphasized that Spam Quarantine is not enabled by default, but when exposed it allows unauthenticated execution of arbitrary commands with root privileges on the underlying operating system. The worst‑case scenario includes full system compromise, unauthorized access to sensitive email communications, and disruption of email services. The CVSS v3.1 score is 10.0, reflecting maximum severity.
Exploitation activity began in late November 2025. Cisco disclosed the issue on December 10, 2025, and published a security advisory on December 17, 2025. The threat actor identified as UAT‑9686, a China‑linked advanced persistent threat group, has been associated with the campaign. Cisco Talos reported overlaps in tactics and infrastructure with groups such as APT41. Attackers deployed a persistent Python‑based backdoor, referred to as “AquaShell,” to maintain access.
Because this vulnerability enables unauthenticated remote code execution and is easy to exploit, the U.S. Cybersecurity and Infrastructure Security Agency has already added CVE‑2025‑20393 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to take immediate action.
Insights & mitigations
Cisco has not yet released a patch, and interim mitigations are limited. Cisco recommendations include restricting exposure of the Spam Quarantine service to the internet and monitoring for indicators of compromise. Monitoring for anomalous activity, including unauthorized system‑level commands and persistence mechanisms such as AquaShell, is recommended. In confirmed compromise cases, appliances should be rebuilt. Follow Cisco advisories for updates on patch availability.
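Because the interim mitigation is to keep the Spam Quarantine listener off the internet, the first practical step is to confirm, from an external vantage point, whether any of your appliances actually answer on it. The script below is an added example written for this post; it is not Cisco's, Field Effect's, or the advisory's own code. It assumes the end-user Spam Quarantine portal listens on TCP 82 (HTTP) and 83 (HTTPS), which are treated here as assumed defaults to be verified against the appliance configuration, and the hostnames in the usage line are placeholders. Run it from a host outside the perimeter (a cloud VM, for instance) against your own appliance addresses; any port that completes a handshake is reachable from the internet and should be restricted to the internal network or VPN. It generalizes to any inventory of hosts and any port map you pass in.

```python
"""Exposure check for the AsyncOS Spam Quarantine listener (added example)."""
import socket
from typing import Callable, Dict, Iterable, List

# Assumed default ports for the end-user Spam Quarantine portal
# (HTTP 82 / HTTPS 83). These are assumptions for this example, not values
# from the advisory; confirm them against the appliance's own configuration.
QUARANTINE_PORTS: Dict[int, str] = {
    82: "spam-quarantine-http",
    83: "spam-quarantine-https",
}


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, timed out, or name resolution failed
        return False


def check_exposure(
    hosts: Iterable[str],
    ports: Dict[int, str] = QUARANTINE_PORTS,
    probe: Callable[[str, int], bool] = tcp_reachable,
) -> List[dict]:
    """Probe every host/port pair and return one finding per reachable listener.

    The probe is injectable so the logic can be exercised offline; in normal
    use the default TCP connect probe above is used.
    """
    findings: List[dict] = []
    for host in hosts:
        for port, label in ports.items():
            if probe(host, port):
                findings.append({
                    "host": host,
                    "port": port,
                    "service": label,
                    "action": "restrict to internal network/VPN; review appliance logs",
                })
    return findings


def exposure_report(findings: List[dict]) -> str:
    """Render findings as one line per exposed listener, or an OK line."""
    if not findings:
        return "OK: no Spam Quarantine listener reachable from this vantage point"
    return "\n".join(
        f"EXPOSED {f['host']}:{f['port']} ({f['service']}) -> {f['action']}"
        for f in findings
    )


if __name__ == "__main__":
    import sys
    # Placeholder hostname; pass your own appliance addresses on the command line.
    targets = sys.argv[1:] or ["seg.example.invalid"]
    print(exposure_report(check_exposure(targets)))
```

A clean "OK" result only shows that this one vantage point cannot reach the listener; repeat the check after any firewall or NAT change, and treat a reachable port on a system that has been exposed since late November as a reason to hunt for compromise rather than simply close the hole.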
Field Effect MDR users would be alerted via ARO if internet‑facing services such as Spam Quarantine are identified, with recommended actions provided. Field Effect MDR continuously monitors endpoints, networks, and cloud services, enabling proactive identification of anomalous connections, persistence mechanisms like AquaShell, and unauthorized system‑level activity.
The Field Effect security intelligence team integrates business context with curated intelligence feeds to deliver vulnerability analysis tailored to each client environment. Indicators of compromise associated with this campaign are applied early to enhance behavioral detection and strengthen response capabilities.