CVE-2025-20393 Exploitation: A Maximum-Severity Zero-Day Vulnerability in Cisco AsyncOS Software Abused in Attacks by the China-Backed APT UAT-9686
As 2025 draws to a close, yet another critical Cisco zero-day has emerged, joining earlier high-severity disclosures: two RCE flaws in Cisco ISE and SE-PIC (CVE-2025-20281 and CVE-2025-20282) and a September zero-day in Cisco IOS and IOS XE (CVE-2025-20352). The latest uncovered Cisco vulnerability, identified as CVE-2025-20393, affects AsyncOS Software and reaches a maximum-severity CVSS score of 10.0. The flaw is already under active exploitation by a China-linked APT group tracked as UAT-9686.
Exploitation of zero-day vulnerabilities is increasing, while the time to patch them is shrinking, making prompt updates more critical than ever. The 2025 Verizon DBIR report highlights a 34% year-over-year rise in breaches initiated via vulnerability exploitation, highlighting the need for proactive defenses. China-backed espionage campaigns are driving this trend, with operations increasingly emphasizing stealth and operational security over the past five years. China-aligned APT clusters remain among the fastest and most active state-sponsored actors, often weaponizing newly disclosed exploits almost immediately, further complicating the global cybersecurity landscape.
In early December, a new maximum-severity vulnerability in React Server Components, known as React2Shell, was observed being exploited in multiple China-linked campaigns, with activity quickly accelerating in both scale and pace and broadening its targeting scope. Another maximum-severity vulnerability (CVE-2025-20393), recently discovered in Cisco AsyncOS Software, is now drawing significant attention in the cyber threat arena and requires heightened vigilance from defenders.
Sign up for SOC Prime Platform, offering the world’s largest Detection Intelligence dataset and covering a full pipeline from detection to simulation to take your SOC to the next level and proactively thwart APT attacks, exploitation campaigns, and cyber threats of any scale and sophistication. Press Explore Detections to reach a comprehensive, context-enriched rule set addressing critical exploits, filtered by the corresponding “CVE” tag.
The above-mentioned SOC content is supported across 40+ SIEM, EDR, and Data Lake platforms to enable cross-platform content utilization and is mapped to the most recent MITRE ATT&CK® v18.1 framework. Security teams can further accelerate end-to-end detection engineering workflows with Uncoder AI, which enables smooth rule creation from live threat intelligence, instant detection logic refinement and validation, automatic Attack Flow visualization, IOC-to-hunt query conversion, and AI-backed translation of detection content across multiple language formats.
CVE-2025-20393 Analysis
Cisco has recently warned the global defender community of a critical zero-day in its AsyncOS Software tracked as CVE-2025-20393 that is being actively exploited by a China-linked APT group, UAT-9686, targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.
The company reported becoming aware of the campaign on December 10, 2025, noting that only a limited subset of appliances with certain internet-exposed ports appear to be affected. The total number of impacted customers remains unclear.
According to the vendor, the flaw enables threat actors to execute arbitrary commands with root privileges on affected appliances. Investigators have also found evidence of a persistence mechanism planted to maintain control over compromised devices.
The vulnerability remains unpatched and stems from improper input validation, allowing attackers to run malicious commands with elevated privileges on the underlying operating system.
All versions of Cisco AsyncOS are impacted, though exploitation requires specific conditions across both physical and virtual deployments of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The Spam Quarantine feature must be enabled and accessible from the internet—an important detail, as this feature is disabled by default. Cisco advises administrators to verify its status via the web management interface by checking the relevant network interface settings.
The vendor traced exploitation activity back to at least late November 2025, when the China-linked actor UAT-9686 began abusing the flaw to deploy tunneling tools such as ReverseSSH (AquaTunnel) and Chisel, along with a log-cleaning utility named AquaPurge. AquaTunnel has previously been associated with several China-linked groups, including APT41 and UNC5174. Adversaries also deployed a lightweight Python backdoor, AquaShell, which passively listens for unauthenticated HTTP POST requests, decodes specially crafted payloads, and executes commands via the system shell.
Until a patch becomes available, Cisco recommends hardening affected appliances by restricting internet exposure, placing them behind firewalls that allow only trusted hosts, separating mail and management interfaces, disabling HTTP access to the main admin portal, and closely monitoring web logs for anomalous activity. Additional guidance includes disabling unnecessary services, enforcing strong authentication mechanisms such as SAML or LDAP, and replacing default administrator credentials with stronger passwords. The company emphasized that in confirmed compromise scenarios, rebuilding the appliance is currently the only effective way to remove attacker persistence.
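Two of the points above, restricting the appliance to trusted hosts and watching web logs for anomalies, can be turned into a simple triage check. The following Python script is an added example written for this article; it is not code from the original post, Cisco, or SOC Prime, and it does not describe AsyncOS's actual log format. It assumes a Common Log Format style access log (adapt the regex to the real appliance format), a constructed set of trusted management networks, and constructed sample log lines with made-up request paths. It parses each line, drops requests from trusted networks, and flags everything else, ranking unauthenticated POST requests from untrusted sources highest since that pattern matches the passive listener behaviour the article attributes to AquaShell.

```python
"""Triage appliance web-access log lines against a trusted-host allowlist.

Added example; assumes a Common Log Format style log. Field names, paths,
addresses and trusted networks below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed trusted management networks (assumption; use your own).
TRUSTED_CIDRS = ["10.0.0.0/8", "192.168.0.0/16"]

# Constructed sample log lines. Paths such as /quarantine are placeholders,
# not real AsyncOS endpoints.
SAMPLE_LOG = """\
10.0.5.12 - admin [10/Dec/2025:09:12:01 +0000] "GET /login HTTP/1.1" 200 1532
203.0.113.45 - - [10/Dec/2025:09:14:33 +0000] "POST /quarantine HTTP/1.1" 200 88
10.0.5.12 - admin [10/Dec/2025:09:15:02 +0000] "POST /quarantine/search HTTP/1.1" 200 4201
198.51.100.7 - - [10/Dec/2025:09:16:10 +0000] "POST /quarantine HTTP/1.1" 200 88
198.51.100.7 - - [10/Dec/2025:09:16:11 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


@dataclass
class Request:
    ip: str
    user: str      # "-" means no authenticated user was recorded
    ts: str
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Request]:
    """Return a Request for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Request(m["ip"], m["user"], m["ts"], m["method"], m["path"], int(m["status"]))


def is_trusted(ip: str, trusted_nets: List[ipaddress._BaseNetwork]) -> bool:
    """True if the source address falls inside any trusted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable source: never treat as trusted
    return any(addr in net for net in trusted_nets)


def triage(log_text: str, trusted_cidrs: Iterable[str]) -> List[Dict]:
    """Flag every request from outside the allowlist.

    Unauthenticated POSTs from untrusted sources are ranked 'high' because a
    management/quarantine interface restricted to trusted hosts should never
    accept them; other untrusted requests are 'medium' (exposure evidence).
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings: List[Dict] = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None or is_trusted(req.ip, nets):
            continue
        unauth_post = req.method == "POST" and req.user == "-"
        findings.append({
            "ip": req.ip,
            "method": req.method,
            "path": req.path,
            "status": req.status,
            "severity": "high" if unauth_post else "medium",
            "reason": ("unauthenticated POST from untrusted source"
                       if unauth_post else "request from untrusted source"),
        })
    return findings


def posts_per_source(findings: List[Dict]) -> Dict[str, int]:
    """Count high-severity findings per source address for prioritisation."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f["severity"] == "high":
            counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, TRUSTED_CIDRS):
        print(f"[{finding['severity']:6}] {finding['ip']} {finding['method']} "
              f"{finding['path']} -> {finding['status']}: {finding['reason']}")
```

With the constructed sample, two of the three flagged requests are unauthenticated POSTs from outside the allowlist, which is exactly the traffic a firewall in front of the appliance should already be dropping. Any finding at all from an untrusted source is also direct evidence that the interface is reachable from the internet, which is the exposure condition the article says exploitation depends on.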
In response to the increasing threat, CISA has added CVE-2025-20393 to its KEV catalog, mandating that Federal Civilian Executive Branch agencies implement mitigations by December 24, 2025.
In addition, GreyNoise reported detecting a coordinated, automated credential-stuffing campaign targeting enterprise VPN infrastructure, including Cisco SSL VPN and Palo Alto Networks GlobalProtect portals. The activity involves large-scale scripted login attempts rather than vulnerability exploitation, with consistent infrastructure and timing suggesting a single campaign pivoting across multiple VPN platforms.
The fast-moving exploitation of CVE-2025-20393 and its active use by a China-backed hacking group suggest a rising risk of follow-on attacks against organizations worldwide. To minimize the risks of exploitation attempts, rely on SOC Prime’s AI-Native Detection Intelligence Platform, which equips SOC teams with cutting-edge technologies and top cybersecurity expertise to stay ahead of emerging threats while maintaining operational effectiveness.