Cisco Patches Zero-Day RCE Exploited by China-Linked APT in Secure Email Gateways
Cisco on Thursday released security updates for a maximum-severity security flaw impacting Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, nearly a month after the company disclosed that it had been exploited as a zero-day by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686. The vulnerability, tracked as CVE-2025-20393 (CVSS
AI Analysis
Technical Summary
Cisco disclosed and patched a critical zero-day vulnerability, CVE-2025-20393, in the AsyncOS software that runs Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. It is a remote command execution (RCE) flaw caused by insufficient validation of HTTP requests handled by the Spam Quarantine feature; a successful exploit runs arbitrary commands as root on the appliance's underlying operating system. Three conditions must hold for an appliance to be exploitable: it runs a vulnerable AsyncOS version, the Spam Quarantine feature is enabled, and that feature is reachable from the internet.
The China-linked advanced persistent threat (APT) group UAT-9686 has exploited the flaw since late November 2025. Its post-exploitation tooling includes the tunneling tools ReverseSSH (tracked as AquaTunnel) and Chisel, a log-cleaning utility (AquaPurge), and a lightweight Python backdoor (AquaShell) that receives encoded commands.
Cisco has released fixes in AsyncOS 15.0.5-016, 15.5.4-012 and 16.0.4-016 for Secure Email Gateway, with corresponding releases for Secure Email and Web Manager; the updates also remove the persistence mechanisms the attackers installed. Cisco's recommended hardening is to restrict network access to the appliances and place them behind firewalls, monitor web logs for anomalous traffic, disable HTTP access to the admin portal, disable unnecessary network services, enforce strong authentication such as SAML or LDAP, and change default administrator passwords. The vulnerability is rated CVSS 10.0, the maximum severity; the medium severity label attached to this entry does not reflect the vendor's rating and should not be used for prioritization.
The vulnerability’s exploitation enables full system compromise remotely without user interaction, posing a severe risk to organizations relying on these Cisco products for email security.
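The three exploitation conditions above translate directly into a triage rule. The following is an added example, not code from the article or from Cisco: it parses AsyncOS version strings so that builds compare numerically rather than as text, maps each Secure Email Gateway release train to the fixed build the text lists (Secure Email and Web Manager builds are not listed on this page and are therefore not covered), and combines patch state with the two exposure conditions into a priority. The inventory records, hostnames and versions at the bottom are constructed for illustration.

```python
"""Triage helper for CVE-2025-20393 on Cisco Secure Email Gateway.

Added example, not Cisco's code. The fixed builds come from the text above and
cover only the Secure Email Gateway release trains listed there; the inventory
at the bottom is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Fixed AsyncOS builds for Secure Email Gateway, keyed by (major, minor) release train.
FIXED_VERSIONS = {
    (15, 0): "15.0.5-016",
    (15, 5): "15.5.4-012",
    (16, 0): "16.0.4-016",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> tuple:
    """Parse an AsyncOS version such as '15.0.5-016' into a tuple of ints.

    Tuple comparison then orders builds correctly ('15.0.5-016' > '15.0.4-010'),
    which naive string comparison does not.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version format: {version!r}")
    return tuple(int(part) for part in m.groups())


def patch_status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for a Secure Email Gateway build.

    'unknown' means the release train has no fixed build listed in the text;
    such appliances must be checked against the vendor advisory directly
    rather than assumed safe.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        return "unknown"
    return "patched" if v >= parse_version(fixed) else "vulnerable"


@dataclass
class Appliance:
    hostname: str
    version: str
    spam_quarantine_enabled: bool
    quarantine_internet_reachable: bool


def triage(appliance: Appliance) -> dict:
    """Combine the three exploitation conditions from the text into a priority."""
    status = patch_status(appliance.version)
    exploitable = (
        status == "vulnerable"
        and appliance.spam_quarantine_enabled
        and appliance.quarantine_internet_reachable
    )
    if exploitable:
        priority = "P1: patch now and treat as potentially compromised"
    elif status in ("vulnerable", "unknown"):
        priority = "P2: patch; not all exposure conditions currently met"
    else:
        priority = "P3: patched; confirm it was never exposed while unpatched"
    return {
        "hostname": appliance.hostname,
        "patch_status": status,
        "exploitable": exploitable,
        "priority": priority,
    }


# Constructed inventory for illustration; hostnames and versions are made up.
INVENTORY = [
    Appliance("esa-dmz-1", "15.0.3-004", True, True),
    Appliance("esa-int-1", "15.5.4-012", True, False),
    Appliance("esa-lab-1", "16.0.3-019", False, True),
    Appliance("esa-old-1", "14.2.1-020", True, True),
]


def triage_all(inventory=INVENTORY) -> list:
    """Triage every appliance, P1 first."""
    return sorted((triage(a) for a in inventory), key=lambda r: r["priority"])


if __name__ == "__main__":
    for row in triage_all():
        print(f"{row['hostname']:<12} {row['patch_status']:<10} {row['priority']}")
```

Note that a P2 result is not a reason to defer: an appliance whose quarantine is currently internal can become exposed by a firewall change, and a train the table does not know about is reported as unknown rather than safe.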
Potential Impact
For European organizations, this vulnerability presents a significant risk due to the widespread use of Cisco Secure Email Gateway and Secure Email and Web Manager appliances in enterprises, government agencies, and critical infrastructure sectors. Successful exploitation can lead to complete system compromise, allowing attackers to execute arbitrary commands with root privileges, potentially leading to data breaches, espionage, disruption of email services, and lateral movement within networks. The involvement of a China-linked APT suggests targeted espionage or sabotage motives, increasing the risk for organizations involved in sensitive sectors such as defense, telecommunications, finance, and public administration. The exposure of the Spam Quarantine feature to the internet amplifies the risk, especially for organizations with misconfigured or poorly segmented networks. The deployment of tunneling tools and backdoors indicates attackers can maintain long-term persistence and exfiltrate data stealthily. This could undermine confidentiality, integrity, and availability of critical communications infrastructure, impacting business continuity and regulatory compliance under GDPR and other European data protection laws.
Mitigation Recommendations
European organizations should work through the following steps, in this order:
- Inventory: identify every Cisco Secure Email Gateway or Secure Email and Web Manager appliance, record its AsyncOS version, and check whether the Spam Quarantine feature is enabled and reachable from the internet.
- Patch: upgrade to AsyncOS 15.0.5-016, 15.5.4-012 or 16.0.4-016 for Secure Email Gateway, or the corresponding Secure Email and Web Manager release, on every affected appliance, not only those currently exposed.
- Reduce exposure: ensure the Spam Quarantine interface is not directly reachable from the internet or other untrusted networks, and restrict inbound traffic at the firewall to trusted sources only.
- Harden: disable HTTP access to the administrator portal and any unnecessary network services, require SAML or LDAP authentication for appliance access, and replace default or weak administrator passwords with unique, complex credentials.
- Monitor: continuously review web logs and network traffic for unusual patterns, in particular outbound connections consistent with ReverseSSH (AquaTunnel) or Chisel tunnels.
- Hunt: because the actor deploys a log-cleaning utility (AquaPurge), clean local logs on an appliance that was exposed while unpatched are not evidence that it was not compromised; treat such appliances as potentially compromised, search them for AquaTunnel, AquaShell and AquaPurge artifacts, corroborate with firewall and network logs, and verify after patching that no persistence mechanisms remain.
- Sustain: conduct regular audits and vulnerability assessments, educate IT staff on the risk, and keep patch management processes timely.
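The monitoring step above is easiest to act on when it is expressed as rules over log lines. The following is an added example, not code from the article or from Cisco: it reads web-access-log lines, keeps only requests to the Spam Quarantine interface, and raises an alert when the source is outside the trusted networks, when the client looks scripted rather than a browser, or when one source makes a burst of requests. It assumes a generic combined log format; the appliance's real web log format may differ, and `LOG_RE` must be adapted to it. `TRUSTED_NETWORKS`, `QUARANTINE_PREFIX`, `SCRIPT_UA_RE`, `BURST_THRESHOLD` and the sample log lines are all constructed assumptions, not indicators from the article.

```python
"""Flag suspicious access to the Spam Quarantine web interface in access-log lines.

Added example, not Cisco's code. It assumes a generic combined-log-format line;
the appliance's real web log format may differ and LOG_RE must be adapted to it.
TRUSTED_NETWORKS, QUARANTINE_PREFIX and the sample lines are all constructed.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: networks legitimately allowed to reach the quarantine UI
# (admin LAN, VPN pool). Anything else should have been blocked at the firewall.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
# Assumption: URL prefix under which the Spam Quarantine UI is served.
QUARANTINE_PREFIX = "/euq"
# User agents typical of scripted tooling rather than a user's browser (assumption).
SCRIPT_UA_RE = re.compile(r"python-requests|curl/|Go-http-client|libwww", re.I)
# Requests from one source to the quarantine UI before a 'burst' alert is raised.
BURST_THRESHOLD = 5

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside an allowed network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # hostnames or garbage are never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def analyse(lines) -> list:
    """Return one alert per quarantine-UI request that trips at least one rule."""
    per_ip = Counter()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(QUARANTINE_PREFIX):
            continue
        reasons = []
        if not is_trusted(rec["ip"]):
            reasons.append("untrusted_source")
        if SCRIPT_UA_RE.search(rec["ua"]):
            reasons.append("scripted_client")
        per_ip[rec["ip"]] += 1
        if per_ip[rec["ip"]] == BURST_THRESHOLD:
            reasons.append("burst")
        if reasons:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                           "path": rec["path"], "status": rec["status"], "reasons": reasons})
    return alerts


# Constructed sample log; all addresses are documentation ranges.
SAMPLE_LOG = [
    '10.1.2.3 - - [02/Dec/2025:09:14:01 +0000] "GET /euq/login HTTP/1.1" 200 1342 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"',
    '10.1.2.3 - - [02/Dec/2025:09:14:05 +0000] "POST /euq/login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"',
    '10.1.2.3 - - [02/Dec/2025:09:14:06 +0000] "GET /static/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"',
    '203.0.113.9 - - [02/Dec/2025:09:18:40 +0000] "GET /euq/login HTTP/1.1" 200 1342 "-" "Mozilla/5.0 (Macintosh) Safari/605.1.15"',
    '198.51.100.77 - - [02/Dec/2025:09:20:11 +0000] "GET /euq/login HTTP/1.1" 200 1342 "-" "python-requests/2.32.3"',
    '198.51.100.77 - - [02/Dec/2025:09:20:12 +0000] "POST /euq/search HTTP/1.1" 200 88 "-" "python-requests/2.32.3"',
    '198.51.100.77 - - [02/Dec/2025:09:20:12 +0000] "POST /euq/search HTTP/1.1" 200 88 "-" "python-requests/2.32.3"',
    '198.51.100.77 - - [02/Dec/2025:09:20:13 +0000] "POST /euq/search HTTP/1.1" 200 88 "-" "python-requests/2.32.3"',
    '198.51.100.77 - - [02/Dec/2025:09:20:13 +0000] "POST /euq/search HTTP/1.1" 500 0 "-" "python-requests/2.32.3"',
    'this line is not an access-log record and is skipped',
]


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a["ts"], a["ip"], a["method"], a["path"], a["status"], ",".join(a["reasons"]))
```

The untrusted-source rule is the important one: once inbound access is restricted at the firewall, any quarantine request from outside the allowed networks is a misconfiguration or an attack, regardless of user agent. Because the actor's tooling includes a log cleaner, run this against logs shipped off the appliance (syslog or a SIEM) rather than only the copy still on the box.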
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Finland
Technical Details
- Article Source: https://thehackernews.com/2026/01/cisco-patches-zero-day-rce-exploited-by.html (fetched 2026-01-16)
Threat ID: 696a0eecb22c7ad8687e4518
Added to database: 1/16/2026, 10:11:56 AM
Last enriched: 1/16/2026, 10:12:30 AM
Last updated: 2/7/2026, 10:15:25 AM