Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances
Cisco has alerted users to a maximum-severity zero-day flaw in Cisco AsyncOS software that has been actively exploited by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686 in attacks targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The networking equipment major said it became aware of the intrusion campaign on December 10, 2025, and that it
AI Analysis
Technical Summary
Cisco has identified a critical zero-day vulnerability (CVE-2025-20393) in the AsyncOS software that powers Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances. The flaw stems from improper input validation in the Spam Quarantine feature: when that feature is enabled and its interface is reachable from the internet, an unauthenticated remote attacker can execute arbitrary commands as root on the underlying operating system. It carries the maximum CVSS score of 10.0. Exploitation requires the Spam Quarantine feature to be both enabled and internet-exposed, a combination that is not the default configuration, but every AsyncOS version is affected when those conditions hold.

The threat actor behind the attacks is a China-nexus advanced persistent threat group tracked as UAT-9686, active since at least November 2025. It has used the vulnerability to deploy tunneling tools (ReverseSSH (AquaTunnel) and Chisel), a log cleaning utility (AquaPurge), and a lightweight Python backdoor (AquaShell) that listens for unauthenticated HTTP POST requests carrying encoded commands. Together these give the attackers persistent, stealthy control over compromised appliances, and Cisco's investigation found persistence mechanisms implanted on victim devices.

Cisco advises users to verify the Spam Quarantine configuration, remove internet access to the affected interfaces, disable unnecessary services, and monitor web logs for suspicious activity. In confirmed compromises, rebuilding the appliance is currently the only way to fully remove the attacker's foothold. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to mitigate it by December 24, 2025.
This disclosure coincides with increased automated credential-based attacks against Cisco VPN infrastructure, highlighting a broader targeting of Cisco security products by threat actors.
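The summary above says that AquaShell accepts unauthenticated HTTP POST requests carrying encoded commands, and Cisco's guidance is to watch web logs for exactly that kind of traffic. The script below is an added example written for this page, not Cisco, Talos or UAT-9686 code: it parses access-log lines and flags POSTs that look scripted or that come from outside the ranges allowed to reach the Spam Quarantine listener. The log format (combined-log style), the trusted ranges, the expected POST paths and the sample lines are all assumptions constructed for the example; the real AsyncOS web log layout differs, so the regex is the part to adapt.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed trusted client ranges for the Spam Quarantine listener (internal LAN
# and VPN pools). Illustrative values; substitute your own allowlist.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed paths that legitimately receive browser form POSTs on the quarantine UI.
# Placeholder names, not AsyncOS route names; derive the real list from your logs.
EXPECTED_POST_PATHS = {"/login", "/Search", "/release"}

# Combined-log-style regex. Assumed format for the example; AsyncOS web/GUI logs
# look different, so adjust the field extraction here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: one legitimate internal user session, one internal
# scripted client, and one external host issuing scripted POSTs.
SAMPLE_LOG = """\
10.1.20.15 - jdoe [17/Dec/2025:09:12:04 +0000] "POST /login HTTP/1.1" 200 512 "https://quarantine.example.org/login" "Mozilla/5.0 (Windows NT 10.0)"
10.1.20.15 - jdoe [17/Dec/2025:09:12:09 +0000] "GET /Search HTTP/1.1" 200 8123 "https://quarantine.example.org/login" "Mozilla/5.0 (Windows NT 10.0)"
10.1.20.40 - - [17/Dec/2025:09:30:00 +0000] "POST /release HTTP/1.1" 200 40 "https://quarantine.example.org/Search" "curl/8.4.0"
203.0.113.77 - - [17/Dec/2025:03:41:18 +0000] "POST /login HTTP/1.1" 200 187 "-" "python-requests/2.31.0"
203.0.113.77 - - [17/Dec/2025:03:41:19 +0000] "POST /cgi-bin/unknown HTTP/1.1" 200 94 "-" "python-requests/2.31.0"
203.0.113.77 - - [17/Dec/2025:03:44:02 +0000] "POST /cgi-bin/unknown HTTP/1.1" 200 61 "-" "curl/8.4.0"
198.51.100.9 - - [17/Dec/2025:07:05:33 +0000] "GET /login HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def from_trusted(ip_text):
    """True if the client address falls inside one of the trusted ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def suspicious_reasons(rec):
    """Why a parsed request resembles backdoor traffic or an exploitation attempt.

    Only POSTs are considered. An untrusted source is a strong signal on its own;
    the other signals are weak and only count when two or more coincide, so a
    single internal scripted client does not page anyone."""
    if rec["method"] != "POST":
        return []
    reasons = []
    if not from_trusted(rec["ip"]):
        reasons.append("post_from_untrusted_source")
    if rec["path"] not in EXPECTED_POST_PATHS:
        reasons.append("post_to_unexpected_path")
    if not rec["ua"].startswith("Mozilla/"):
        reasons.append("non_browser_user_agent")
    if rec["referer"] in ("", "-"):
        reasons.append("missing_referer")
    strong = "post_from_untrusted_source" in reasons
    return reasons if strong or len(reasons) >= 2 else []


def find_suspicious(log_text):
    """Group flagged requests by source address: {ip: [(ts, path, status, reasons)]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = suspicious_reasons(rec)
        if reasons:
            hits[rec["ip"]].append((rec["ts"], rec["path"], rec["status"], reasons))
    return dict(hits)


if __name__ == "__main__":
    for ip, requests in find_suspicious(SAMPLE_LOG).items():
        for ts, path, status, reasons in requests:
            print(f"{ip} {ts} POST {path} -> {status}: {', '.join(reasons)}")
```

A hit is a trigger for investigation and for the rebuild decision in the mitigation list, not proof of compromise on its own; a 200 response to a scripted POST on a path the quarantine UI never serves is the pattern worth escalating first.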
Potential Impact
For European organizations, the impact of this vulnerability is significant due to the critical role Cisco Secure Email Gateway and Secure Email and Web Manager appliances play in email security and web management. Successful exploitation grants attackers root-level control over affected appliances, enabling full system compromise, data exfiltration, interception or manipulation of email traffic, and persistent backdoor access. This can lead to severe confidentiality breaches, disruption of email services, and potential lateral movement within corporate networks. Given the involvement of a China-linked APT group, there is an elevated risk of espionage and targeted attacks against strategic sectors such as government, defense, finance, and critical infrastructure in Europe. The requirement that the Spam Quarantine feature be internet-exposed limits the attack surface but does not eliminate risk, especially for organizations with misconfigured or legacy deployments. The persistence mechanisms and advanced tunneling tools used by the attackers complicate detection and remediation, increasing the likelihood of prolonged undetected compromise. The impact is exacerbated by the lack of an available patch at the time of disclosure, forcing reliance on configuration changes and network defenses. European entities that rely heavily on Cisco email security appliances and have internet-facing management or quarantine interfaces are particularly vulnerable to operational disruption and data loss.
Mitigation Recommendations
1. Immediately verify whether the Spam Quarantine feature is enabled on Cisco Secure Email Gateway and Secure Email and Web Manager appliances by checking the web management interface under Network > IP Interfaces.
2. If enabled, remove any direct internet exposure of the Spam Quarantine interface; place the appliances behind firewalls that allow traffic only from trusted internal hosts or VPNs.
3. Disable the Spam Quarantine feature if it is not essential to business operations.
4. Disable all unnecessary network services on the appliances, including HTTP access to the main administrator portal; use SAML or LDAP authentication and enforce strong, unique administrator passwords.
5. Monitor web logs and network traffic for unusual HTTP POST requests (AquaShell accepts unauthenticated POSTs carrying encoded commands) or other activity indicative of exploitation attempts or backdoor communication.
6. Segment mail and management functions onto separate network interfaces to reduce the attack surface.
7. In case of confirmed compromise, rebuild the affected appliance from trusted sources to remove persistence mechanisms; cleaning in place may be ineffective.
8. Watch for Cisco's forthcoming patches and apply them promptly once available.
9. Scan your address space to identify any AsyncOS appliances with an internet-facing Spam Quarantine interface and remediate them.
10. Brief IT and security teams on this threat to ensure rapid detection and response.
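Steps 1, 2, 3, 4, 6 and 9 above reduce to two checks: which interfaces carry the Spam Quarantine (and other risky services) on an address that is not internal, and whether the quarantine ports really answer from outside. The script below is an added example written for this page, not a Cisco tool: `audit` applies those steps to an interface inventory you transcribe from Network > IP Interfaces, and `probe` confirms reachability from wherever you run it (run it from outside the perimeter for step 9). The inventory, the trusted ranges and the finding labels are constructed; the listener ports 82 (HTTP) and 83 (HTTPS) are assumed Spam Quarantine defaults and should be confirmed against your configuration.

```python
import ipaddress
import socket
from dataclasses import dataclass, field

# Assumed default Spam Quarantine listener ports on AsyncOS (HTTP 82, HTTPS 83);
# confirm against the interface configuration before relying on them.
SPAM_QUARANTINE_PORTS = (82, 83)

# Assumed trusted ranges (internal LAN and VPN pools). An interface address
# outside these is treated as potentially reachable from the internet.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Finding labels (constructed), most urgent first.
PRIORITY = [
    "spam_quarantine_on_untrusted_interface",   # step 2: remove exposure now
    "quarantine_shares_interface_with_smtp",    # step 6: segment mail from quarantine
    "http_admin_enabled",                       # step 4: disable plain-HTTP admin
    "spam_quarantine_enabled_review",           # step 3: is the feature needed at all?
]


@dataclass
class Interface:
    """One row of Network > IP Interfaces, transcribed by hand (constructed here)."""
    name: str
    ip: str
    spam_quarantine: bool                          # Spam Quarantine enabled on this interface
    http_admin: bool = False                       # plain-HTTP management enabled here
    services: list = field(default_factory=list)   # other services on the interface, e.g. "smtp"


def in_trusted(ip_text):
    """True if the interface address lies inside a trusted range."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in TRUSTED_NETS)


def audit(interfaces):
    """Apply mitigation steps 1-4 and 6 to an interface inventory.

    Returns (interface name, finding) pairs, most urgent first."""
    findings = []
    for iface in interfaces:
        if iface.spam_quarantine:
            if not in_trusted(iface.ip):
                findings.append((iface.name, "spam_quarantine_on_untrusted_interface"))
            else:
                findings.append((iface.name, "spam_quarantine_enabled_review"))
            if "smtp" in iface.services:
                findings.append((iface.name, "quarantine_shares_interface_with_smtp"))
        if iface.http_admin:
            findings.append((iface.name, "http_admin_enabled"))
    return sorted(findings, key=lambda f: PRIORITY.index(f[1]))


def probe(host, ports=SPAM_QUARANTINE_PORTS, timeout=3.0):
    """Step 9: check whether the quarantine ports accept TCP connections from
    this vantage point. Returns the ports that answered."""
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass   # refused, filtered or timed out: treat as closed
    return open_ports


# Constructed inventory: an internal management interface with plain-HTTP admin,
# an internal interface serving the quarantine, and a public MX interface that
# also serves the quarantine (the configuration this advisory is about).
SAMPLE_INVENTORY = [
    Interface("Management", "10.0.5.10", spam_quarantine=False, http_admin=True),
    Interface("Data1", "192.168.40.20", spam_quarantine=True),
    Interface("Data2", "203.0.113.25", spam_quarantine=True, services=["smtp"]),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INVENTORY):
        print(f"{name}: {finding}")
    # Example external check; replace with the appliance's public address.
    print("open quarantine ports:", probe("quarantine.example.org", timeout=1.0))
```

The audit is only as good as the trusted-range list: an interface on a public address that is already fenced off by an upstream firewall still shows up as exposed until `probe` from the internet side proves otherwise, which is the order the mitigation list intends.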
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Belgium, Sweden, Poland, Switzerland
Technical Details
- Article Source: https://thehackernews.com/2025/12/cisco-warns-of-active-attacks.html (fetched 2025-12-18T05:06:46Z, 1338 words)
Threat ID: 69438be94dbf28c5eacfb0b3
Added to database: 12/18/2025, 5:06:49 AM
Last enriched: 12/18/2025, 5:07:12 AM
Last updated: 12/18/2025, 1:24:19 PM