Chinese-Linked Threat Actors Exploit Cisco AsyncOS Zero-Day for Nearly a Month Without Fix
December 30, 2025
Suspected Chinese-government-affiliated hackers have been exploiting a critical Cisco AsyncOS zero-day vulnerability, affecting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances, for almost a month. There is currently no timeline for an official fix.
Details of the Vulnerability
Cisco disclosed the flaw, identified as CVE-2025-20393, on Wednesday. The vulnerability impacts both physical and virtual deployments of SEG and SEWM appliances in specific non-standard configurations, particularly when the Spam Quarantine feature is enabled and exposed to the internet.
"On December 10, Cisco became aware of a new cyberattack campaign targeting a limited subset of appliances with certain ports open to the internet … This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance," the security advisory states.
Cisco has issued recommendations to help customers assess their exposure and mitigate potential risks. Meanwhile, Cisco's threat intelligence division, Talos, reports that the attacks have been ongoing since at least late November 2025.
Ongoing Exploits and Impact
Cisco refrained from revealing specific numbers regarding affected appliances or the expected timeline for the release of a fix. The company urges customers to follow the advisory's guidance carefully.
"We strongly urge customers to follow guidance in the advisory to assess any exposure and mitigate risk," a Cisco spokesperson said. "Cisco is actively investigating the issue and developing a permanent remediation."
The US Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the severity of the vulnerability.
Attribution and Attack Techniques
Cisco Talos attributes the attacks, with moderate confidence, to a Chinese-nexus advanced persistent threat (APT) group known as UAT-9686. Once inside internet-facing appliances, attackers deploy a persistent Python-based backdoor called AquaShell, along with several malicious tools such as AquaTunnel (a reverse SSH tunnel), Chisel (another tunneling utility), and AquaPurge (a log-clearing utility).
The campaign shows a deliberate effort to maintain persistent access on internet-facing email appliances and to cover its tracks, notably through the AquaPurge log-clearing tool. Because no fix is yet available, the practical defense is not patching but following the advisory's guidance: assess whether the Spam Quarantine interface is reachable from the internet, remove that exposure where possible, and review exposed appliances for signs of compromise rather than relying on local logs that the attackers may have cleared.
Note: This article is for informational purposes and reflects ongoing investigations and advisories from Cisco and security agencies.