Cisco has released free security updates. These security updates primarily address a significant security loophole discovered in its AsyncOS Software, which is run on Cisco Secure Email Gateways and Cisco Secure Email and Web Manager. The bug has been tagged CVE-2025-20393. It has been given a critical CVSS score of 10.0, underscoring its highly dangerous potential risk. This vulnerability allows for remote command execution, which brings critical threats to enterprises that use impacted systems.
The company revealed that this critical flaw had been actively exploited by a China-linked advanced persistent threat (APT) group, designated UAT-9686. According to the latest threat intelligence, attackers began exploiting CVE-2015-20393 in late November 2025. This happened almost a month before any of the security updates were made publicly available. The attackers used a low overhead Python backdoor, dubbed AquaShell, as their main stage tool during the operation.
Details of the Vulnerability
CVE-2025-20393 was due to a lack of proper input validation of HTTP requests in the Spam Quarantine functionality in the AsyncOS Software. This failure to validate the commands properly permitted attackers to run arbitrary commands on the victim server remotely. To achieve successful exploitation, the vulnerable appliance must execute an affected version of Cisco AsyncOS Software. Moreover, Spam Quarantine feature needs to be enabled, and the appliance needs to be open to the internet.
The APT group used AquaShell to receive and execute base64-encoded commands over a secure shell on compromised systems. Thwarted, the attackers deployed tunneling tools including ReverseSSH, also dubbed AquaTunnel, and Chisel. Funding those tools allowed them to get more access to and control over the damaged ecosystems. A log cleaning utility, AquaPurge, was used to obfuscate their activity even further and establish persistence on the systems.
Implications for Organizations
With a devastating new exploit demonstrated, the importance of prompt security releases should go without saying. All organizations that use Cisco products have an obligation to robustly manage patches. With the exploitation of CVE-2025-20393 by a sophisticated threat actor like UAT-9686, companies are urged to prioritize the application of the recent security updates released by Cisco.
Organizations should assess their configurations to ensure that their appliances are not only updated but secure from potential external access. This means verifying firewall rules and preventing all access to the Spam Quarantine feature from the outside world.
Recommendations for Mitigation
Cisco is recommending that all users avoid delay in addressing this threat. Please install these critical security updates to help defend against the major vulnerability tied to CVE-2025-20393. Organizations should additionally perform in-depth security assessments on their AsyncOS Software configurations to understand if they are exposed.
Furthermore, network administrators are advised to implement additional monitoring measures to detect any anomalies or unauthorized access attempts that may indicate exploitation attempts. Consistent audits and awareness can significantly improve an organization’s preparedness from these advanced cyber threats.