Cisco Alerts Users to Critical Zero-Day Flaw in AsyncOS Email Security Appliances

By Tina Reynolds

Cisco has recently warned of a critical zero-day vulnerability in its AsyncOS software, which powers its email security appliances. The flaw, tracked as CVE-2025-20393, stems from improper input validation and carries a Common Vulnerability Scoring System (CVSS) score of 10.0, the maximum critical rating. Threat actors may exploit it to run malicious commands with elevated privileges on the underlying operating system.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has moved quickly in response, adding CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog. Cisco’s security advisory further notes that all releases of AsyncOS Software are vulnerable, which means every organization that relies on these appliances is exposed.

Ongoing Threats and Exploitation

Unfortunately, recent research has uncovered active exploitation of the vulnerability. The attacks are attributed to a China-nexus advanced persistent threat (APT) actor tracked as UAT-9686. The group has targeted Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances using a lightweight Python backdoor named AquaShell, which accepts encoded commands and runs them on infected machines.

Cisco only learned of the intrusion campaign on December 10, 2025. After the discovery, the company reported that the activity originated from 1,273 unique IP addresses, a scale and level of coordination that point to a large-scale attack. In a single day, more than 10,000 unique IPs targeted GlobalProtect portals in the U.S., Pakistan, and Mexico with automated login attempts using common usernames and passwords.

“It listens passively for unauthenticated HTTP POST requests containing specially crafted data.” – Cisco

Further, we logged a huge increase in brute-force login attempts against Cisco SSL VPN endpoints on December 12, 2025. This increase is consistent with what we found previously. Cisco has indicated that only a limited subset of appliances, those with certain ports exposed to the internet, is at heightened risk.

Mitigation Strategies

Given these circumstances, Cisco has stressed the need for swift action to reduce the exploitable risk from CVE-2025-20393. Federal Civilian Executive Branch (FCEB) agencies are specifically required to implement the necessary mitigations by December 24, 2025, to safeguard their networks against potential exploitation.

Cisco has advised that in cases of confirmed compromise, rebuilding the affected appliances is currently the only viable way to eradicate the threat actor’s persistence mechanism from the system. Piecemeal patching is dangerous, and organizations need to step up their cybersecurity efforts; a rebuild does not absolve them of the responsibility to keep their systems current and well-defended.

“If such a request is identified, the backdoor will then attempt to parse the contents using a custom decoding routine and execute them in the system shell.” – Cisco
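As an added defender-side example, not code from Cisco or from this article, the following Python script scans HTTP access-log lines for the pattern the quoted advisory text describes: an unauthenticated POST whose body is an opaque encoded blob rather than a normal form submission. The simplified log format, the paths, the IP addresses and the base64 payloads are all constructed for the example, and the base64 check is a generic heuristic, not a description of AquaShell's actual decoding routine.

```python
"""Flag unauthenticated POST requests carrying opaque encoded bodies.

Added example with a constructed, simplified access-log format:
    client_ip method path status auth_user body
where auth_user is '-' for unauthenticated requests and body is '-' when empty.
"""
import base64
import binascii
import re
from collections import Counter

# Constructed opaque payloads; real backdoor traffic would use its own encoding.
BLOB_1 = base64.b64encode(b"constructed opaque payload one").decode()
BLOB_2 = base64.b64encode(b"constructed opaque payload two").decode()
BLOB_3 = base64.b64encode(b"constructed authenticated payload").decode()

# Constructed sample log; the paths and addresses are placeholders.
SAMPLE_LOG = f"""\
203.0.113.10 POST /login 200 - user=alice&pass=correct-horse
203.0.113.10 POST /mgmt/upload 200 alice filename=report.pdf
198.51.100.7 POST /cgi-bin/status 200 - {BLOB_1}
198.51.100.7 POST /cgi-bin/status 200 - {BLOB_2}
192.0.2.33 GET /index.html 200 - -
192.0.2.44 POST /api/session 200 bob {BLOB_3}
"""

# A base64-like run of at least 16 characters with optional trailing padding.
# Form posts fail this because '&' and a mid-string '=' are outside the alphabet.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def looks_encoded(body: str) -> bool:
    """Heuristic: True if the body is an opaque base64 blob, not a form body."""
    if body == "-" or not BASE64_RE.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def parse_line(line: str) -> dict:
    """Split one constructed-format log line into its fields."""
    ip, method, path, status, user, body = line.split(" ", 5)
    return {"ip": ip, "method": method, "path": path,
            "status": int(status), "user": user, "body": body}


def triage(log_text: str) -> list:
    """Return (ip, path) for every unauthenticated POST with an encoded body."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec["method"] == "POST" and rec["user"] == "-" and looks_encoded(rec["body"]):
            findings.append((rec["ip"], rec["path"]))
    return findings


def suspicious_sources(log_text: str) -> Counter:
    """Count flagged requests per source IP to prioritise investigation."""
    return Counter(ip for ip, _ in triage(log_text))


if __name__ == "__main__":
    for ip, path in triage(SAMPLE_LOG):
        print(f"unauthenticated encoded POST from {ip} to {path}")
    print(suspicious_sources(SAMPLE_LOG))
```

The authenticated POST from `bob` and the ordinary form login are ignored; only the two unauthenticated requests carrying opaque blobs are reported, grouped by source so that a flood from a few addresses stands out. On a real appliance the same idea applies to whatever request logging is available, with the alphabet check adjusted to the encoding actually observed.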

GreyNoise offers a reminder not to let your guard down. Its finding is that the activity consisted of large-scale scripted login attempts rather than manual exploitation of vulnerabilities. The distinction matters: exploitation is the biggest risk, but brute-force attacks, and the need for defensive measures against them, cannot be forgotten.
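As an added example, not part of the article or of GreyNoise's own tooling, the following Python script shows how a defender can draw the distinction GreyNoise makes from an authentication log: distributed scripted login attempts (many source IPs, a few attempts each, mostly common usernames) versus a single-source brute force. The log format, the IP addresses, the usernames and the classification thresholds are all constructed assumptions.

```python
"""Classify failed-login activity as distributed scripted spraying,
single-source brute force, or ordinary low-volume failures.

Added example with a constructed log format: ISO timestamp, source IP,
username, outcome (OK or FAIL), one event per line.
"""
from collections import Counter
from datetime import datetime

# Assumed set of usernames that scripted login tools commonly try.
COMMON_USERNAMES = {"admin", "administrator", "root", "test", "guest", "user"}

# Constructed sample: eight different sources, one common-name attempt each,
# plus ordinary user activity from a different address range.
SAMPLE_SPRAY_LOG = """\
2025-12-12T01:00:00Z 203.0.113.5 admin FAIL
2025-12-12T01:00:01Z 203.0.113.6 admin FAIL
2025-12-12T01:00:01Z 203.0.113.7 root FAIL
2025-12-12T01:00:02Z 203.0.113.8 test FAIL
2025-12-12T01:00:02Z 203.0.113.9 guest FAIL
2025-12-12T01:00:03Z 203.0.113.10 admin FAIL
2025-12-12T01:00:03Z 203.0.113.11 user FAIL
2025-12-12T01:00:04Z 203.0.113.12 administrator FAIL
2025-12-12T01:05:00Z 198.51.100.20 jsmith OK
2025-12-12T01:06:00Z 198.51.100.21 mlee FAIL
2025-12-12T01:06:30Z 198.51.100.21 mlee OK
"""

# Constructed sample: one source hammering a single account.
SAMPLE_BRUTE_LOG = "\n".join(
    f"2025-12-12T02:00:{i:02d}Z 192.0.2.77 admin FAIL" for i in range(20)
)


def parse_auth_log(text):
    """Parse the constructed format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "user": user, "ok": outcome == "OK",
        })
    return events


def failure_profile(events):
    """Summarise the failed logins: volume, spread across sources, username mix."""
    fails = [e for e in events if not e["ok"]]
    per_ip = Counter(e["ip"] for e in fails)
    users = [e["user"] for e in fails]
    common = sum(u in COMMON_USERNAMES for u in users)
    span = 0.0
    if fails:
        span = (max(e["ts"] for e in fails) - min(e["ts"] for e in fails)).total_seconds()
    return {
        "failed_attempts": len(fails),
        "unique_ips": len(per_ip),
        "max_attempts_per_ip": max(per_ip.values(), default=0),
        "common_username_share": common / len(users) if users else 0.0,
        "span_seconds": span,
    }


def classify(profile, min_ips=5, max_per_ip=3, common_threshold=0.8):
    """Heuristic verdict; the thresholds are assumed and should be tuned per site."""
    if profile["failed_attempts"] == 0:
        return "no-failures"
    if (profile["unique_ips"] >= min_ips
            and profile["max_attempts_per_ip"] <= max_per_ip
            and profile["common_username_share"] >= common_threshold):
        return "distributed-scripted-spray"
    if profile["max_attempts_per_ip"] > max_per_ip:
        return "single-source-brute-force"
    return "low-volume-failures"


if __name__ == "__main__":
    for name, log in (("spray", SAMPLE_SPRAY_LOG), ("brute", SAMPLE_BRUTE_LOG)):
        profile = failure_profile(parse_auth_log(log))
        print(name, classify(profile), profile)
```

The two verdicts call for different responses: a distributed spray is best answered by rate limiting, lockout policy and blocking known scanner ranges at the edge, while a single-source brute force against one account is a narrower incident that warrants checking that account for a successful login. Neither verdict rules out exploitation of a vulnerability such as CVE-2025-20393, which is why this triage complements, rather than replaces, the request-level checks for the backdoor.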