Attacks pummeling Cisco AsyncOS 0-day since late November

Summary

Cisco has disclosed a maximum-severity zero-day, CVE-2025-20393, affecting certain Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances when the Spam Quarantine feature is enabled and exposed to the internet. Cisco first became aware of active exploitation on 10 December and Talos says attacks have been ongoing since at least late November 2025. There is no patch timeline yet; Cisco has published mitigation guidance and CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue.

Talos attributes the campaign with moderate confidence to a Chinese-nexus APT tracked as UAT-9686. After exploitation, attackers deploy a Python-based persistent backdoor called AquaShell and tools such as AquaTunnel (reverse SSH), chisel (tunnelling) and AquaPurge (log erasure) to maintain access and hide activity.

Key Points

  • Vulnerability: CVE-2025-20393 — allows arbitrary command execution as root on affected AsyncOS appliances.
  • Affected products: certain Cisco SEG and SEWM physical and virtual appliances in non-standard configurations where Spam Quarantine is internet-exposed.
  • Active exploitation: Attacks observed since late November 2025; Cisco publicly disclosed the issue on 10 December and has updated the advisory since.
  • Attribution: Cisco Talos links the campaign (moderate confidence) to a Chinese-nexus APT it calls UAT-9686.
  • Post-exploitation toolkit: AquaShell backdoor, AquaTunnel (reverse SSH), chisel tunnelling tool and AquaPurge log-cleaning utility.
  • Mitigation & response: Cisco provides guidance to assess exposure and mitigate risk; CISA added the bug to its KEV catalogue.
  • Patch status: No public timeline for a permanent fix; Cisco is investigating and developing remediation.

Context and relevance

This is a high-impact, supply-chain-style risk for organisations running Cisco’s email and web gateway appliances. Management interfaces and features left enabled and exposed to the internet are a recurring cause of severe compromises; state-linked APTs continue to weaponise such gaps to gain persistent footholds. The KEV listing raises the urgency for incident responders and asset owners to check their exposure immediately.

For security teams the combination of a root-executing zero-day, a persistent Python backdoor and tunnel/log-cleaning tools means successful intrusions can be stealthy and long-lived. This fits broader trends of advanced persistent threat actors turning network and edge devices into beachheads for lateral movement and long-term espionage.

Author style

Punchy: if you run Cisco SEG/SEWM appliances, this isn’t just another patch Tuesday note — it’s a live, exploited zero-day with a persistent toolkit. Read the mitigation guidance and hunt your appliances now.

Why should I read this?

Because if you’ve got Cisco email/web gateway kit online, this could already be a problem. The bug gives attackers root, the intruders are dropping persistent backdoors, and there’s no patch date yet — so doing quick checks and applying Cisco’s mitigations could stop you getting owned.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/12/17/attacks_pummeling_cisco_0day/