Cisco finally fixes max-severity bug under active attack for weeks

Steven

Cisco finally fixes max-severity bug under active attack for weeks

Summary

Cisco has released patches for CVE-2025-20393, a maximum-severity remote code execution vulnerability in AsyncOS that affects certain Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. The flaw was disclosed on 17 December 2025 after Cisco observed attackers targeting appliances from around 10 December, with Talos later attributing activity to UAT-9686 and noting intrusions since at least late November 2025. The vulnerability allowed attackers to execute arbitrary commands as root and installers implemented persistence mechanisms on compromised devices. Cisco’s updates remove those persistence mechanisms and customers are urged to upgrade to fixed releases and contact Cisco TAC if they need help.

Key Points

  • Vulnerability: CVE-2025-20393 in AsyncOS — maximum severity, remote code execution with root privileges.
  • Targets: Certain Cisco Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances.
  • Active exploitation: Attacks observed since at least early December (Talos reports activity from late November 2025) by a China-linked group tracked as UAT-9686.
  • Impact: Attackers could run arbitrary commands as root and had installed persistence mechanisms on compromised appliances.
  • Mitigation: Cisco has released software updates that remove persistence and fix the flaw; customers should upgrade immediately and contact TAC for support.
  • Transparency: Cisco has not disclosed how many appliances were compromised.

Context and relevance

This incident underscores the growing risk posed by attackers — including state-linked groups — targeting security appliances themselves. Compromised email and web gateways can provide long-term, high-privilege access into an organisation, making rapid patching and forensic checks essential. For network and security teams, this is a reminder to prioritise appliance patch cycles, search for indicators of persistence, and validate backups and access controls.

Why should I read this?

Short version: if you run Cisco SEGs or SEWMs, stop whatever non-urgent thing you’re doing and read this. Attackers had root on affected kit and left persistence behind — that can wreck your weekend (and your security posture). This summary tells you what happened, who’s blamed, and what Cisco has released so you can act fast: patch, hunt for compromises, and contact TAC if needed. We’ve saved you time by pulling the essentials together.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/01/15/cisco_fixes_cve_2025_20393/