Cisco AsyncOS Email Security Appliance 0-Day Vulnerability Under Active Attack

Key Takeaways:

  • A maximum-severity zero-day flaw has been discovered in Cisco AsyncOS software, which has been actively exploited by a China-nexus advanced persistent threat (APT) actor.
  • The vulnerability, tracked as CVE-2025-20393, carries a CVSS score of 10.0 and allows threat actors to execute arbitrary commands with root privileges on the underlying operating system.
  • The vulnerability affects all releases of Cisco AsyncOS Software, but successful exploitation requires specific conditions to be met, including the Spam Quarantine feature being enabled and exposed to the internet.
  • Users are advised to take immediate action to mitigate the vulnerability, including restoring appliances to a secure configuration, limiting access from the internet, and disabling HTTP for the main administrator portal.
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply necessary mitigations by December 24, 2025.

Introduction to the Vulnerability
Cisco AsyncOS software has a maximum-severity zero-day flaw that is being actively exploited by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686. The vulnerability, tracked as CVE-2025-20393, carries a CVSS score of 10.0, the highest possible rating. It allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance, so an attacker who exploits it could gain full control of the device and use it to launch further attacks or steal sensitive information.

Conditions for Exploitation
For successful exploitation to occur, certain conditions must be met. These conditions include the appliance being configured with the Spam Quarantine feature, and the Spam Quarantine feature being exposed to and reachable from the internet. It’s worth noting that the Spam Quarantine feature is not enabled by default, so users who have not explicitly enabled this feature are not at risk. However, users who have enabled this feature should take immediate action to mitigate the vulnerability. To check if the Spam Quarantine feature is enabled, users can follow the steps outlined by Cisco, which involve connecting to the web management interface and navigating to the relevant settings.

Exploitation Activity
The exploitation activity observed by Cisco dates back to at least late November 2025, with UAT-9686 weaponizing the vulnerability to drop tunneling tools like ReverseSSH (aka AquaTunnel) and Chisel, as well as a log cleaning utility called AquaPurge. The use of AquaTunnel has been previously associated with Chinese hacking groups like APT41 and UNC5174. Additionally, a lightweight Python backdoor dubbed AquaShell has been deployed in the attacks, which is capable of receiving encoded commands and executing them. This backdoor listens passively for unauthenticated HTTP POST requests containing specially crafted data and attempts to parse the contents using a custom decoding routine and execute them in the system shell.

Mitigation and Recommendations
In the absence of a patch, users are advised to take immediate action to mitigate the vulnerability. This includes restoring their appliances to a secure configuration, limiting access from the internet, securing the devices behind a firewall to allow traffic only from trusted hosts, separating mail and management functionality onto separate network interfaces, monitoring web log traffic for any unexpected traffic, and disabling HTTP for the main administrator portal. Users are also recommended to turn off any network services that are not required, use strong end-user authentication methods like SAML or LDAP, and change the default administrator password to a more secure variant. In case of confirmed compromise, rebuilding the appliances is currently the only viable option to eradicate the threat actor’s persistence mechanism from the appliance.
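As an added illustration of the log-monitoring advice above (example code, not from the article or from Cisco), the following Python script runs two checks over constructed web access log lines: any request to the administrator UI from a host outside the trusted networks, and unauthenticated HTTP POST requests to the spam quarantine listener from untrusted hosts, the request shape the article attributes to AquaShell. The combined-log format, the `/euq/` and `/admin/` path prefixes, and the trusted network 10.0.0.0/8 are assumptions, not Cisco's documented values.

```python
import ipaddress
import re

# Combined-log-style line: client ip, ident, auth user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)

# Hypothetical path prefixes standing in for the spam quarantine and admin UIs;
# they are placeholders, not Cisco's documented URLs.
QUARANTINE_PREFIX = "/euq/"
ADMIN_PREFIX = "/admin/"

# Constructed sample lines (not real telemetry); 10.0.0.0/8 plays the trusted LAN.
SAMPLE_LOG = """\
203.0.113.45 - - [02/Dec/2025:03:14:07 +0000] "POST /euq/login HTTP/1.1" 200 512
10.0.5.12 - jdoe [02/Dec/2025:08:01:33 +0000] "POST /euq/release HTTP/1.1" 200 64
198.51.100.9 - - [02/Dec/2025:03:14:09 +0000] "POST /euq/login HTTP/1.1" 200 64
10.0.5.12 - admin [02/Dec/2025:09:00:00 +0000] "GET /admin/system HTTP/1.1" 200 1024
192.0.2.77 - - [02/Dec/2025:09:00:05 +0000] "GET /admin/system HTTP/1.1" 401 0
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_suspicious(lines, trusted_cidrs):
    """Return (ip, reason) pairs for requests that trip either detection rule."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            ip = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # malformed client field; skip rather than crash the scan
        if any(ip in n for n in nets):
            continue  # both rules only concern hosts outside the trusted networks
        if rec["path"].startswith(ADMIN_PREFIX):
            # Rule 1: the admin UI should never be reachable from untrusted hosts.
            hits.append((rec["ip"], "admin-ui-from-untrusted-host"))
        elif (rec["method"] == "POST" and rec["path"].startswith(QUARANTINE_PREFIX)
              and rec["user"] == "-"):
            # Rule 2: unauthenticated POST to the internet-facing quarantine listener.
            hits.append((rec["ip"], "unauthenticated-post-to-quarantine"))
    return hits
```

Authenticated activity from the trusted LAN is deliberately ignored, so the output is short enough to review by hand; widen the rules once a baseline of normal quarantine traffic is known.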

Government Response
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary mitigations by December 24, 2025, to secure their networks. This move highlights the severity of the vulnerability and the need for immediate action to protect against potential attacks. CISA's response also underscores the importance of collaboration between government agencies and private sector organizations in responding to cybersecurity threats.

Related Activity
The disclosure of the Cisco vulnerability comes as GreyNoise has detected a "coordinated, automated credential-based campaign" aimed at enterprise VPN authentication infrastructure, specifically probing exposed or weakly protected Cisco SSL VPN and Palo Alto Networks GlobalProtect portals. More than 10,000 unique IPs are estimated to have engaged in automated login attempts to GlobalProtect portals located in the U.S., Pakistan, and Mexico using common username and password combinations on December 11, 2025. A similar spike in opportunistic brute-force login attempts has been recorded against Cisco SSL VPN endpoints as of December 12, 2025. The activity originated from 1,273 IP addresses, indicating a large-scale scripted login attempt campaign. This activity reflects the ongoing threat posed by malicious actors seeking to exploit vulnerabilities and gain unauthorized access to sensitive systems and data.
