
CVE-2025-20393: Critical Cisco AsyncOS Zero-Day Actively Exploited

Red | Vulnerability Report
Critical Cisco AsyncOS Zero-Day Enables Root Remote Code Execution

CVE-2025-20393 is a critical zero-day vulnerability with a CVSS score of 10.0 that affects Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager (SEWM) appliances running Cisco AsyncOS. The flaw arises from improper input validation (CWE-20) in the Spam Quarantine web interface and allows unauthenticated remote attackers to execute arbitrary commands with root privileges on vulnerable appliances. Exploitation is possible only when the Spam Quarantine feature is enabled and its interface is exposed to the internet, an unsafe but common misconfiguration of Cisco email security deployments.

The Cisco AsyncOS vulnerability has been actively exploited since late November 2025 by UAT-9686, a China-linked advanced persistent threat group with tooling overlaps to APT41 and UNC5174. Cisco Talos identified the exploitation campaign on December 10, 2025, during an investigation of a TAC support case. Attackers leverage the Cisco zero-day vulnerability for initial access and then deploy a tailored malware toolkit designed for stealth and long-term appliance control.

Post-exploitation activity following successful Cisco AsyncOS exploitation includes the deployment of AquaShell, a Python-based web backdoor that provides persistent remote access to compromised Cisco appliances. The threat actor also deploys AquaTunnel, a Go-based reverse SSH tunneling tool that enables command-and-control communications and lateral movement capabilities. AquaPurge, a log-clearing utility, is used to destroy forensic evidence and cover tracks on compromised Cisco systems. Additionally, attackers deploy Chisel, an HTTP tunneling tool that provides alternative command-and-control channels. These malware components provide persistence, command-and-control, lateral movement capabilities, and anti-forensic functionality on compromised Cisco email security appliances.

Cisco has stated that these persistence mechanisms deployed by UAT-9686 cannot be reliably removed through standard remediation procedures, and that full appliance rebuilds from clean images are required to eradicate confirmed compromises of Cisco AsyncOS systems.

As of December 19, 2025, no official patch is available for CVE-2025-20393, and Cisco’s security advisory remains at Version 1.0 (Interim status). The Cisco AsyncOS vulnerability affects all versions of Cisco AsyncOS running on both physical and virtual appliances. CISA added the critical Cisco zero-day to its Known Exploited Vulnerabilities catalog on December 17, 2025, with a remediation deadline of December 24, 2025 for federal agencies. Organizations must rely on network-level mitigations for the Cisco vulnerability, including removing internet exposure to the Spam Quarantine interface, enforcing strict firewall controls, separating mail and management interfaces, and exporting logs to external systems to support detection and forensic analysis.

Recommendations

Immediate Actions to Mitigate Cisco AsyncOS Zero-Day Risk

Restrict Spam Quarantine Interface Access: Immediately remove or block internet access to the Spam Quarantine web interface on all Cisco Secure Email Gateway and SEWM appliances. Configure firewall rules to allow connections only from trusted internal IP addresses. This is the most critical mitigation for the Cisco AsyncOS vulnerability as the zero-day requires the interface to be internet-exposed for remote exploitation.

Implement Network Segmentation: Deploy Cisco Secure Email Gateway and SEWM appliances behind dedicated filtering firewalls. Separate mail processing and management functions onto different network interfaces for Cisco email security products. This limits attacker lateral movement and reduces the attack surface if compromise of Cisco AsyncOS systems occurs through the zero-day vulnerability.

Hunt for Indicators of Compromise: Monitor network traffic for connections to known C2 infrastructure associated with UAT-9686 exploitation of the Cisco zero-day. Check file integrity of /data/web/euq_webui/htdocs/index.py for unauthorized modifications indicating AquaShell web backdoor deployment. Investigate any unusual outbound SSH connections from Cisco email appliances that could indicate AquaTunnel reverse SSH tunneling activity.

Enable External Log Forwarding: Configure log export to external SIEM or syslog servers immediately on all Cisco AsyncOS appliances. UAT-9686 deploys AquaPurge to clear local logs and destroy forensic evidence of Cisco zero-day exploitation. External log storage ensures attack artifacts from CVE-2025-20393 exploitation are preserved for incident response and investigation.
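To make the two hunting steps above concrete (file-integrity check of the AquaShell path and review of externally forwarded logs for C2 traffic), here is an added example script, not part of the advisory and not Cisco or Hive Pro code. It assumes you have pulled a copy of index.py off the appliance and hold a known-good SHA256 from a clean image (baseline_sha256 is an assumed input), and it runs over constructed sample log lines in the syslog-like form a SIEM might receive.

```python
import hashlib
import re
from pathlib import Path

# IoCs as listed in this advisory.
IOC_SHA256 = {
    "2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef",
    "145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca",
    "85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc",
}
IOC_C2_IPS = {"172.233.67.176", "172.237.29.147", "38.54.56.95"}
WEBSHELL_PATH = "/data/web/euq_webui/htdocs/index.py"

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_file_integrity(data: bytes, baseline_sha256: str) -> dict:
    """Compare a retrieved copy of index.py against a trusted baseline digest
    (assumed to come from a clean appliance image) and against the IoC hashes."""
    digest = sha256_of(data)
    return {
        "digest": digest,
        "matches_baseline": digest == baseline_sha256,
        "matches_known_malware": digest in IOC_SHA256,
    }


def check_file_on_disk(path: str, baseline_sha256: str) -> dict:
    """Convenience wrapper for a file copied off the appliance."""
    return check_file_integrity(Path(path).read_bytes(), baseline_sha256)


def scan_log_lines(lines):
    """Return (line_number, ip) for every forwarded log line mentioning a C2 IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in IOC_C2_IPS:
                hits.append((n, ip))
    return hits


# Constructed sample lines (not real AsyncOS output): an outbound SSH session
# and a firewall egress record, both toward listed C2 addresses.
SAMPLE_LOGS = [
    "Dec 12 03:14:07 seg01 sshd[2211]: Connection to 38.54.56.95 port 22 established",
    "Dec 12 03:14:09 seg01 euq_webui: GET /index.py from 10.0.5.21",
    "Dec 12 03:15:02 seg01 firewall: OUT TCP 10.0.5.9 -> 172.237.29.147:443",
]
```

Run scan_log_lines over your exported syslog/SIEM data and check_file_on_disk against the path in WEBSHELL_PATH; a baseline mismatch with no IoC hash match still warrants investigation, since the listed hashes cover only known samples.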

Rebuild Confirmed Compromised Appliances: If exploitation of the Cisco AsyncOS vulnerability is detected, perform a complete appliance rebuild from clean images. Standard remediation procedures will not remove UAT-9686 persistence mechanisms including AquaShell web backdoor and AquaTunnel SSH tunneling tool deployed following Cisco zero-day exploitation.

Indicators of Compromise (IoCs)

Cisco AsyncOS Zero-Day Exploitation Indicators

SHA256 Hashes Associated with UAT-9686 Malware:

  • 2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef
  • 145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca
  • 85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc

IPv4 Addresses Associated with UAT-9686 C2 Infrastructure:

  • 172.233.67.176
  • 172.237.29.147
  • 38.54.56.95

File Path Indicator:

  • /data/web/euq_webui/htdocs/index.py (AquaShell web backdoor location)

MITRE ATT&CK TTPs

Cisco AsyncOS Vulnerability Exploitation Tactics and Techniques

Resource Development:

  • T1588: Obtain Capabilities – Acquiring Cisco zero-day vulnerability information
  • T1588.005: Exploits – Developing exploitation tools for CVE-2025-20393
  • T1588.006: Vulnerabilities – Obtaining knowledge of Cisco AsyncOS vulnerability

Initial Access:

  • T1190: Exploit Public-Facing Application – Exploiting internet-exposed Cisco Spam Quarantine interface

Execution:

  • T1059: Command and Scripting Interpreter – Executing arbitrary commands via Cisco zero-day
  • T1059.006: Python – Running AquaShell Python-based web backdoor
  • T1203: Exploitation for Client Execution – Leveraging Cisco AsyncOS vulnerability for code execution

Persistence:

  • T1505: Server Software Component – Deploying AquaShell web backdoor on Cisco appliances
  • T1505.003: Web Shell – Installing persistent web shell on compromised Cisco systems

Defense Evasion:

  • T1070: Indicator Removal – Using AquaPurge to clear evidence
  • T1070.002: Clear Linux or Mac System Logs – Destroying Cisco appliance logs
  • T1027: Obfuscated Files or Information – Obfuscating malware components
  • T1140: Deobfuscate/Decode Files or Information – Decoding malicious payloads

Privilege Escalation:

  • T1068: Exploitation for Privilege Escalation – Achieving root privileges via Cisco zero-day vulnerability

Command and Control:

  • T1090: Proxy – Using Chisel for HTTP tunneling
  • T1572: Protocol Tunneling – Deploying AquaTunnel for reverse SSH tunneling
  • T1095: Non-Application Layer Protocol – Using non-standard protocols for C2
