Cisco Systems has recently confirmed the ongoing exploitation of a critical zero-day vulnerability found in its Secure Email Gateway and Secure Email and Web Manager appliances. This vulnerability, cataloged as CVE-2025-20393, permits unauthenticated attackers to execute arbitrary root-level commands by sending crafted HTTP requests to the Spam Quarantine feature.
"The flaw is a result of insufficient validation of HTTP requests within the Spam Quarantine feature of Cisco AsyncOS Software," said Cisco in an official statement. The vulnerability, classified under CWE-20 for Improper Input Validation, has been assigned the highest possible CVSSv3.1 base score of 10.0, reflecting its potential severity due to factors like network accessibility and low complexity.
Exploitation generally targets appliances on which the Spam Quarantine feature is enabled and exposed to the internet; the feature usually listens on port 6025. Cisco's deployment guidance discourages this configuration, and it is not enabled by default.
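Because the article ties exploitation to appliances whose Spam Quarantine listener is reachable from the internet, the one check most administrators want is whether their own perimeter rules allow that. The script below is an added example written for this page, not Cisco code or a Cisco tool: it walks a constructed, first-match-wins rule list (the rule format, the `SAMPLE_RULES` and `HARDENED_RULES` sets, and the RFC 5737 documentation addresses used as stand-ins for arbitrary internet hosts are all assumptions of the example) and reports which rule lets a public source reach TCP 6025.

```python
"""Added example (not from Cisco or the article): simulate an ordered
firewall/ACL rule list to see whether the Spam Quarantine listener on
TCP 6025 is reachable from the public internet."""
import ipaddress

SPAM_QUARANTINE_PORT = 6025  # port named in the article for the Spam Quarantine listener

# Constructed sample rulesets (not real Cisco configuration). First match wins.
# Each rule is (source CIDR, destination port or "any", action).
SAMPLE_RULES = [
    ("10.0.0.0/8", 6025, "allow"),
    ("0.0.0.0/0", 6025, "allow"),  # this rule exposes the quarantine to the internet
    ("0.0.0.0/0", "any", "deny"),
]

HARDENED_RULES = [
    ("10.0.0.0/8", 6025, "allow"),  # internal users only
    ("0.0.0.0/0", 6025, "deny"),    # explicit deny for everyone else
    ("0.0.0.0/0", "any", "deny"),
]

# Constructed probe addresses from RFC 5737 documentation ranges; they stand in
# for "an arbitrary internet host" when evaluating the rules.
PUBLIC_PROBES = ("203.0.113.5", "198.51.100.7")


def first_match(rules, src_ip, dst_port):
    """Return (rule_index, action) of the first rule matching src_ip/dst_port.

    If nothing matches, return (None, "deny") to model an implicit default deny.
    """
    src = ipaddress.ip_address(src_ip)
    for idx, (cidr, port, action) in enumerate(rules):
        in_range = src in ipaddress.ip_network(cidr, strict=False)
        if in_range and port in ("any", dst_port):
            return idx, action
    return None, "deny"


def internet_exposure(rules, port=SPAM_QUARANTINE_PORT):
    """Return [(probe_ip, rule_index), ...] for every public probe allowed to reach port."""
    hits = []
    for probe in PUBLIC_PROBES:
        idx, action = first_match(rules, probe, port)
        if action == "allow":
            hits.append((probe, idx))
    return hits


def report(rules, label):
    """Print a human-readable finding for one ruleset and return the raw hits."""
    hits = internet_exposure(rules)
    if hits:
        for probe, idx in hits:
            print(f"[{label}] TCP {SPAM_QUARANTINE_PORT} reachable from {probe} "
                  f"via rule #{idx}: {rules[idx]}")
    else:
        print(f"[{label}] TCP {SPAM_QUARANTINE_PORT} not reachable from public probes")
    return hits


if __name__ == "__main__":
    report(SAMPLE_RULES, "exposed")
    report(HARDENED_RULES, "hardened")
```

The exposed ruleset is flagged at rule #1, the hardened one produces no hits. To reuse the check against a real ruleset, export the perimeter ACL into the same (CIDR, port, action) tuples; the evaluation order must match the device's own first-match semantics for the result to be meaningful.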
Cisco first became aware of the vulnerability's active exploitation on December 10, 2025, although evidence suggests that attacks may have been occurring since as early as November 2025. According to Cisco Talos, the advanced persistent threat group UAT-9686, also known as UNC-9686, is believed to be behind these exploitations. "Our analysis shows overlaps in tooling that link this group to other known entities like APT41 and UNC5174," noted cybersecurity analysts from Cisco Talos.
The attackers are reportedly using a Python-based backdoor, AquaShell, to maintain persistent access to compromised systems. They further utilize tools such as AquaTunnel and Chisel for internal network pivoting and AquaPurge for log clearing, as part of their efforts to evade detection. Their primary targets appear to be in the telecommunications and critical infrastructure sectors, with a strategic focus on espionage rather than traditional ransomware attacks.
In response to this threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog on December 17, 2025, and mandated that all federal agencies implement mitigations by December 24, 2025. Although no public proof-of-concept exploit was available as of early January 2026, reports indicate a surge in automated scanning activity targeting this vulnerability.
Cisco has outlined specific indicators of compromise associated with the exploit, including mechanisms for implant persistence that facilitate unauthorized backdoor access. "It's crucial for organizations to proactively verify their status against these compromises with the assistance of our Technical Assistance Center (TAC), especially with remote access capabilities enabled," emphasized Cisco.
In light of this situation, Cisco has released patches that fix the vulnerability and remove the known persistence mechanisms. Cisco also cautioned that no workarounds are available, and urged administrators to apply the updates promptly.