
Cisco Patches AsyncOS Zero-Day Exploited by Chinese APT Since November

CVE-2025-20393 (CVSS 10.0) fixed after China-linked UAT-9686 deployed backdoors on Secure Email Gateway appliances.


TechDrop Editorial


Cisco released patches on January 16 for CVE-2025-20393, a maximum-severity zero-day vulnerability in AsyncOS that Chinese threat actors had been exploiting since November 2025 to deploy backdoors on Secure Email Gateway appliances.

Vulnerability Details

The vulnerability, carrying a CVSS score of 10.0, is a remote command execution flaw arising from insufficient validation of HTTP requests by the Spam Quarantine feature. It affects Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances when the Spam Quarantine feature is enabled and exposed to the internet.

Threat Actor Activity

Cisco Talos identified a Chinese threat group tracked as UAT-9686 behind the attacks. The group weaponized the vulnerability to deploy AquaShell persistent backdoors, AquaTunnel and Chisel reverse SSH tunnel implants, and a log-clearing tool named AquaPurge. These tools have been linked to other Chinese state-backed groups including UNC5174 and APT41.

Timeline

Exploitation began in late November 2025. Cisco became aware of the campaign on December 10, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on December 17, ordering federal agencies to apply mitigations by December 24.

Remediation

Cisco Secure Email Gateway appliances should be upgraded to AsyncOS v15.0.5-016 or later, 15.5.4-012 or later, or 16.0.4-016 or later. The fix addresses the vulnerability and clears persistence mechanisms installed by the attackers.
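Because the fixed builds are split across three release trains, a plain string comparison misjudges versions such as 15.0.10-001. The script below is an added example, not code from Cisco or this article: it parses AsyncOS version strings of the form major.minor.patch-build, picks the fixed build for the appliance's train from the three versions quoted above, and classifies each appliance in a constructed inventory. The inventory records, the hostnames and the spam_quarantine_exposed flag are assumptions for illustration; trains not named in the article are reported as unknown rather than guessed.

```python
import re
from typing import Dict, List, Tuple

# Fixed AsyncOS builds named in the advisory coverage, keyed by release train (major, minor).
FIXED_RELEASES: Dict[Tuple[int, int], str] = {
    (15, 0): "15.0.5-016",
    (15, 5): "15.5.4-012",
    (16, 0): "16.0.4-016",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '15.0.5-016' into (15, 0, 5, 16) so comparisons are numeric, not lexical."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised AsyncOS version string: {text!r}")
    major, minor, patch, build = (int(g) for g in match.groups())
    return (major, minor, patch, build)


def assess(version: str, spam_quarantine_exposed: bool) -> str:
    """Classify one appliance against the fixed build for its release train.

    Returns one of: 'patched', 'vulnerable-exposed', 'vulnerable-not-exposed',
    'unknown-train'. Exposure of Spam Quarantine to the internet is the
    condition the article gives for the flaw being reachable.
    """
    parsed = parse_version(version)
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        # Release train not covered by the article; do not guess, escalate for manual review.
        return "unknown-train"
    if parsed >= parse_version(fixed):
        return "patched"
    return "vulnerable-exposed" if spam_quarantine_exposed else "vulnerable-not-exposed"


def assess_inventory(records: List[dict]) -> Dict[str, str]:
    """Map hostname -> status for a list of {'host', 'version', 'spam_quarantine_exposed'} dicts."""
    return {r["host"]: assess(r["version"], r["spam_quarantine_exposed"]) for r in records}


# Constructed sample inventory (hypothetical hosts and versions, not real appliances).
SAMPLE_INVENTORY = [
    {"host": "esa-01.example.test", "version": "15.0.4-020", "spam_quarantine_exposed": True},
    {"host": "esa-02.example.test", "version": "15.0.10-001", "spam_quarantine_exposed": True},
    {"host": "esa-03.example.test", "version": "15.5.4-012", "spam_quarantine_exposed": False},
    {"host": "esa-04.example.test", "version": "16.0.3-999", "spam_quarantine_exposed": False},
    {"host": "esa-05.example.test", "version": "16.1.0-001", "spam_quarantine_exposed": True},
]

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:24} {status}")
```

A "patched" result only tells you the running build is at or beyond the fixed one; appliances that were exposed before the upgrade still warrant a review of the persistence indicators Cisco Talos describes, since the version number says nothing about whether a backdoor was dropped earlier.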
