Cisco Urges Immediate Action Against Unpatched AsyncOS Zero-Day Attacks
Cisco Warns of Unpatched Zero-Day Exploited in Secure Email Gateway Appliances
Cisco has alerted customers about a critical zero-day vulnerability in Cisco AsyncOS that is being actively exploited in attacks targeting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances.
The unpatched zero-day, identified as CVE-2025-20393, specifically impacts Cisco SEG and Cisco SEWM appliances with non-standard configurations when the Spam Quarantine feature is enabled and exposed on the Internet.
According to Cisco Talos, the threat intelligence research team at Cisco, attacks exploiting this vulnerability are believed to be orchestrated by a Chinese threat group known as UAT-9686. The attackers are leveraging the security flaw to execute arbitrary commands with root access and deploy various malware implants such as AquaShell persistent backdoors, AquaTunnel, Chisel reverse SSH tunnel, and AquaPurge log-clearing tool.
Previous malicious activities involving AquaTunnel and related tools have been linked to other Chinese state-backed hacking groups like UNC5174 and APT41.
Cisco Talos stated in an advisory that they assess with moderate confidence that the threat actor UAT-9686 is a Chinese-nexus advanced persistent threat (APT) actor. The tactics, techniques, and infrastructure used by UAT-9686 align with those of other Chinese threat groups.
The attacks exploiting this zero-day were first detected on December 10, with evidence suggesting that the campaign has been active since late November 2025.
Protecting Vulnerable Appliances
While Cisco is working on security updates to address the zero-day vulnerability, administrators are advised to secure and restrict access to vulnerable appliances. Recommendations include limiting internet exposure, restricting connections to trusted hosts, and placing appliances behind firewalls for traffic filtering.
Additional measures include segregating mail-handling and management functions, monitoring web logs for unusual activities, and retaining logs for potential investigations.
It is also recommended to disable unnecessary services, keep systems updated with the latest Cisco AsyncOS software, implement strong authentication methods like SAML or LDAP, change default passwords, and use SSL or TLS certificates for securing management traffic.
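As an added illustration of the "restrict to trusted hosts" and "monitor web logs" guidance above (example code, not Cisco's or Talos's), the following audits web-access log lines for Spam Quarantine requests that arrive from outside an allowlist of trusted networks. The log format, the `/euq/` path prefix and the sample addresses are all constructed assumptions for the example, not the appliance's real log layout.

```python
import ipaddress
import re
from collections import Counter

# Networks from which the Spam Quarantine web UI may legitimately be reached.
# Constructed for this example; replace with the real management ranges.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.50.0/24")]

# Constructed log lines in a hypothetical "client-ip method path status" format
# (not AsyncOS's real log layout). The Spam Quarantine UI is assumed to live
# under a "/euq/" path prefix purely for illustration.
SAMPLE_LOG = """\
10.1.2.3 GET /euq/login 200
192.168.50.7 POST /euq/search 200
203.0.113.45 GET /euq/login 200
203.0.113.45 POST /euq/search 500
198.51.100.9 GET /favicon.ico 404
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
QUARANTINE_PREFIX = "/euq/"  # assumed path prefix, see comment above

def is_trusted(ip: str) -> bool:
    """Return True if the client address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def flag_untrusted_quarantine_hits(log_text: str) -> list[dict]:
    """Return one record per Spam Quarantine request from a non-trusted source.

    If access is restricted to trusted hosts as advised, these requests should
    not exist at all; each one is a candidate for investigation.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ip, method, path, status = m.groups()
        if path.startswith(QUARANTINE_PREFIX) and not is_trusted(ip):
            hits.append({"ip": ip, "method": method, "path": path, "status": int(status)})
    return hits

def summarize_by_source(hits: list[dict]) -> dict[str, int]:
    """Count untrusted quarantine requests per source address for triage."""
    return dict(Counter(h["ip"] for h in hits))

if __name__ == "__main__":
    found = flag_untrusted_quarantine_hits(SAMPLE_LOG)
    for h in found:
        print(f"untrusted quarantine access: {h}")
    print(summarize_by_source(found))
```

Because the campaign reportedly deploys a log-clearing tool, run this kind of check against log copies forwarded to a separate collector rather than only against the appliance's own files.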
Cisco urges customers to reach out to the Cisco Technical Assistance Center (TAC) if they suspect their appliances have been compromised. Following the guidance provided in the security advisory is strongly advised to mitigate risks effectively.
If appliances are found to be exposed to the internet, Cisco recommends a detailed process to restore them to a secure state. In cases where restoration is not feasible, contacting TAC to assess compromise and potentially rebuilding the appliances is the recommended course of action.