New Actively Exploited CVSS 10 Flaw in Cisco AsyncOS Spam Quarantine Remote Access

A new maximum-severity zero-day vulnerability in Cisco AsyncOS was disclosed on an emergency basis on Wednesday, December 17th. Cisco states that the flaw, tracked as CVE-2025-20393, has been actively exploited in the wild by Chinese-nexus APT actors since late November 2025, and that the vendor had been aware of the activity for at least a week before disclosure. Exploitation is limited to AsyncOS configurations with Spam Quarantine enabled and exposed for remote access. No patch is yet available from the vendor.

The OPENVAS ENTERPRISE FEED now includes remote version detection checks for CVE-2025-20393. A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their IT infrastructure for emerging threats, including CVE-2025-20393.


CVE-2025-20393 (CVSS 10) is a critical vulnerability in Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager (SEWM) appliances running Cisco AsyncOS when the Spam Quarantine feature [1][2] is both enabled and internet-accessible. Cisco’s official advisory and the Talos blog post describe the known exploit campaign but contain only sparse technical details about the vulnerability itself. CVE-2025-20393 is classified as an improper input validation [CWE-20] flaw and reportedly allows unauthenticated attackers to achieve root-level remote code execution (RCE).

On December 17th, Cisco announced that it had been aware of exploitation since December 10th and that the attacks likely began in late November. Notably, once the EU’s Cyber Resilience Act (CRA) reporting obligations come into force in September 2026, known actively exploited vulnerabilities must be reported to ENISA within 24 hours. Talos attributes the attacks to a cyberespionage campaign by the Chinese-nexus APT cluster UAT-9686; however, no public references to UAT-9686 existed before the exploitation of CVE-2025-20393.

CISA immediately added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) list. Germany’s BSI and Canada’s Centre for Cyber Security have issued emergency alerts [3][4]. No ransomware activity has been reported and PoC exploit code is not yet publicly available for CVE-2025-20393.

The Spam Quarantine feature retains messages classified as spam rather than deleting them automatically, so that administrators and end users can review suspected spam for false positives. Although Spam Quarantine is not enabled by default on Cisco appliances, the setup guides for SEG and SEWM include clear instructions for enabling it and configuring remote access [1][2]. Remote access lets administrators and end users review and manage quarantined messages through a web interface, which is typically enabled on TCP port 82 for HTTP and TCP port 83 for HTTPS.

Cisco Products Affected by CVE-2025-20393

According to the vendor advisory, all versions of Cisco AsyncOS are affected by CVE-2025-20393:

  • Cisco Secure Email Gateway (SEG): Both physical appliances and virtual appliances are affected. The SEG was previously named the Cisco Email Security Appliance (ESA) [1].
  • Cisco Secure Email and Web Manager (SEWM): Both physical appliances and virtual appliances are affected. The SEWM device was previously named the Content Security Management Appliance (SMA) [2].

CVE-2025-20393 is only exploitable when the IP interface for remote browser access to the Spam Quarantine feature has been enabled.

Mitigating Attacks Against CVE-2025-20393

No patch is currently available for CVE-2025-20393. Users who have enabled Spam Quarantine must either disable the feature or apply workaround mitigations until a patch is released. These compensating measures include:

  • Ensuring the Spam Quarantine web interface is not exposed to the public internet.
  • Restricting access to the interface with strict firewall and ACL rules that permit only authorised source IP addresses.
  • If compromise is suspected, Cisco indicates that rebuilding the appliance from a known-good image is the only effective way to remove the attacker’s persistent foothold, since the malware survives configuration changes. If a complete rebuild is not possible, Cisco recommends contacting TAC.
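The two network-level measures above reduce to one check: is any Spam Quarantine listener (typically TCP 82 and 83, as described in the feature section) reachable from a source outside the administrator allow-list? The following audit script is an added example, not Cisco’s, Greenbone’s or the advisory’s own code. The only facts it takes from the text are the two ports and the precondition that remote browser access to Spam Quarantine must be enabled for the flaw to be exploitable. The appliance inventory and firewall rules are constructed for illustration using documentation-range addresses, and the rule model (ordered entries, first match wins, default deny) is an assumption that matches most firewall ACLs.

```python
"""Audit whether AsyncOS Spam Quarantine web interfaces are reachable from
outside an approved administrator allow-list.

Added example (not vendor code). Facts from the text: ports 82/83 and the
remote-browser-access precondition. Rule semantics (ordered, first match
wins, default deny) and all sample data are assumptions/constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Ports the Spam Quarantine web interface typically listens on (from the text).
SPAM_QUARANTINE_PORTS = (82, 83)


@dataclass(frozen=True)
class Rule:
    """One ordered ACL entry. src/dst are CIDRs; action is 'allow' or 'deny'."""
    action: str
    src: str
    dst: str
    port: int


@dataclass(frozen=True)
class Appliance:
    """An SEG/SEWM appliance and whether its Spam Quarantine IP interface for
    remote browser access is enabled (the precondition for exploitation)."""
    name: str
    ip: str
    spam_quarantine_remote_access: bool


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def unapproved_allows(rules: List[Rule], appliance: Appliance, port: int,
                      approved: List[str]) -> List[Rule]:
    """Return allow rules that open appliance:port to a source range not
    wholly inside one of the approved admin networks.

    First-match semantics: an allow is skipped only if an earlier deny for the
    same destination/port fully covers its source range. A deny covering only
    part of the allow's range leaves the rest exposed, so that allow is still
    reported (conservative choice).
    """
    dst = ipaddress.ip_address(appliance.ip)
    approved_nets = [_net(a) for a in approved]
    earlier_denies: List[ipaddress.IPv4Network] = []
    findings: List[Rule] = []
    for rule in rules:
        if rule.port != port or dst not in _net(rule.dst):
            continue
        src = _net(rule.src)
        if rule.action == "deny":
            earlier_denies.append(src)
            continue
        if any(src.subnet_of(d) for d in earlier_denies):
            continue  # shadowed by an earlier deny: never reached
        if not any(src.subnet_of(a) for a in approved_nets):
            findings.append(rule)
    return findings


def audit(appliances: List[Appliance], rules: List[Rule],
          approved: List[str]) -> List[Tuple[str, int, str]]:
    """Report (appliance, port, source CIDR) for every unapproved exposure of
    a Spam Quarantine port. Appliances without remote browser access enabled
    are skipped because the flaw is not exploitable on them."""
    exposures = []
    for appliance in appliances:
        if not appliance.spam_quarantine_remote_access:
            continue
        for port in SPAM_QUARANTINE_PORTS:
            for rule in unapproved_allows(rules, appliance, port, approved):
                exposures.append((appliance.name, port, rule.src))
    return exposures


# Constructed sample data (documentation-range addresses, not real hosts).
APPROVED_ADMIN_NETS = ["10.20.30.0/24", "192.168.5.0/24"]

APPLIANCES = [
    Appliance("seg-dmz-1", "203.0.113.10", True),   # reachable from anywhere
    Appliance("seg-int-1", "10.50.0.10", True),     # one rule wider than approved
    Appliance("sewm-1", "10.50.0.20", False),       # remote access off: not exploitable
]

RULES = [
    Rule("allow", "10.20.30.0/24",   "10.50.0.10/32",   82),
    Rule("allow", "10.20.30.0/24",   "10.50.0.10/32",   83),
    Rule("allow", "10.0.0.0/8",      "10.50.0.10/32",   82),  # wider than the allow-list
    Rule("deny",  "198.51.100.0/24", "203.0.113.10/32", 82),  # partial deny, not a fix
    Rule("allow", "0.0.0.0/0",       "203.0.113.10/32", 82),
    Rule("allow", "0.0.0.0/0",       "203.0.113.10/32", 83),
    Rule("allow", "0.0.0.0/0",       "10.50.0.20/32",   82),  # harmless: remote access disabled
]

if __name__ == "__main__":
    for name, port, src in audit(APPLIANCES, RULES, APPROVED_ADMIN_NETS):
        print(f"{name}: tcp/{port} reachable from {src} (outside admin allow-list)")
```

Running the script on the constructed data flags the DMZ gateway on both ports and the internal gateway on port 82 (the 10.0.0.0/8 allow is broader than the approved 10.20.30.0/24), while the SEWM with remote access disabled is ignored even though its rule is permissive. A partial deny ahead of a wide allow is deliberately not treated as a fix; only a deny that fully covers the allow's source range suppresses the finding.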

After breaching a device, attackers deployed persistent backdoors [TA0003], established covert remote access [TA0011] and employed defence evasion techniques [TA0005]. Cisco reports that CVE-2025-20393 is being used to deploy the AquaShell persistence malware, the AquaTunnel and Chisel reverse tunnelling tools, and the AquaPurge log-clearing utility. The Aqua-branded malware families had not been publicly documented by security researchers before this campaign. Cisco has released Indicators of Compromise (IoCs) for the observed attacks.

Summary

On Wednesday, December 17th, Cisco made an emergency disclosure of CVE-2025-20393, a maximum-severity, actively exploited zero-day affecting Cisco Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances that have Spam Quarantine both enabled and exposed. The flaw enables unauthenticated root-level RCE. Cisco Talos has attributed the observed exploitation to Chinese-nexus espionage activity.

With no patch available, immediate compensating mitigation is critical. Greenbone’s OPENVAS ENTERPRISE FEED added detection for CVE-2025-20393 within 24 hours of its public disclosure. A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their IT infrastructure for emerging threats, including CVE-2025-20393. Once affected devices have been identified, mitigation depends on either disabling the Spam Quarantine feature entirely or restricting access to its web interface until a patch becomes available.