Cisco fixes AsyncOS vulnerability exploited in zero-day attacks (CVE-2025-20393)
Cisco has finally shipped security updates for its Email Security Gateway and Secure Email and Web Manager devices, which fix CVE-2025-20393, a vulnerability in the devices’ AsyncOS that has been exploited as a zero-day by suspected Chinese attackers since at least late November 2025.
The company revealed the flaw’s existence and in-the-wild exploitation on December 17, 2025, and urged customers to check whether their appliances had been breached and to rebuild them in case of confirmed compromise.
CVE-2025-20393 exploitation
“[CVE-2025-20393] is due to insufficient validation of HTTP requests by the Spam Quarantine feature. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device,” Cisco explained.
“This attack allows the [unauthenticated] threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.”
Cisco Talos researchers found that attackers installed on “a limited subset of appliances” a custom-made Python backdoor (AquaShell), a log-purging tool (AquaPurge), a reverse SSH backdoor (AquaTunnel), and an open-source tunneling tool used for proxying traffic (Chisel).
The attackers were able to compromise only appliances that had the Spam Quarantine feature enabled and reachable from the internet.
Cisco still hasn’t disclosed how many systems were affected, though it stressed that the Spam Quarantine feature is not enabled by default.
Fixes finally available
In December, the US Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog and ordered US federal civilian agencies to address CVE-2025-20393 using Cisco-provided mitigations.
Now, those agencies – and other Cisco customers – must apply the newly released security updates.
Cisco Email Security Gateway appliances should be upgraded to AsyncOS v15.0.5-016 or later, 15.5.4-012 or later, or 16.0.4-016 or later.
Secure Email and Web Manager devices should be upgraded to AsyncOS v15.0.2-007 or later, 15.5.4-007 or later, or 16.0.4-010 or later.
The devices will automatically reboot after the upgrade.
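The fixed builds above are listed per release train, so an inventory check has to compare a running version against the minimum for its own train rather than against a single number. The following script is an added example, not Cisco's code or tooling: it takes the six fixed versions from this article, parses AsyncOS version strings of the form "15.0.5-016" (the version format is Cisco's; the parsing and the "esa"/"sma" product labels are this example's assumptions), and sorts a constructed inventory into fixed, vulnerable, and needs-review buckets. Trains the advisory does not list (for example a 14.x build) are flagged for review rather than guessed at, since the article says nothing about them.

```python
"""Triage AsyncOS appliance versions against the CVE-2025-20393 fixed builds.

Added example, not Cisco's code. Fixed versions are the ones named in the
article; product labels and the parsing logic are assumptions of this example.
"""
from __future__ import annotations

import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed build per product and release train, as listed in the article.
FIXED_VERSIONS: Dict[str, Dict[Tuple[int, int], str]] = {
    "esa": {  # Cisco Email Security Gateway
        (15, 0): "15.0.5-016",
        (15, 5): "15.5.4-012",
        (16, 0): "16.0.4-016",
    },
    "sma": {  # Cisco Secure Email and Web Manager
        (15, 0): "15.0.2-007",
        (15, 5): "15.5.4-007",
        (16, 0): "16.0.4-010",
    },
}

# AsyncOS builds look like "major.minor.patch-build", e.g. "15.0.5-016".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn "15.0.5-016" into a tuple (15, 0, 5, 16) that compares numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version string: {version!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch, build)


def is_fixed(product: str, version: str) -> Optional[bool]:
    """True if `version` is at or above the fixed build for its release train,
    False if it is below it, None if the train is not one the advisory lists
    (left for manual review rather than assumed safe or vulnerable)."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS[product].get((v[0], v[1]))
    if fixed is None:
        return None
    return v >= parse_version(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group (hostname, product, version) records into fixed/vulnerable/review."""
    result: Dict[str, List[str]] = {"fixed": [], "vulnerable": [], "review": []}
    for host, product, version in inventory:
        state = is_fixed(product, version)
        bucket = "review" if state is None else ("fixed" if state else "vulnerable")
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and running versions are made up.
    sample = [
        ("esa-01.example", "esa", "15.0.5-016"),
        ("esa-02.example", "esa", "15.5.3-020"),
        ("sma-01.example", "sma", "16.0.4-010"),
        ("sma-02.example", "sma", "14.3.0-032"),
    ]
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Because the comparison is done per train, a host on 15.5.3-020 is reported vulnerable even though 15.5.3 is numerically above the 15.0.5 fix for the 15.0 train; feeding it the wrong product label would apply the wrong thresholds, so the product column should come from inventory data rather than be inferred from the version.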
“The fix addresses the vulnerability used by threat actors and clears the persistence mechanisms that were identified in this attack campaign and installed on the appliances,” Cisco added, and advised organizations to additionally harden their devices.