PT-2025-51842 · Cisco · Cisco Secure Email Gateway
Published 2025-12-17 · Updated 2026-02-21 · CVE-2025-20393
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Cisco AsyncOS versions prior to the fix for CVE-2025-20393
Cisco Secure Email Gateway (SEG) versions prior to the fix for CVE-2025-20393
Cisco Secure Email and Web Manager (SEWM) versions prior to the fix for CVE-2025-20393
Description
Cisco AsyncOS software, used in Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager (SEWM) appliances, contains a critical improper input validation vulnerability (CVE-2025-20393) with a CVSS score of 10.0. An unauthenticated, remote attacker can exploit it to execute arbitrary commands with root privileges on an affected appliance. The vulnerability is actively exploited in the wild by a China-linked threat actor tracked as UAT-9686, which has been observed deploying AquaShell (a Python backdoor), AquaTunnel, Chisel and AquaPurge for persistence, tunneling and log manipulation. Successful exploitation gives the attacker full control of the appliance, which can enable long-term surveillance, credential access and use of the appliance as a pivot point for further compromise. The vulnerability is exploitable when the Spam Quarantine feature is enabled and reachable from the internet.
Recommendations
Apply the security updates released by Cisco to address CVE-2025-20393.
If the Spam Quarantine feature is enabled, restrict internet access to the appliance.
Review and restrict administrative access to the appliance.
Rotate credentials and keys.
Monitor logs for anomalous activity.
If compromise is suspected, rebuild the affected appliance.
Disable the Spam Quarantine feature if it is not essential.
Fix
RCE
Related Identifiers
Affected Products
Cisco Secure Email Gateway