Full Report
No timeline for a patch

Suspected Chinese-government-linked threat actors have been battering a maximum-severity Cisco AsyncOS zero-day vulnerability in some Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances for nearly a month, and there's no timeline for a fix.…
Analysis Summary
# Vulnerability: Cisco AsyncOS Zero-Day Allowing Root Command Execution
## CVE Details
- CVE ID: CVE-2025-20393
- CVSS Score: Maximum severity (the specific numeric score is not provided in the report)
- CWE: N/A
## Affected Systems
- Products: Cisco Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances (Both physical and virtual).
- Versions: Specific vulnerable versions are not detailed; exposure is limited to appliances running a non-standard configuration in which the Spam Quarantine feature is enabled and exposed to the internet.
- Configurations: Affected when the Spam Quarantine feature is enabled *and* exposed to the internet.
## Vulnerability Description
This is a zero-day vulnerability that allows threat actors to execute arbitrary commands with **root privileges** on the underlying operating system of an affected appliance. The exploitation targets appliances configured in a non-standard manner, specifically those where the Spam Quarantine feature is internet-facing.
## Exploitation
- Status: **Exploited in the wild** (Attacks ongoing since late November 2025).
- Complexity: Not stated; sustained exploitation by a suspected state-linked APT group implies it is low enough to be practical.
- Attack Vector: Network (Attacks target internet-facing appliances).
## Impact
- Confidentiality: High (Root-level access gained)
- Integrity: High (Root-level access gained)
- Availability: High (Implied, due to persistence mechanisms and context of the attack)
**Observed Post-Exploitation Activity:** Attackers deploy the AquaShell Python-based backdoor, AquaTunnel (reverse SSH), chisel (tunneling tool), and AquaPurge (log-clearing utility).
## Remediation
### Patches
- None currently available; Cisco is actively developing a permanent fix, with **no timeline provided** as of the report date.
### Workarounds
- Customers are strongly urged to follow guidance in the vendor advisory to assess exposure and mitigate risk. (Specific mitigation details are referenced to the advisory, but not fully elaborated in the text.)
## Detection
- **Indicators of Compromise (IOCs):** Presence of malware artifacts such as AquaShell, AquaTunnel, chisel, and AquaPurge on the appliance filesystem.
- **Detection methods and tools:** Review exposed appliances for unauthorized network access to the internet-facing Spam Quarantine interface, and perform forensic analysis of the appliance for the post-exploitation activity described above.
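The two detection points above (artifact names on the filesystem, and external access to the Spam Quarantine interface) can be turned into a small triage script. The following is an added example, not code from Cisco, Talos or the report; it runs on constructed sample data embedded inline. The trusted network ranges, the quarantine port number and the shape of the file listing and connection records are assumptions for illustration and must be replaced with values from your own environment.

```python
"""Triage helper for the IOCs and exposure described in the Detection section.

Added example (not vendor code). Inputs are constructed here:
  - a list of file paths as they would appear in an appliance filesystem listing
  - a list of (client_ip, destination_port) connection records from an edge log
"""
from __future__ import annotations

import ipaddress
from typing import Iterable

# Artifact names named in the report; matched case-insensitively on the basename.
ARTIFACT_NAMES = {"aquashell", "aquatunnel", "chisel", "aquapurge"}

# ASSUMPTION: networks from which quarantine access is legitimate in this
# hypothetical deployment (e.g. internal user and management ranges).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

# ASSUMPTION: placeholder port for the Spam Quarantine interface in this
# hypothetical deployment; take the real value from the appliance configuration.
QUARANTINE_PORTS = {8443}


def find_artifacts(paths: Iterable[str]) -> list[str]:
    """Return every path whose file name contains a known artifact name."""
    hits = []
    for path in paths:
        name = path.rsplit("/", 1)[-1].lower()
        if any(artifact in name for artifact in ARTIFACT_NAMES):
            hits.append(path)
    return hits


def is_trusted(ip_str: str) -> bool:
    """True if the address parses and lies inside one of the trusted ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparsable source is never trusted
    return any(ip in net for net in TRUSTED_NETS)


def external_quarantine_access(records: Iterable[tuple[str, int]]) -> list[tuple[str, int]]:
    """Return connection records that reached a quarantine port from outside the trusted ranges."""
    return [(ip, port) for ip, port in records
            if port in QUARANTINE_PORTS and not is_trusted(ip)]


def triage(paths: Iterable[str], records: Iterable[tuple[str, int]]) -> dict:
    """Bundle both checks; a non-empty value in either key warrants a forensic review."""
    return {
        "artifacts": find_artifacts(paths),
        "external_quarantine_access": external_quarantine_access(records),
    }


if __name__ == "__main__":
    # Constructed sample data, not real findings.
    sample_paths = [
        "/data/log/mail.log",
        "/tmp/.cache/AquaShell.py",
        "/var/tmp/chisel",
        "/usr/bin/python",
    ]
    sample_records = [
        ("10.20.30.40", 8443),    # internal user reading quarantine: expected
        ("203.0.113.5", 8443),    # external source reaching quarantine: flag
        ("203.0.113.6", 25),      # external SMTP: normal for a mail gateway
    ]
    for key, value in triage(sample_paths, sample_records).items():
        print(f"{key}: {value}")
```

Any hit in `artifacts` is a strong indicator and the appliance should be treated as compromised; hits in `external_quarantine_access` show that the appliance matches the exposed configuration the report describes, whether or not it has been exploited yet.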
## References
- Vendor Advisory: sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
- CISA KEV Catalog: cisa.gov/known-exploited-vulnerabilities-catalog
- Talos Intelligence Report: blog.talosintelligence.com/uat-9686/