Attacks pummeling Cisco AsyncOS 0-day since late November

Suspected Chinese-government-linked threat actors have been battering a maximum-severity Cisco AsyncOS zero-day vulnerability in some Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances for nearly a month, and there's no timeline for a fix. Cisco disclosed the bug, tracked as CVE-2025-20393, on Wednesday and said it affects both physical and virtual SEG and SEWM appliances in certain non-standard configurations where the Spam Quarantine feature is enabled and exposed to the internet. "On December 10, Cisco became aware of a new cyberattack campaign targeting a limited subset of appliances with certain ports open to the internet … This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance," according to the security advisory. The vendor also published recommendations for customers to assess exposure and mitigate risks. According to Cisco's threat intel arm Talos, the attacks have been ongoing "since at least late November 2025." A Cisco spokesperson declined to answer The Register's questions, including how many appliances have been infected and when it will release a fix. Attackers turned Citrix, Cisco 0-day exploits into custom-malware hellscape Cisco warns of 'new attack variant' battering firewalls under exploit for 6 months Watch out, another max-severity, make-me-root Cisco bug on the loose China's Ink Dragon hides out in European government networks "We strongly urge customers to follow guidance in the advisory to assess any exposure and mitigate risk," the spokesperson said. "Cisco is actively investigating the issue and developing a permanent remediation." Also on Wednesday, the US Cybersecurity and Infrastructure Security Agency added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog. In a subsequent report, Cisco Talos on Wednesday pinned the attacks "with moderate confidence" on a Chinese-nexus advanced persistent threat (APT) group it tracks as UAT-9686. After breaking into internet-facing appliances, the attackers deploy a persistent Python-based backdoor called AquaShell, along with AquaTunnel (reverse SSH tunnel), chisel (another tunneling tool), and AquaPurge (log-clearing utility). ®