Cisco AsyncOS RCE Zero-Day: Analysis of CVE-2025-20393 (CVSS 10)

Estimated reading time: 10 minutes

Key Takeaways

  • CVE-2025-20393 is a critical Remote Code Execution (RCE) zero-day vulnerability (CVSS 10) affecting Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.
  • It is under active exploitation by a Chinese Advanced Persistent Threat (APT) group, UNC-9686 (UAT-9686), leading to the deployment of custom tools like AquaShell (webshell), AquaTunnel/Chisel (reverse SSH), and AquaPurge (log clearing).
  • The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate mitigation for federal agencies.
  • This incident underscores a broader trend of rapid weaponization and exploitation of critical vulnerabilities, highlighting the urgent need for proactive cyber threat intelligence and advanced breach detection capabilities.
  • Organizations must implement immediate technical mitigations (e.g., disabling the Spam Quarantine feature, deploying EDR) and strategic safeguards (e.g., robust CTI, supply-chain risk monitoring, incident response planning) to protect against sophisticated zero-day threats.

Table of Contents

The cybersecurity domain continues to experience significant challenges from unpatched vulnerabilities, with a recent example being the exploitation of CVE-2025-20393. This zero-day Remote Code Execution (RCE) vulnerability impacts Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, carrying a critical CVSS score of 10. The observed exploitation of this flaw underscores the persistent threat posed by sophisticated cyber adversaries and the immediate need for defensive measures.

Understanding CVE-2025-20393: A Critical Zero-Day Vulnerability

On December 17th, 2025, Cisco issued an advisory concerning CVE-2025-20393. The vulnerability affects both physical and virtual appliances where the Spam Quarantine feature is enabled and exposed to the Internet. At the time of the advisory, no patch was available to remediate the flaw, intensifying the risk.

Cisco confirmed that the exploitation of CVE-2025-20393 was first detected on December 10th, 2025, with indications that attacks commenced as early as November 2025. These activities have been attributed to a Chinese Advanced Persistent Threat (APT) group identified as UNC-9686 (also tracked as UAT-9686). Successful exploitation grants attackers full remote control over the compromised device, enabling subsequent malicious activities such as malware deployment.

Attack Chain and Tools

Cisco Talos published a report on December 17th detailing the attacks observed. The exploitation of CVE-2025-20393 led to the deployment of several custom tools by the threat actors:

  • AquaShell: A Python-based webshell designed to receive and execute encoded commands within the system shell. Webshells provide persistent remote access and control over a compromised server.
  • AquaTunnel and Chisel: These are reverse SSH tunneling tools. Their deployment facilitates unauthorized remote access by establishing encrypted connections from the compromised host to an attacker-controlled server, bypassing firewall restrictions. This capability allows threat actors to maintain covert access and move laterally within the network.
  • AquaPurge: A log-clearing tool used to erase evidence of the compromise, complicating incident response and forensic analysis.

The deployment of these tools indicates a structured and deliberate approach by the threat group, focused on establishing persistence, exfiltrating data, and evading detection.

CISA’s Response and Broader Implications

The severity of CVE-2025-20393 and its active exploitation prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog on December 17th. This action requires Federal Civilian Executive Branch (FCEB) agencies to apply recommended mitigation steps within one week, setting a deadline of December 24th, 2025, as mandated by Binding Operational Directive (BOD) 22-01. CISA’s inclusion of a vulnerability in its KEV catalog serves as a clear signal of immediate and significant risk.

The incident involving CVE-2025-20393 is not isolated. A critical RCE flaw (CVE-2025-14733) impacting over 115,000 WatchGuard Firebox devices also recently saw active exploitation. Shadowserver identified thousands of unpatched instances exposed online, highlighting the widespread nature of such vulnerabilities and the potential for broad impact. CISA similarly added this WatchGuard vulnerability to its KEV catalog, emphasizing that these types of flaws represent frequent attack vectors. These examples demonstrate a consistent pattern: highly critical vulnerabilities, often zero-days, are rapidly weaponized and exploited by sophisticated actors. This necessitates organizations to maintain a robust cyber threat intelligence platform for proactive threat awareness and breach detection capabilities to identify compromises swiftly.

Broader Context: The Landscape of Exploited Vulnerabilities

The addition of CVE-2025-20393 to CISA’s KEV catalog aligns with a broader trend of government agencies flagging vulnerabilities that are actively or historically exploited. Understanding this context is essential for effective cybersecurity strategy.

Consider the case of CVE-2025-59374, an ASUS Live Update vulnerability. This flaw, rated 9.3 (Critical) on the CVSS scale, documents the “ShadowHammer” supply-chain attack from 2018-2019, where maliciously modified ASUS Live Update binaries were delivered to targeted systems. Despite being a historical incident, CISA added it to its KEV catalog in late 2025. This action signals that while a vulnerability might not be under new active exploitation, its historical exploitation and potential for future re-weaponization or continued impact on unpatched legacy systems make it a persistent risk. Such retrospective classifications inform organizations about long-standing risks, particularly relevant for supply-chain risk monitoring. It stresses that even End-of-Life (EoL) software or seemingly resolved issues can remain relevant for risk assessment.

Another example of sophisticated attack methodologies is seen in the distribution of EtherRAT malware, which exploits the React2Shell vulnerability (CVE-2025-55182). This multi-stage attack not only aims for foothold and information theft but also specifically targets cryptocurrency. The malware utilizes unique methods to obtain its Command and Control (C2) address by querying an Ethereum contract, demonstrating advanced evasion and resilience. Attackers in this campaign are observed using automated scripts to scan and attack randomly generated IP addresses across various ports, indicating a non-targeted, opportunistic approach to exploitation.

The EtherRAT example highlights several critical elements:

  • Sophisticated C2 Mechanisms: Relying on blockchain (Ethereum contracts) for C2 discovery demonstrates an advanced approach to maintain communication channels and resist traditional network-based blocking. This level of sophistication necessitates advanced underground forum intelligence and telegram threat monitoring to identify discussions and shared techniques among threat actors.
  • Data Exfiltration and Cryptocurrency Theft: The malware collects a wide array of system information, including OS details, domain information, antivirus data, and critical cryptocurrency wallet information. It actively scans for BIP39 strings used for wallet recovery, indicating a direct financial motivation. This type of threat underlines the importance of dark web monitoring service and brand leak alerting to detect compromised credentials or financial data.
  • Geopolitical Exclusions: The EtherRAT scripts contain code that specifically excludes attacks on countries of the former Soviet Union (e.g., Russia, Belarus, Kazakhstan). Such exclusions are common among certain threat groups, providing insights into their origins and objectives, further emphasizing the need for granular cyber threat intelligence platform capabilities.

These incidents collectively illustrate a threat landscape where zero-day vulnerabilities, supply chain compromises, and sophisticated malware distribution are common. Organizations must move beyond reactive patching to embrace comprehensive proactive security strategies driven by intelligence.

Immediate Actions and Strategic Safeguards

Effective response to vulnerabilities like CVE-2025-20393 requires a two-pronged approach: immediate technical mitigation for engineers and strategic planning for business leaders.

Technical Measures for Engineers

Given the active exploitation and the lack of a patch for CVE-2025-20393, the following steps are crucial:

  1. Verify Spam Quarantine Status: Determine if the Spam Quarantine feature is enabled on Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances. This is the primary indicator of exposure.
  2. Mitigation for Exposed Systems: If the Spam Quarantine feature is enabled and exposed to the Internet, Cisco advises restoring the appliance to a secure configuration from a known good backup or replacing the Virtual Appliance if a clean state cannot be ensured.
  3. Reduce Exposure: Review current network configurations to ensure that appliances are not unnecessarily exposed to the Internet. Limiting external access reduces the attack surface.
  4. Disable Unnecessary Services: Disable any network services, such as HTTP and FTP, that are not strictly required for business operations on these appliances.
  5. Endpoint Detection and Response (EDR) Deployment: Confirm that EDR agents are deployed across all corporate assets, including workstations and servers. EDR solutions can detect post-exploitation activities such as webshell deployment, SSH tunneling (e.g., Chisel, AquaTunnel), and unauthorized process execution, even without specific vulnerability patches.
  6. Consult Cisco Advisory: Refer to the full Cisco advisory for additional hardening recommendations and the most up-to-date guidance.
  7. Log Analysis: Monitor for suspicious activity, including anomalous Node.js processes in unexpected paths (as seen with EtherRAT), access history to Ethereum contract queries for C2 (EtherRAT), and connections to known C2 infrastructure (like 91.215.85[.]42:3000 or 193[.]24[.]123[.]68:3001 from EtherRAT analysis).
  8. Indicators of Compromise (IoCs): Deploy available IoCs, such as MD5 hashes and URLs related to AquaShell, AquaTunnel, Chisel, AquaPurge, or EtherRAT components, across network and endpoint security controls to identify existing compromises.

Organizational Strategy for Business Leaders

Beyond immediate technical fixes, business leaders must implement strategic safeguards to manage persistent cyber risks:

  1. Cyber Threat Intelligence Integration: Invest in and operationalize a robust cyber threat intelligence platform. This platform should provide real-time ransomware intelligence and live ransomware API feeds to understand emerging threats, including zero-day exploits and APT group tactics, techniques, and procedures (TTPs) like those used by UNC-9686. This enables proactive defense rather than reactive responses.
  2. Proactive Breach Detection: Implement advanced breach detection capabilities that go beyond signature-based solutions. This includes behavioral analytics, AI/ML-driven anomaly detection, and continuous monitoring to identify indicators of compromise that might precede or follow a successful exploit.
  3. Supply-Chain Risk Management: Establish comprehensive supply-chain risk monitoring programs to assess and mitigate risks from third-party software and hardware components. The ASUS ShadowHammer incident serves as a reminder that vulnerabilities can exist deep within the supply chain and resurface years later.
  4. Vulnerability Management Program: Maintain a disciplined vulnerability management program that includes regular scanning, patching, and configuration reviews. While zero-days present unique challenges, minimizing known vulnerabilities reduces the overall attack surface.
  5. Incident Response Planning: Develop and regularly test a comprehensive incident response plan. This plan should include procedures for containment, eradication, recovery, and communication, ensuring the organization can respond effectively to a major breach.
  6. Dark Web and Underground Forum Monitoring: Utilize dark web monitoring service and underground forum intelligence to gain insight into threat actor discussions, sales of exploits, and disclosure of vulnerabilities. This intelligence can provide early warnings of potential threats, including details about specific APT groups or new malware strains. Telegram threat monitoring is also increasingly relevant for tracking communications in these channels.
  7. Brand Leak Alerting: Implement brand leak alerting to monitor for the exposure of sensitive organizational data, intellectual property, or employee credentials on public platforms or illicit online communities, especially following data exfiltration events that frequently accompany RCE exploits.

How PurpleOps Addresses Zero-Day Threats and Advanced Attacks

PurpleOps offers a comprehensive suite of services designed to help organizations navigate the complexities of zero-day vulnerabilities and advanced persistent threats like CVE-2025-20393. Our approach integrates proactive intelligence with robust defensive and offensive security capabilities.

Our cyber threat intelligence platform is engineered to provide granular, actionable intelligence, including real-time ransomware intelligence and a live ransomware API. This allows organizations to stay ahead of adversaries by understanding their TTPs, C2 infrastructure, and emerging threats, enabling the pre-emptive configuration of defenses against groups like UNC-9686 and their custom tools.

PurpleOps’ breach detection capabilities leverage advanced analytics and expert human analysis to identify even the most subtle indicators of compromise. This includes detecting the deployment of webshells like AquaShell, the establishment of tunneling tools like Chisel and AquaTunnel, and other post-exploitation activities often missed by traditional security tools.

For organizations concerned about the insights gleaned from illicit online activity, our dark web monitoring service, underground forum intelligence, and telegram threat monitoring provide crucial visibility. We track threat actor communications, exploit discussions, and data breaches, offering early warnings and contextual understanding of threats that could impact your operations, including sophisticated C2 mechanisms seen in EtherRAT.

Recognizing the pervasive risk of compromised software, PurpleOps provides supply-chain information security services. We help assess and mitigate risks stemming from third-party components and vendor software, drawing lessons from incidents like the ASUS ShadowHammer attack to protect against long-tail supply chain vulnerabilities.

To proactively test an organization’s resilience against RCEs and APT-style attacks, PurpleOps offers red team operations and penetration testing. These services simulate real-world attacks, uncovering exploitable vulnerabilities and validating the effectiveness of existing security controls, ensuring readiness against sophisticated adversaries. Our protect ransomware services, while focused on ransomware, also provide foundational security against the initial access vectors, such as RCE vulnerabilities, that often precede ransomware deployment.

Finally, our brand leak alerting service provides continuous monitoring for the exposure of sensitive information related to your organization. In the aftermath of a potential RCE and data exfiltration, this service is critical for rapidly identifying and addressing compromised data before it can be further leveraged by threat actors.

PurpleOps enables organizations to build a resilient security posture, capable of detecting, preventing, and responding to the most advanced cyber threats.

For more information on how PurpleOps can enhance your organization’s security posture and protect against critical vulnerabilities, explore our capabilities:

Frequently Asked Questions (FAQ)

Q: What is CVE-2025-20393?
A: CVE-2025-20393 is a critical Remote Code Execution (RCE) zero-day vulnerability with a CVSS score of 10. It affects Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, allowing attackers full remote control over compromised devices.

Q: Which Cisco products are affected by CVE-2025-20393?
A: The vulnerability affects both physical and virtual Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances where the Spam Quarantine feature is enabled and exposed to the Internet.

Q: Who is exploiting CVE-2025-20393?
A: The exploitation has been attributed to a Chinese Advanced Persistent Threat (APT) group identified as UNC-9686 (also tracked as UAT-9686).

Q: What are the immediate mitigation steps for CVE-2025-20393 given there’s no patch?
A: Immediate steps include verifying if the Spam Quarantine feature is enabled and exposed to the Internet, restoring the appliance from a known good backup or replacing it if a clean state cannot be ensured, reducing overall exposure to the internet, disabling unnecessary services, and deploying EDR agents to detect post-exploitation activities. Always consult Cisco’s official advisory for the most current guidance.

Q: How can organizations proactively defend against zero-day RCEs like this?
A: Proactive defense involves integrating robust cyber threat intelligence, implementing advanced breach detection capabilities, establishing supply-chain risk monitoring, maintaining a disciplined vulnerability management program, developing and testing incident response plans, and utilizing dark web/underground forum monitoring to anticipate threats.