Cisco Patches Critical Zero-Day Flaw in AsyncOS (CVE-2025-20393)
▼ Summary
– Cisco has released security updates to fix CVE-2025-20393, a zero-day vulnerability in its Email Security Gateway and Secure Email and Web Manager devices that was exploited by suspected Chinese attackers.
– The flaw, due to insufficient HTTP request validation in the Spam Quarantine feature, allowed unauthenticated attackers to execute arbitrary commands with root privileges.
– Attackers installed multiple backdoor and tunneling tools on a limited number of compromised appliances that had the internet-reachable Spam Quarantine feature enabled.
– Cisco provides specific AsyncOS version upgrades for each affected device model, and the US CISA had previously mandated federal agencies to address this vulnerability.
– The fix addresses the vulnerability and removes the identified attacker persistence mechanisms, with Cisco advising customers to apply the updates and further harden their devices.
Cisco has released crucial security patches for a critical zero-day vulnerability actively exploited in the wild, targeting its Email Security Gateway and Secure Email and Web Manager appliances. The flaw, tracked as CVE-2025-20393, resides in the AsyncOS software and has been leveraged by suspected state-sponsored actors since at least November 2025. Organizations using these devices must apply the updates immediately to prevent unauthorized system access.
The vulnerability stems from insufficient validation of HTTP requests by the Spam Quarantine feature. This oversight allows an unauthenticated attacker to send a specially crafted HTTP request to a vulnerable device. Successful exploitation grants the threat actor the ability to execute arbitrary commands with root-level privileges on the appliance’s underlying operating system, providing complete control over the system.
Investigations by Cisco Talos revealed that attackers deployed a suite of malicious tools on a limited number of compromised appliances. This toolkit included a custom Python backdoor known as AquaShell, a log-erasure utility called AquaPurge, a reverse SSH backdoor named AquaTunnel, and the open-source tunneling tool Chisel for traffic proxying. It is important to note that only appliances with the Spam Quarantine feature enabled and directly accessible from the internet were vulnerable to this attack chain. Cisco has emphasized that this feature is not active by default, which limited the potential attack surface.
Following the initial disclosure of in-the-wild exploitation in mid-December, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) swiftly added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog. This action mandated all federal civilian agencies to implement Cisco’s provided mitigations. With the full security updates now available, all affected customers must proceed with upgrading their systems.
To remediate the vulnerability, administrators need to install the specified AsyncOS versions. For Email Security Gateway appliances, upgrade to AsyncOS v15.0.5-016, 15.5.4-012, or 16.0.4-016 and later. For Secure Email and Web Manager devices, upgrade to AsyncOS v15.0.2-007, 15.5.4-007, or 16.0.4-010 and later. The patching process will trigger an automatic reboot of the appliance.
Cisco confirms that the update not only addresses the root cause of the vulnerability but also removes the persistence mechanisms identified in this campaign. The company further advises organizations to take additional steps to harden their device configurations beyond simply applying the patch, ensuring a more robust security posture against future threats.
(Source: HelpNet Security)
