Cyberthreat Advisories | 1898 & Co.

Critical Zero-Day Vulnerability in Cisco AsyncOS Software Exploited by APT Group

Written by The 1898 & Co. Team | January 9, 2026

A critical zero-day vulnerability in Cisco AsyncOS software, tracked as CVE-2025-20393, has been actively exploited by a China-nexus advanced persistent threat (APT) group known as UAT-9686. This flaw affects Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, allowing attackers to execute arbitrary commands with root privileges. The vulnerability, which has a CVSS score of 10.0, results from improper input validation and has been exploited since at least late November 2025. Cisco has identified a limited subset of appliances with certain ports open to the internet as being vulnerable.

In addition to the zero-day vulnerability, a coordinated, automated credential-based campaign has been detected targeting enterprise VPN authentication infrastructure. This campaign involves large-scale scripted login attempts against Cisco SSL VPN and Palo Alto Networks GlobalProtect portals, using common username and password combinations. Over 10,000 unique IP addresses have been involved in these attempts, indicating a widespread effort to compromise VPN endpoints.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog, requiring Federal Civilian Executive Branch agencies to apply the necessary mitigations by December 24, 2025. This highlights the urgency of addressing the vulnerability to protect critical infrastructure from exploitation.

Threats and Vulnerabilities

The zero-day vulnerability in Cisco AsyncOS software allows threat actors to execute commands with root privileges on affected appliances. The flaw is particularly dangerous because it lets attackers install a persistence mechanism and retain control of compromised systems. The vulnerability affects all releases of Cisco AsyncOS Software when the Spam Quarantine feature is enabled and exposed to the internet.

Exploitation of this vulnerability involves the deployment of tunneling tools such as ReverseSSH and Chisel, along with a log-cleaning utility called AquaPurge. Additionally, a Python backdoor named AquaShell is used to execute encoded commands received via unauthenticated HTTP POST requests. These tools are associated with Chinese hacking groups such as APT41 and UNC5174.

The credential-based campaign targeting VPN infrastructure involves automated login attempts against Cisco SSL VPN and Palo Alto Networks GlobalProtect portals. This activity does not exploit a specific vulnerability; it relies on weak or exposed credentials to gain unauthorized access. The campaign has been observed across multiple countries, including the U.S., Pakistan, and Mexico.
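The campaign above is detectable from authentication logs alone, because it leaves two distinct footprints: one username hit from many source IPs in a short window (spraying spread across a large pool of addresses), and one source IP cycling through many usernames. The following script is an added example written for this advisory, not code from Cisco, Palo Alto Networks or 1898 & Co. The log format, thresholds and sample lines are constructed assumptions; real VPN portals log in their own syslog layouts, so the parser would need to be adapted.

```python
"""Spot distributed credential-based login campaigns in VPN portal auth logs.

Two patterns are checked over failed-login events only:
  * one username targeted from many distinct source IPs (distributed spray)
  * one source IP failing against many distinct usernames (credential stuffing)
"""
import re
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical key=value format; this is NOT the
# real syslog layout of Cisco SSL VPN or Palo Alto GlobalProtect.
SAMPLE_LOG = """\
2025-12-01T10:00:01Z portal=globalprotect src=198.51.100.10 user=admin result=FAIL
2025-12-01T10:00:05Z portal=globalprotect src=198.51.100.11 user=admin result=FAIL
2025-12-01T10:00:09Z portal=globalprotect src=198.51.100.12 user=admin result=FAIL
2025-12-01T10:00:14Z portal=globalprotect src=198.51.100.13 user=admin result=FAIL
2025-12-01T10:00:20Z portal=globalprotect src=198.51.100.14 user=admin result=FAIL
2025-12-01T10:01:02Z portal=globalprotect src=198.51.100.15 user=admin result=FAIL
2025-12-01T10:02:00Z portal=sslvpn src=203.0.113.7 user=test result=FAIL
2025-12-01T10:02:03Z portal=sslvpn src=203.0.113.7 user=guest result=FAIL
2025-12-01T10:02:06Z portal=sslvpn src=203.0.113.7 user=vpn result=FAIL
2025-12-01T10:02:09Z portal=sslvpn src=203.0.113.7 user=support result=FAIL
2025-12-01T10:05:00Z portal=globalprotect src=192.0.2.44 user=jdoe result=FAIL
2025-12-01T10:05:10Z portal=globalprotect src=192.0.2.44 user=jdoe result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) portal=(?P<portal>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def _distinct_within_window(failures, group_key, count_key, window, threshold):
    """For each value of group_key, report the largest number of distinct
    count_key values seen among failures inside any window-long interval
    ending at a failure, provided it reaches threshold."""
    failures = sorted(failures, key=lambda e: e["ts"])
    hits = {}
    for i, ev in enumerate(failures):
        start = ev["ts"] - window
        seen = {
            f[count_key]
            for f in failures[: i + 1]
            if f[group_key] == ev[group_key] and f["ts"] >= start
        }
        if len(seen) >= threshold:
            hits[ev[group_key]] = max(hits.get(ev[group_key], 0), len(seen))
    return hits


def detect_distributed_spray(events, window=timedelta(minutes=10), min_sources=5):
    """Usernames whose failed logins arrive from at least min_sources distinct IPs."""
    failures = [e for e in events if e["result"] == "FAIL"]
    return _distinct_within_window(failures, "user", "src", window, min_sources)


def detect_single_source_stuffing(events, window=timedelta(minutes=10), min_users=3):
    """Source IPs that fail against at least min_users distinct usernames."""
    failures = [e for e in events if e["result"] == "FAIL"]
    return _distinct_within_window(failures, "src", "user", window, min_users)


def triage(text):
    """Run both detectors over raw log text and return their findings together."""
    events = parse_log(text)
    return {
        "distributed_spray": detect_distributed_spray(events),
        "single_source_stuffing": detect_single_source_stuffing(events),
    }


if __name__ == "__main__":
    # Expected: admin sprayed from 6 IPs; 203.0.113.7 tried 4 usernames.
    print(triage(SAMPLE_LOG))
```

The per-username detector is the one that matters against this campaign: each participating IP makes only a handful of attempts, so per-IP rate limits and lockouts never fire, while the distinct-source count for a common username such as admin climbs quickly. The legitimate user jdoe, who mistypes a password once and then succeeds, triggers neither check.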

Client Impact

Clients using Cisco Secure Email Gateway and Cisco Secure Email and Web Manager are at risk of operational disruptions due to potential unauthorized access and control by threat actors. The exploitation of the zero-day vulnerability could lead to data breaches, financial losses, and damage to organizational reputation. Additionally, the credential-based attacks on VPN infrastructures pose a risk of unauthorized access to sensitive networks.

Regulatory compliance is also a concern, as failure to address these vulnerabilities could result in audits or penalties from regulatory bodies. Organizations must ensure they meet the mitigation deadlines set by CISA to avoid potential compliance issues.

Mitigations

To mitigate the risks associated with these threats, clients should consider the following actions:

  1. Restore affected appliances to a secure configuration and limit internet access.
  2. Secure devices behind a firewall, allowing traffic only from trusted hosts.
  3. Separate mail and management functionality onto different network interfaces.
  4. Monitor web access logs for unexpected activity.
  5. Disable HTTP for the main administrator portal.
  6. Turn off unnecessary network services.
  7. Implement strong end-user authentication methods like SAML or LDAP.
  8. Change default administrator passwords to more secure variants.
  9. In case of confirmed compromise, rebuild affected appliances to remove persistence mechanisms.

These measures aim to reduce the attack surface and enhance security posture against both zero-day vulnerabilities and credential-based attacks. Organizations should remain vigilant and continuously monitor their systems for signs of compromise.
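Items 2 and 4 of the list above work together: once the appliance is reachable only from trusted hosts, any request in the web access log from outside that set is by definition unexpected, and an unauthenticated POST that the server answered successfully is the pattern to escalate first, since that is how the AquaShell backdoor described earlier receives its commands. The script below is an added example written for this advisory, not code from Cisco or 1898 & Co. The trusted networks, the request paths and the sample lines are constructed assumptions; the log layout is the generic Common Log Format rather than the appliance's own.

```python
"""Review an appliance's web access log for requests that a trusted-host
firewall rule should have stopped, ranking unauthenticated POSTs highest."""
import ipaddress
import re

# Hypothetical trusted management networks (an assumption for this example).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Constructed sample lines in Common Log Format; the request paths are
# invented for the example and are not the appliance's real endpoints.
SAMPLE_LOG = """\
10.20.0.5 - admin [02/Dec/2025:09:15:02 +0000] "GET /login HTTP/1.1" 200 1532
10.20.0.5 - admin [02/Dec/2025:09:15:40 +0000] "POST /settings HTTP/1.1" 302 0
198.51.100.23 - - [02/Dec/2025:03:12:11 +0000] "POST /example-handler HTTP/1.1" 200 88
198.51.100.23 - - [02/Dec/2025:03:12:14 +0000] "POST /example-handler HTTP/1.1" 200 88
192.0.2.9 - - [02/Dec/2025:09:20:00 +0000] "GET /login HTTP/1.1" 200 1532
203.0.113.77 - - [02/Dec/2025:03:40:51 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

# CLF: host ident authuser [date] "method path proto" status size
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_clf(text):
    """Parse CLF lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = CLF_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def is_trusted(src, trusted=TRUSTED_NETWORKS):
    """True when src parses as an IP address inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def review_access_log(text, trusted=TRUSTED_NETWORKS):
    """Return one finding per request from outside the trusted networks.

    "high":   an unauthenticated POST (authuser is "-") answered with 2xx,
              i.e. a handler accepted a request with no logged-in user.
    "medium": any other request from an untrusted source.
    """
    findings = []
    for rec in parse_clf(text):
        if is_trusted(rec["src"], trusted):
            continue
        unauth_post = rec["method"] == "POST" and rec["user"] == "-"
        if unauth_post and 200 <= rec["status"] < 300:
            sev, reason = "high", "unauthenticated POST accepted from untrusted source"
        elif unauth_post:
            sev, reason = "medium", "unauthenticated POST from untrusted source"
        else:
            sev, reason = "medium", "request from untrusted source"
        findings.append({"severity": sev, "reason": reason, "src": rec["src"],
                         "path": rec["path"], "status": rec["status"]})
    return findings


def sources_by_severity(findings):
    """Distinct source IPs grouped by the highest severity raised against them."""
    rank = {"medium": 0, "high": 1}
    worst = {}
    for f in findings:
        cur = worst.get(f["src"])
        if cur is None or rank[f["severity"]] > rank[cur]:
            worst[f["src"]] = f["severity"]
    out = {"high": [], "medium": []}
    for src, sev in worst.items():
        out[sev].append(src)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    found = review_access_log(SAMPLE_LOG)
    for f in found:
        print(f["severity"], f["src"], f["path"], f["status"], "-", f["reason"])
    print(sources_by_severity(found))
```

Run against the sample, the two requests from 198.51.100.23 come out as high-severity findings (an untrusted source posting to the appliance with no authenticated user and receiving 200), the stray request from 203.0.113.77 is medium, and traffic from the trusted management networks is not reported at all. Any high-severity hit on a production appliance is a reason to move to item 9 of the list, rebuilding rather than cleaning, because the tooling described in this advisory includes a log-cleaning utility and the logs themselves cannot be trusted to show the full history.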

1898 & Co. Response

1898 & Co. is actively addressing the current threat landscape by offering specialized services to help clients secure their networks against emerging threats. Our team is focused on providing tailored solutions that align with industry standards and best practices for cybersecurity.

We are updating our security protocols to incorporate the latest threat intelligence and mitigation strategies. Our collaborative efforts with industry allies and government agencies ensure that we stay ahead of potential threats and provide our clients with timely and effective solutions.

Our ongoing research into threat intelligence gathering allows us to offer clients insights into emerging threats and vulnerabilities. We have successfully assisted clients in mitigating similar threats through our comprehensive security assessments and incident response services.

Sources

  1. Cisco Advisory on CVE-2025-20393
  2. CVE Details for CVE-2025-20393