Cisco has disclosed that a threat group with links to China, tracked as UAT-9686, is exploiting a previously unknown, maximum‑severity vulnerability in its AsyncOS software running on Secure Email Gateway and Secure Email and Web Manager appliances used to filter and manage corporate email traffic. The zero‑day bug, now tracked as CVE-2025-20393, allows attackers to bypass authentication and gain high‑level access on affected systems, and has been under active attack since at least late November 2025, before Cisco became aware of the campaign on December 10. Cisco says the intrusions appear to be part of an espionage‑focused operation rather than financially motivated crime, and so far there is no evidence the flaw affects other Cisco products such as firewalls or routers. While there is currently no software patch, Cisco has published detailed detection guidance, indicators of compromise, and mitigations, giving defenders a practical playbook to secure systems while a permanent fix is developed.
Highlights:
- Targeted customers: The campaign has focused on Cisco customers whose email gateways are reachable from the internet and often belong to large organizations that handle sensitive communications, making them attractive intelligence targets.
- Custom toolset: UAT-9686 deployed a suite of custom-built tools to maintain persistence, move laterally, and exfiltrate data from compromised appliances, indicating a well-resourced and tailored operation rather than off-the-shelf malware use.
- Mitigation guidance: Cisco recommends restricting network access to the management interfaces of Secure Email Gateway and Secure Email and Web Manager, monitoring for specific suspicious processes and connections, and applying new Snort rules it has released to detect exploitation attempts at the network edge.
- Patch timeline: Although Cisco has assigned a maximum CVSS score to CVE-2025-20393, it has not yet provided an estimated release date for a software update that fully remediates the vulnerability in AsyncOS appliances.
- Attribution details: Researchers link UAT-9686 to a China-nexus advanced persistent threat based on infrastructure overlaps and operational patterns consistent with other state-directed espionage campaigns, though Cisco has not publicly associated the group with a specific known APT label.
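The first mitigation in the Highlights above, restricting who can reach the appliance's management interface, is something a defender can audit mechanically. The following script is an added example and is not Cisco's tooling or part of its published guidance: it takes a constructed list of firewall rules, the appliance's management IP and a set of trusted administrative networks, reports every allow rule that lets an untrusted source reach a management port, and produces a tightened rule set in which those rules are narrowed to the trusted networks. The rule format, the management IP, the trusted networks and the choice of ports (HTTPS for the web UI, SSH for the CLI) are all assumptions for the example; check your own deployment's listening ports. SMTP from anywhere is deliberately left alone, since a mail gateway has to accept mail from the internet.

```python
"""
Management-interface exposure audit (added example, not Cisco's code).
Flags firewall rules that expose an appliance's management ports to
sources outside the trusted admin networks, and emits a tightened rule set.
Rules are treated as independent allow/deny entries (no first-match
ordering), which is an assumption of this example.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List

# Assumed management ports: HTTPS web UI and SSH CLI. Verify for your appliance.
MGMT_PORTS = {443, 22}
ANY_PORT = 0


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination TCP port, ANY_PORT for all ports


def rule_exposes_mgmt(rule: Rule, mgmt_ip: str, trusted_nets: List[str]) -> bool:
    """True if this allow rule lets a non-trusted source hit a management port."""
    if rule.action != "allow":
        return False
    if rule.port != ANY_PORT and rule.port not in MGMT_PORTS:
        return False
    if ipaddress.ip_address(mgmt_ip) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    src = ipaddress.ip_network(rule.src, strict=False)
    # Safe only if the whole source range lies inside some trusted network.
    return not any(src.subnet_of(ipaddress.ip_network(t)) for t in trusted_nets)


def audit(rules: List[Rule], mgmt_ip: str, trusted_nets: List[str]) -> List[Rule]:
    """Return the rules that expose the management interface."""
    return [r for r in rules if rule_exposes_mgmt(r, mgmt_ip, trusted_nets)]


def tighten(rules: List[Rule], mgmt_ip: str, trusted_nets: List[str]) -> List[Rule]:
    """Rewrite exposing rules so each permits only the trusted admin networks."""
    out: List[Rule] = []
    for r in rules:
        if rule_exposes_mgmt(r, mgmt_ip, trusted_nets):
            out.extend(replace(r, src=t) for t in trusted_nets)
        else:
            out.append(r)
    return out


# Constructed sample data for the example; not real addresses or rules.
MGMT_IP = "203.0.113.10"
TRUSTED = ["10.20.0.0/16"]
RULES = [
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", 25),       # SMTP: fine
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", 443),      # web UI open to all
    Rule("allow", "10.20.5.0/24", "203.0.113.10/32", 22),    # SSH from admin net
    Rule("allow", "198.51.100.0/24", "203.0.113.10/32", 0),  # partner range, all ports
    Rule("deny", "0.0.0.0/0", "203.0.113.0/24", 0),
]

if __name__ == "__main__":
    for r in audit(RULES, MGMT_IP, TRUSTED):
        print("EXPOSED:", r)
    print("tightened rule set:")
    for r in tighten(RULES, MGMT_IP, TRUSTED):
        print(" ", r)
```

On the sample data the audit flags the any-source HTTPS rule and the partner-range all-ports rule; the tightened set narrows both to the trusted admin network while leaving the SMTP rule and the existing admin-net SSH rule untouched. Whether a rule with `port == 0` should be narrowed or split into SMTP-only plus admin-only entries is a policy decision the example does not make for you.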
We are actively working on software fixes for this issue and will release updates as soon as they are available. - Cisco spokesperson
Perspectives:
- Cisco: Cisco emphasizes that the attacks are highly targeted, says it has seen no evidence that other product lines such as its core networking gear are affected, and stresses that it is prioritizing development of fixes while providing interim guidance to customers. (TechCrunch)
- Security researchers: Independent security analysts note that compromising email security gateways can give attackers deep visibility into an organization’s messages and authentication flows, making this type of zero-day especially valuable for long-term espionage against governments and enterprises. (SecurityWeek)
- BleepingComputer analysts: Researchers writing for BleepingComputer highlight that the maximum-severity score and active exploitation mean organizations should treat this as a priority incident, even though a formal patch is not yet available. (BleepingComputer)
- The Register commentary: The Register points out that the lack of a clear patch timeline underscores how complex it can be to fix deeply embedded bugs in security appliances that organizations rely on as frontline defenses. (The Register)
Sources:
- Chinese Hackers Breach Cisco’s Email Security Systems - techrepublic.com
- Cisco warns of unpatched AsyncOS zero-day exploited in attacks - bleepingcomputer.com
- Attacks pummeling Cisco AsyncOS 0-day since late November - theregister.com
- China-Linked Hackers Exploiting Zero-Day in Cisco Security Gear - securityweek.com
- Cisco says Chinese hackers are exploiting its customers with a new zero-day - techcrunch.com
- Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances - thehackernews.com