TL;DR

Cisco released software updates to fix CVE-2025-20393, a maximum-severity AsyncOS vulnerability that attackers exploited for weeks. The bug affected some Secure Email Gateway and Secure Email and Web Manager appliances and allowed arbitrary root-level command execution and persistence.

What happened

Cisco has issued updates to close a critical vulnerability in AsyncOS (CVE-2025-20393) after evidence that attackers had been actively exploiting the flaw for weeks. The company first detected targeting of affected appliances on December 10 and publicly disclosed the vulnerability on December 17. Cisco’s advisory says the exploit permits threat actors to run arbitrary commands with root privileges on affected Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances, and that investigators found indicators of a persistence mechanism implanted by intruders. Cisco’s Talos team attributed the campaign to UAT-9686, a group described as China-linked, and reported activity dating back to at least late November 2025. Cisco told customers on Thursday that fixes are available; the updates are said to remove persistence mechanisms that may have been installed. Cisco recommended that affected customers upgrade to patched releases and contact its Technical Assistance Center for support. The company did not provide a count of compromised appliances when asked.

Why it matters

  • Root-level command execution lets attackers take full control of affected appliances, posing a severe risk to network security.
  • Persistence mechanisms can keep intruders present even after initial remediation, complicating recovery.
  • SEG and SEWM appliances sit at the email/web perimeter, so compromise can affect inbound filtering and potentially downstream systems.
  • Active exploitation over weeks increases the chance of multiple, unseen compromises and urgent patching needs.

Key facts

  • Vulnerability tracked as CVE-2025-20393.
  • Impacted products: some Cisco Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances.
  • Cisco first became aware of attackers targeting the appliances on December 10 (year not explicitly stated in the source but tied to the CVE and Talos timeline).
  • Cisco disclosed the vulnerability publicly on December 17.
  • Talos attributed the intrusions to UAT-9686, described in the advisory as China-linked, and reported activity since at least late November 2025.
  • Attackers could execute arbitrary commands with root privileges on affected devices, per Cisco’s advisory.
  • Cisco’s released updates remove persistence mechanisms that may have been installed during the campaign.
  • Cisco urged affected customers to upgrade to fixed software releases and to contact the Cisco Technical Assistance Center for help.
  • Cisco did not disclose how many appliances had been compromised when asked.

What to watch next

  • Whether Cisco publishes indicators of compromise or detailed forensic guidance for affected customers (not confirmed in the source).
  • If additional affected devices or compromises are discovered during remediation efforts (not confirmed in the source).
  • Any follow-up disclosures about the scale of infections or attribution beyond the Talos report (not confirmed in the source).

Quick glossary

  • CVE: Common Vulnerabilities and Exposures — a standardized identifier for publicly known cybersecurity vulnerabilities.
  • AsyncOS: Cisco’s operating system used on certain email and web security appliances.
  • Persistence mechanism: Techniques or tools implanted by attackers to maintain ongoing access to a compromised system.
  • Root privileges: The highest level of access on a system, allowing full control over software and data.

Reader FAQ

Which Cisco products were affected?
Some Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances were identified as affected.

Has Cisco released a patch?
Yes. Cisco notified customers that it released software updates that address the vulnerability and remove potential persistence mechanisms.

Who did the attacks?
Cisco Talos attributed the intrusions to UAT-9686, described as China-linked in its report.

How many appliances were compromised?
Not confirmed in the source.

Sources

  • The Register (Patches): “Cisco finally fixes max-severity bug under active attack for weeks. This is a threat to security – and to the weekend for some unlucky netadmins”, Jessica Lyons, Thu 15 Jan 2026.
