 |
| ⓘ We are reaching out to let you know that there is a newly identified advanced persistent threat (APT) that has been exploiting a zero-day vulnerability in Cisco email security appliances that run AsyncOS. |
Attention constituent:
There has been a newly identified APT, that has been exploiting a zero-day vulnerability in all Cisco email security appliances that have AsyncOS as their underlying operating system. AsyncOS is the operating system for Cisco’s Secure Email Gateway and it is used to protect against malware and spam.
The vulnerability is exploited when the Cisco machines are configured with Spam Quarantine feature and accessible via the Internet. Threat actors can then gain root privileges in AsyncOS and then execute malicious commands that impact both the appliance and connected systems. Cisco has advised their customers to disable Spam Quarantine, as it is a zero-day attack with no working patches available.
Advisory Overview
|
| Advisory Type |
Technical |
| Author |
Etienne Bowleg |
| Date |
6 January 2026 |
What’s Happening
|
| Affected Systems |
- CVE-2025-20393
- All Cisco machines that operate with the underlying AsyncOS are affected and impacted by this vulnerability; all releases and versions of AsyncOS
- Main targets are Cisco Secure Email Gateway and Cisco Secure Email and Web Manager (physical and virtual)
|
| What this Means |
Threat actors can use the CVE-2025-20393 vulnerability as an entry point into the system and execute system-level commands and deliver various malware. The CVE-2025-20393 is related to improper input validation and this allows the threat actor to execute arbitrary commands with root privileges on the operating system of the affected appliance. The vulnerability also allows the threat actor to establish persistence in the system via the use of tunneling tools so that the operating system can be accessed at a later time. |
What to Look For
|
| Signs You May Be at Risk |
If you have any appliances that run AsyncOS then you are at risk. The vulnerability is able to be exploited when the Cisco devices are configured with Spam Quarantine enabled and the devices are accessible via the Internet. |
| Signs You May Be Affected |
Navigate to your Web Management Interface and check the settings on your respective interface, if Spam Quarantine is enabled then you are at risk.
Indicators of Compromise (IOC) include:
- AquaTunnel Tool SHA256 2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef
- AquaPurge Tool SHA256 145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca
- Chisel Tool SHA256 85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc
- IP 172.233.67.176
- IP 172.237.29.147
- IP 38.54.56.95
|
What to Do
|
| Prevention and Mitigation
|
- Cisco has advised customers to disable Spam Quarantine because there is no working patch at this time; if compromised you must restore the appliance to a secure configuration and/or rebuild
- Audit all edge devices and enforce strong passwords and multi-factor authentication
- Close all unused or unneeded ports
- Secure all devices behind a firewall to only allow traffic from known and trusted hosts
- Separate mail and management functionality onto different network interfaces
- Monitor web log traffic for any unexpected traffic
- Disable HTTP for main admin portal
|
|
Official Information
|
- https://www.darkreading.com/endpoint-security/cisco-vpns-email-services-threat-campaigns
- https://thehackernews.com/2025/12/cisco-warns-of-active-attacks.html
- https://www.cisecurity.org/advisory/a-vulnerability-in-cisco-asyncos-could-allow-for-remote-code-execution_2025-117
- https://www.scworld.com/brief/cisco-patches-critical-zero-day-flaw-exploited-by-china-linked-apt
|
Should you require additional information or further support, submit a report on our website or contact us at [email protected].
Best,
Etienne Bowleg
Security Operations Centre
National Computer Incident Response Team of The Bahamas
