Cybersecurity Threat Advisory: Cisco AsyncOS zero-day vulnerability

Cisco has disclosed a zero‑day vulnerability in AsyncOS that is being actively exploited and carries a CVSS score of 10.0. The Cybersecurity and Infrastructure Security Agency (CISA) has added the CVE to its Known Exploited Vulnerabilities (KEV) catalog. Review this Cybersecurity Threat Advisory to reduce exposure and mitigate your risk.

What is the threat?

The flaw, tracked as CVE‑2025‑20393, is an unauthenticated remote code‑execution (RCE) vulnerability in Cisco AsyncOS. On Secure Email Gateway and Secure Email and Web Manager appliances that have the Spam Quarantine feature enabled and exposed to the internet, an unauthenticated remote attacker can execute arbitrary commands as root.

Exploitation is attributed to an advanced persistent threat (APT) group tracked as UAT 9686. These threat actors use:

  • AquaTunnel / ReverseSSH, Chisel – tunneling tools enabling covert remote access
  • AquaPurge – a log‑cleaning utility designed to suppress evidence
  • AquaShell – a lightweight backdoor that listens for hidden commands delivered through unauthenticated HTTP POST requests

Cisco has reported that the attackers’ persistence mechanisms can survive reboots and some administrative changes. Observed activity traces back to late November 2025.

Why is it noteworthy?

This vulnerability allows attackers to gain full control of a widely deployed email security platform without authentication. Once inside, they can manipulate email flows, monitor communications, or pivot deeper into the organization’s network.

CISA’s KEV inclusion signals both the seriousness of the flaw and the likelihood of broader exploitation. At the same time, the industry is seeing increased mass credential‑spraying campaigns against VPN portals such as GlobalProtect and Cisco SSL VPN, highlighting rising pressure on perimeter defenses overall.

What is the exposure or risk?

Root‑level compromise of an email security appliance gives attackers the ability to:

  • Read, modify, or reroute email traffic
  • Disable filtering and inspection controls
  • Establish hidden outbound tunnels that bypass firewalls and monitoring
  • Conduct stealthy lateral movement across the internal network

The use of anti‑forensic tools and passive command channels reduces detectable indicators and increases dwell time. Appliances that expose Spam Quarantine externally are at the highest risk. Because no patch was available at the time of this advisory, and because the attackers’ persistence survives reboots, the risk remains until the appliance is rebuilt from a clean image.

What are the recommendations?

Barracuda strongly advises organizations to take the following actions immediately:

  • Verify whether Spam Quarantine is enabled and publicly accessible; if so, block external access or restrict it to trusted IPs.
  • Place appliances behind a firewall and never expose administrative interfaces to the public internet.
  • Separate mail and management traffic, disable HTTP administration, and shut down unnecessary services.
  • Enforce MFA and update any default or weak administrative credentials.
  • Watch for unusual POST requests to quarantine pages (in particular POSTs from untrusted source addresses, or to paths your users never post to), unexpected outbound connections or tunnels originating from the appliance, and anomalous command activity.
  • If any of these indicators are present, immediately isolate the device, rebuild it from a clean image, and rotate all associated passwords, tokens, and certificates. Do not rely on a reboot or a configuration change to remove the intruder, since the observed persistence survives both.
  • Follow Cisco advisories closely and apply fixes as soon as possible.
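The monitoring recommendation above is easiest to act on with a concrete hunt. The script below is an added example written for this advisory, not Cisco or Barracuda tooling: it reads web-access log lines in Common Log Format and flags POST requests to the quarantine listener that come from outside a trusted address set or that target a path legitimate quarantine users never post to. The sample log lines, the trusted networks, and the expected paths (`/login`, `/Search`, `/Release`) are constructed assumptions; replace them with the address ranges and the endpoints seen in your own pre-November baseline before relying on the output.

```python
"""
Hunt for suspicious POST requests against an exposed Spam Quarantine listener.

Added example for this advisory (not Cisco or Barracuda code). The log format,
the trusted networks and the expected POST paths are assumptions; tune them to
the logs and baseline of the appliance you are investigating.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample in Common Log Format. Addresses are from documentation
# ranges; the paths are invented and do not reflect real AsyncOS endpoints.
SAMPLE_LOG = """\
10.0.5.23 - - [01/Dec/2025:09:14:02 +0000] "GET /login HTTP/1.1" 200 1432
10.0.5.23 - - [01/Dec/2025:09:14:09 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.77 - - [01/Dec/2025:09:31:44 +0000] "POST /login HTTP/1.1" 200 512
203.0.113.77 - - [01/Dec/2025:09:31:45 +0000] "POST /login HTTP/1.1" 200 512
198.51.100.9 - - [01/Dec/2025:11:02:13 +0000] "POST /images/cache.gif HTTP/1.1" 200 88
198.51.100.9 - - [01/Dec/2025:11:02:20 +0000] "POST /images/cache.gif HTTP/1.1" 200 91
10.0.8.4 - - [01/Dec/2025:11:05:02 +0000] "POST /images/cache.gif?x=1 HTTP/1.1" 200 90
"""

# Assumption: only these networks should ever reach the quarantine listener.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumption: the only paths a legitimate quarantine user POSTs to. Build this
# set from your own baseline; a passive backdoor bolted onto the web interface
# will answer POSTs on a path that never appears in that baseline.
EXPECTED_POST_PATHS = {"/login", "/Search", "/Release"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)\s*$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one CLF line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["path"].split("?", 1)[0]  # drop query string
    return entry


def is_trusted(ip_text: str, trusted_networks) -> bool:
    """True when the source address falls inside an allowed network."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable source is never trusted
    return any(addr in net for net in trusted_networks)


def hunt(log_text: str,
         trusted_networks=TRUSTED_NETWORKS,
         expected_paths=EXPECTED_POST_PATHS) -> List[Dict[str, object]]:
    """Return one finding per POST that is either externally sourced or
    aimed at a path outside the expected set (or both)."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["method"] != "POST":
            continue
        reasons = []
        if not is_trusted(entry["ip"], trusted_networks):
            reasons.append("untrusted_source")
        if entry["path"] not in expected_paths:
            reasons.append("unexpected_path")
        if reasons:
            findings.append({
                "ip": entry["ip"],
                "path": entry["path"],
                "ts": entry["ts"],
                "status": entry["status"],
                "reasons": reasons,
            })
    return findings


def summarize(findings) -> Counter:
    """Count findings per (source, path) so repeated beaconing stands out."""
    return Counter((f["ip"], f["path"]) for f in findings)


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['ip']} POST {f['path']} -> {', '.join(f['reasons'])}")
    for (ip, path), n in summarize(results).most_common():
        print(f"{n}x {ip} {path}")
```

Run it against the exported access log of the quarantine interface (after restricting the listener, the internal pivot case still matters: the `10.0.8.4` line shows a trusted-network source hitting an unexpected path, which the path rule catches even though the source rule does not). Pair the hits with outbound connection records from the firewall for the same appliance address.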

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.