Cisco has issued a fix for a critical vulnerability in its AsyncOS software, which has been under active attack for at least a month. The vulnerability, identified as CVE-2025-20393, affects specific models of the Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances.
Details of the Vulnerability
Cisco disclosed the issue on December 17, after becoming aware of active exploitation on December 10. According to Cisco’s security advisory, the vulnerability allows attackers to execute arbitrary commands with root privileges on the affected appliances. The investigation has also uncovered a persistence mechanism that attackers may use to maintain control over compromised systems.
Attribution and Ongoing Threats
Cisco’s threat intelligence division, Talos, has attributed the attacks to a China-linked group known as UAT-9686, indicating that these intrusions have been ongoing since at least late November 2025. Despite inquiries, Cisco has not disclosed how many appliances have been compromised.
Mitigation Measures
On January 15, Cisco announced the release of software updates to address the vulnerability. These updates not only fix the security issue but also aim to eliminate any persistence mechanisms that may have been installed during the attack. A Cisco spokesperson emphasized the importance of affected customers upgrading to the appropriate fixed software release as outlined in the updated security advisory.
Customer Support and Recommendations
Cisco strongly advises customers needing assistance to contact the Cisco Technical Assistance Center. While the company has provided a fix for the vulnerability, the extent of the compromise remains unclear, as it has not responded to requests for information regarding the number of affected appliances.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.