​Cisco warned customers today of an unpatched, maximum-severity Cisco AsyncOS zero-day actively exploited in attacks targeting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances.

This yet-to-be-patched zero-day (CVE-2025-20393) affects only Cisco SEG and Cisco SEWM appliances with non-standard configurations, when the Spam Quarantine feature is enabled and exposed on the Internet.

Cisco Talos, the company's threat intelligence research team, believes a Chinese threat group tracked as UAT-9686 is behind attacks abusing this security flaw to execute arbitrary commands with root and deploy AquaShell persistent backdoors, AquaTunnel and Chisel reverse SSH tunnel malware implants, and a log-clearing tool named AquaPurge. Indicators of compromise are available in this GitHub repository.

AquaTunnel and other malicious tools used in these attacks have also been linked in the past with other Chinese state-backed hacking groups such as UNC5174 and APT41.

"We assess with moderate confidence that the adversary, who we are tracking as UAT-9686, is a Chinese-nexus advanced persistent threat (APT) actor whose tool use and infrastructure are consistent with other Chinese threat groups," Cisco Talos said in a Wednesday advisory.

"As part of this activity, UAT-9686 deploys a custom persistence mechanism we track as AquaShell accompanied by additional tooling meant for reverse tunneling and purging logs."

While the company spotted these attacks on December 10, the campaign has been active since at least late November 2025.

Restrict access to vulnerable appliances

While Cisco has yet to release security updates to address this zero-day flaw, the company advised administrators to secure and restrict access to vulnerable appliances. Recommendations include limiting internet access, restricting connections to trusted hosts, and placing appliances behind firewalls to filter traffic.

Admins should also separate mail-handling and management functions, monitor web logs for unusual activity, and retain logs for investigations.

It's also advised to disable unnecessary services, keep systems up to date with the latest Cisco AsyncOS software, implement strong authentication methods such as SAML or LDAP, change default passwords, and use SSL or TLS certificates to secure management traffic.

Cisco asked customers who want to check whether their appliances have already been compromised to open a Cisco Technical Assistance Center (TAC) case, and it strongly recommends following the guidance in the Recommendations section of today's security advisory.

"If an appliance has been identified as having the web management interface or the Spam Quarantine port exposed to and reachable from the internet, Cisco strongly recommends following a multi-step process to restore the appliance to a secure configuration, when possible," Cisco warned.

"If restoring the appliance is not possible, Cisco recommends contacting TAC to check whether the appliance has been compromised. In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors persistence mechanism from the appliance."