Cisco patches 0-day RCE in Secure Email Gateway
Cisco released fixes for CVE-2025-20393 (CVSS 10) in AsyncOS for Secure Email Gateway and Secure Email & Web Manager after confirming a China-linked APT (UAT-9686) had exploited it as a zero-day. The flaw stems from insufficient HTTP request validation in the Spam Quarantine feature and can yield root-level command execution if the feature is internet-exposed. Cisco also detailed attacker tooling (ReverseSSH/AquaTunnel, Chisel, AquaPurge, a Python backdoor “AquaShell”) and listed fixed versions across 15.x–16.x trains, alongside hardening guidance (segmentation, disable HTTP admin, turn off unused services).
Cisco has shipped emergency fixes for a maximum-severity bug in its Secure Email Gateway and Secure Email & Web Manager. The issue, CVE-2025-20393 (CVSS 10), lurks in the Spam Quarantine component and—if that feature is exposed to the internet—lets attackers run commands as root. That’s not a great look for a device meant to keep bad emails out.
What actually went wrong
A flaw in HTTP request validation meant crafted requests could hop straight into the underlying OS. Cisco says a China-nexus actor, UAT-9686, had been exploiting the weakness since late November 2025, dropping tunnelling tools and a lightweight Python backdoor (“AquaShell”) to persist. If your gateway is reachable from the open web with Spam Quarantine enabled, you were in the danger zone.
Fixed versions & quick wins
Patches are available across supported AsyncOS trains (15.x–16.x). Beyond updating, Cisco urges the basics: keep the appliance behind a firewall, disable HTTP on the admin portal, turn off unused network services, and enforce strong, federated authentication (SAML/LDAP). Also review logs for odd outbound traffic—these appliances shouldn’t be chatting to the world in unusual ways.
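The "review logs for odd outbound traffic" advice can be turned into a small triage script. The following is an added example, not Cisco's code or guidance; the log format, the gateway address, the internal network range and the update-host allowlist are all constructed assumptions, so adapt them to the real firewall export and the real appliance before use.

```python
import ipaddress
from collections import Counter

# Constructed sample firewall log (not real appliance or firewall output):
# timestamp src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
2025-11-30T01:02:03Z 10.0.5.10 51001 203.0.113.25 25 tcp
2025-11-30T01:02:04Z 10.0.5.10 51002 10.0.5.53 53 udp
2025-11-30T01:02:05Z 10.0.5.10 51003 198.51.100.7 443 tcp
2025-11-30T01:02:06Z 10.0.5.10 51004 198.51.100.7 443 tcp
2025-11-30T01:05:00Z 10.0.5.10 51005 192.0.2.44 22 tcp
2025-11-30T01:05:30Z 10.0.5.10 51006 192.0.2.44 8443 tcp
2025-11-30T01:06:00Z 10.0.5.11 51007 203.0.113.25 25 tcp
"""

GATEWAY_IP = "10.0.5.10"                             # assumed gateway address
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
EXPECTED_PORTS = {25, 53}                            # outbound SMTP and DNS are normal
UPDATE_HOSTS = {"198.51.100.7"}                      # assumed vendor update/feed hosts


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def unusual_outbound(log_text, gateway_ip=GATEWAY_IP):
    """Return (timestamp, dst_ip, dst_port, proto) for gateway-originated
    connections that do not fit the mail-gateway profile: anything to an
    external host that is not SMTP, DNS, or HTTPS to a known update host."""
    findings = []
    for line in log_text.splitlines():
        ts, src, _sport, dst, dport, proto = line.split()
        if src != gateway_ip or is_internal(dst):
            continue                      # only external traffic from the gateway
        dport = int(dport)
        if dport in EXPECTED_PORTS:
            continue
        if dport == 443 and dst in UPDATE_HOSTS:
            continue
        findings.append((ts, dst, dport, proto))   # e.g. SSH or odd ports: tunnel candidates
    return findings


def by_destination(findings):
    """Count flagged connections per external host, so a single host that the
    gateway keeps reaching back to stands out for investigation."""
    return dict(Counter(dst for _ts, dst, _port, _proto in findings))


if __name__ == "__main__":
    hits = unusual_outbound(SAMPLE_LOG)
    for hit in hits:
        print("unusual outbound:", hit)
    print("per destination:", by_destination(hits))
```

A hit on port 22 or on an arbitrary high port from the gateway is exactly the kind of traffic the tunnelling tools named above would produce, and is worth pulling the appliance's own logs for.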
Why you should care
Email gateways remain prime real estate for attackers: high privilege, lots of traffic, and often overlooked in hardening programmes. Treat them like any other high-value asset—strict network boundaries, minimal features enabled, and prompt patching.
Action for admins today: patch to the listed fixed builds, confirm Spam Quarantine exposure is removed, rotate creds, and audit for the named tooling/backdoor indicators. Then schedule a retest.