Cisco on Thursday announced patches for a vulnerability in Secure Email Gateway (formerly ESA) and Secure Email and Web Manager (formerly Content SMA) that has been exploited in attacks.
Tracked as CVE-2025-20393 (CVSS score of 10/10), the security defect was disclosed on December 17, one week after Cisco’s Talos researchers observed its in-the-wild exploitation as a zero-day.
“This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance,” Cisco said at the time.
The company said the attacks targeted only a small set of appliances, and attributed the campaign to UAT-9686, a China-linked APT.
On Thursday, Cisco updated its advisory to provide information on the flaw, the affected products, and the available patches.
The flaw affects the Spam Quarantine feature of the AsyncOS software running on Secure Email Gateway and Cisco Secure Email and Web Manager, and exists due to insufficient validation of HTTP requests.
This allows unauthenticated, remote attackers to send crafted HTTP requests to a vulnerable appliance, resulting in arbitrary command execution on the underlying operating system, with root privileges.
The vulnerability was resolved in AsyncOS versions 15.0.5-016, 15.5.4-012, and 16.0.4-016 for Secure Email Gateway, and in AsyncOS versions 15.0.2-007, 15.5.4-007, and 16.0.4-010 for Secure Email and Web Manager.
There are no workarounds for the bug. Users can update their software over the network, via the System Upgrade options available in the appliances’ web-based management interface.
“Cisco recommends upgrading the affected appliances to a fixed software release. The fix addresses the vulnerability used by threat actors and clears the persistence mechanisms that were identified in this attack campaign and installed on the appliances,” Cisco notes.
UAT-9686 has exploited the Cisco zero-day since at least November 2025 to deploy the Python-based backdoor AquaShell, along with the reverse SSH tunnel AquaTunnel (aka ReverseSSH), the Chisel tunneling tool, and the log-clearing utility AquaPurge.
Related: CISA Updates Guidance on Patching Cisco Devices Targeted in China-Linked Attacks
Related: Cisco ISE, CitrixBleed 2 Vulnerabilities Exploited as Zero-Days: Amazon
Related: Exploit for VMware Zero-Day Flaws Likely Built a Year Before Public Disclosure
Related: Hackers Exploit Zero-Day in Discontinued D-Link Devices
