Leading technology company Cisco has disclosed a zero-day vulnerability being exploited in a new campaign. The flaw, tracked as CVE-2025-20393, affects multiple widely used products running Cisco AsyncOS Software: Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances, both physical and virtual. AsyncOS appliances are particularly attractive targets for attackers, as they offer wide access to and control of systems that can enable further malicious activity.
Active Exploitation, Not a Theoretical Risk
The campaign was discovered on December 10th and disclosed by Cisco in a publication a week later, on the 17th. While several products are affected, exploitation requires additional conditions, including that the Spam Quarantine feature, which is not enabled by default, is enabled and reachable from the internet. The flaw enables attackers to execute arbitrary commands with high privileges on targeted appliances.
The investigation into the campaign has observed real-world intrusions installing persistent backdoors for further access. Threat actors have planted persistence mechanisms on compromised appliances to retain access to and control over them. Active exploitation by malicious actors and the establishment of persistent access significantly raise the severity of this vulnerability.
Full Privileges, Full Control
This vulnerability and campaign are concerning as they allow SYSTEM/root-level access, granting attackers the highest level of privilege within compromised systems. Persistence on security appliances is especially dangerous, jeopardizing the very tools and infrastructure in place to protect sensitive systems. The possibility of lateral movement and deeper network compromise poses a significant risk to organizations.
The level of access and privileges obtained by threat actors can have severe consequences on the appliances compromised in these attacks. “Attackers gaining root access to Secure Email and Web Manager appliances, particularly those exposing Spam Quarantine to the Internet, can transform compromised gateways into launchpads for persistent backdoors and lateral movement within a network,” says John Carberry, Solution Sleuth, Xcape.
No Patch, No Cleanup—Only Rebuild
According to Cisco's guidance, there is no patch or workaround for this issue; rebuilding affected appliances is currently the only way to remediate the risk. Traditional incident response playbooks fall short in the face of systemic flaws like this, which compromise security tools themselves and enable persistent access to critical systems.
This has significant operational and trust implications for security teams, undermining major tools used by many organizations. “When Cisco's only remediation is ‘rebuild the appliance from scratch,’ you know the attackers embedded their persistence mechanisms deep,” according to Michael Bell, Founder & CEO, Suzu Labs. “If you're running Cisco Secure Email Gateway or Secure Email and Web Manager with Spam Quarantine exposed to the internet, assume compromise and act accordingly.”
CISA Sounds the Alarm
The United States Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its database of Known Exploited Vulnerabilities (KEVs), highlighting the significance of the flaw and its active exploitation. The KEV designation signals to federal agencies and enterprises alike that the vulnerability is severe enough to require attention and remediation where possible.
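As an added example (not code from Cisco, CISA or this article), a short Python triage helper that applies the exploitation conditions and rebuild guidance described above to an appliance inventory, using the fields of a CISA KEV catalogue record. The KEV record and the inventory are constructed samples, and the catalogue date is a placeholder.

```python
import json
from dataclasses import dataclass

# Constructed sample in the shape of a CISA KEV catalogue record; the CVE id and
# affected products are from the article, dateAdded is a placeholder.
KEV_SAMPLE = json.dumps({"vulnerabilities": [{
    "cveID": "CVE-2025-20393",
    "vendorProject": "Cisco",
    "product": "AsyncOS (Secure Email Gateway; Secure Email and Web Manager)",
    "requiredAction": "Follow vendor guidance: rebuild affected appliances.",
    "dateAdded": "YYYY-MM-DD",
}]})

@dataclass
class Appliance:
    name: str
    software: str             # e.g. "AsyncOS"
    spam_quarantine: bool     # feature enabled (it is off by default)
    internet_reachable: bool  # quarantine interface exposed to the internet

# Constructed inventory: one exposed gateway, one internal manager, one unrelated box.
INVENTORY = [
    Appliance("esa-dmz-01", "AsyncOS", True, True),
    Appliance("sma-core-01", "AsyncOS", True, False),
    Appliance("fw-edge-01", "OtherOS", False, True),
]

def kev_entry(kev_json: str, cve: str):
    """Return the catalogue record for `cve`, or None if it is not listed."""
    for rec in json.loads(kev_json)["vulnerabilities"]:
        if rec["cveID"] == cve:
            return rec
    return None

def triage(inventory, kev_json: str, cve: str = "CVE-2025-20393") -> dict:
    """Classify each appliance against the exploitation preconditions."""
    entry = kev_entry(kev_json, cve)
    verdicts = {}
    for a in inventory:
        if a.software != "AsyncOS":
            verdicts[a.name] = "not affected"
        elif a.spam_quarantine and a.internet_reachable:
            # Preconditions met and the CVE is listed as exploited: no patch exists,
            # so treat the appliance as compromised and apply the KEV action.
            action = entry["requiredAction"] if entry else "rebuild per vendor guidance"
            verdicts[a.name] = f"assume compromised: {action}"
        else:
            verdicts[a.name] = "affected product, preconditions not met: verify config, monitor"
    return verdicts
```

Run `triage(INVENTORY, KEV_SAMPLE)` to get a per-appliance verdict; swap in a live KEV feed document and your real inventory to use it outside the sample.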
The cadence of adding KEVs tied to perimeter and security tooling is indicative of major security gaps that attackers are increasingly taking advantage of. The fact that vulnerabilities like this are being actively exploited by threat actors indicates the appeal of certain tools for exploitation, highlighting where organizations of all kinds should be focusing their attention.
The Bigger Pattern: Trusted Tools as Trojan Horses
The Cisco vulnerability and its active exploitation are not an isolated incident, but part of a larger trend of attackers increasingly abusing legitimate software and security infrastructure. The attack parallels other living-off-the-land and post-exploitation trends in campaigns that establish persistent access on critical systems. Security products now represent concentrated trust and access, with single tools and platforms holding widespread reach that threat actors can take advantage of.
Rethinking Trust in the Security Stack
It is crucial to take such a pervasive flaw as a signal to shift the approach to security, with deeper telemetry and behavioral monitoring of the security tools themselves. Organizations must treat security appliances as high-risk assets, not ones they can assume are safe by default. Future architecture and resilience planning must account for risks like this, recognizing that all tools and appliances must be secured and monitored, lest they fall by the wayside and become attractive targets for attackers.