Overview
- The still-unpatched AsyncOS flaw CVE-2025-20393 lets an unauthenticated remote attacker execute commands as root on Cisco Secure Email Gateway and Secure Email and Web Manager appliances; the exploitation path requires the Spam Quarantine feature to be enabled and reachable from the internet.
- Cisco says it learned of the campaign on December 10, 2025, while Talos reports exploitation has been underway since at least late November 2025.
- Post-compromise tooling includes the AquaShell Python backdoor, tunneling via AquaTunnel and the open-source chisel utility, and the AquaPurge log-clearing tool, used together to maintain access and cover tracks.
- Cisco has published indicators of compromise and blocked them across its security portfolio; because the backdoors persist on the appliance, it advises that any confirmed compromise be handled by wiping and rebuilding the affected device rather than cleaning it in place.
- CISA added the CVE to its Known Exploited Vulnerabilities catalog. Internet scans by Shadowserver and Censys put the number of exposed systems in the hundreds, and the exploitation activity observed so far is described as targeted rather than indiscriminate.