Particle.news

Cisco Releases Fix for AsyncOS Zero-Day Exploited on Secure Email Appliances

Exploitation is attributed to China-linked UAT-9686, with attacks relying on internet-exposed Spam Quarantine.

Overview

  • Patches for CVE-2025-20393 (CVSS 10.0) are now available for Secure Email Gateway and Secure Email and Web Manager, closing a remote command execution flaw that allowed root access.
  • Cisco says the updates also remove persistence mechanisms implanted by the attackers during the campaign.
  • Talos reports activity since at least late November 2025 featuring the AquaShell backdoor, ReverseSSH/AquaTunnel and Chisel tunneling tools, and the AquaPurge log wiper.
  • Successful exploitation required a vulnerable AsyncOS release with Spam Quarantine enabled and exposed to the internet.
  • Cisco is urging immediate upgrades plus hardening steps such as firewalling access, disabling unneeded services like HTTP admin, monitoring logs, enforcing strong authentication, and changing default passwords, while the scope of infections remains undisclosed.