On December 17, 2025, Cisco published an advisory detailing a new threat campaign identified on December 10, affecting the Cisco AsyncOS software used on Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The campaign is exploiting an unpatched zero-day vulnerability, which only affects deployments with the Spam Quarantine feature enabled. It allows threat actors to execute arbitrary commands with root privileges on affected devices. This feature is not enabled by default.
In their investigation into this campaign, Cisco Talos identified evidence demonstrating that threat actors had deployed AquaShell — a Python-based backdoor used to maintain persistence over compromised appliances. Cisco Talos attributes the campaign to a threat actor they refer to as UAT-9686, which is assessed with moderate confidence to be a China-affiliated actor.
Upon learning of the campaign, Arctic Wolf began monitoring for known indicators of compromise and contacted any customers with matches. If any malicious activity is identified, Arctic Wolf® Managed Detection and Response (MDR) customers will be alerted accordingly.
Cisco has indicated that they will continue to investigate this campaign and will update their advisory as new details emerge.
Vulnerability Scope
This campaign affects both physical and virtual deployments of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances when these conditions apply:
- The appliance uses the Spam Quarantine feature
- The Spam Quarantine feature is accessible from the internet
The Spam Quarantine feature is not enabled by default, and Cisco notes that its official deployment guides do not require the feature to be exposed to the public internet.
Cisco has stated that it has confirmed all devices that are part of Cisco Secure Email Cloud are not affected, and that it is not aware of any exploitation activity against Cisco Secure Web.
Recommendations for CVE-2025-20393
Remove Spam Quarantine Port From Public Internet and Filter Traffic to Appliances
Cisco recommends that the Spam Quarantine service be configured so that it is not exposed to the public internet. Organizations should configure any such deployments to restrict access to trusted hosts only. By default, this service runs on port 6025.
Cisco also recommends that all traffic to and from the Secure Email Gateway is filtered through a firewall, only allowing connections from trusted hosts. This further limits the potential for exploitation.
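The two recommendations above reduce to one checkable condition: no firewall or ACL rule in front of the appliance may allow an untrusted source to reach the Spam Quarantine port (TCP/6025 by default). The following script is an added example, not code from Cisco or Arctic Wolf; it audits a constructed rule list against a constructed set of trusted management networks and reports the rules that expose the port, alongside a hardened rule set that passes the same check. The rule format and the network ranges are assumptions for illustration only.

```python
"""Audit firewall/ACL rules for exposure of the Spam Quarantine port.

Added example. The Rule format, the trusted networks and the sample rule
sets below are constructed for illustration; they are not a Cisco or
Arctic Wolf format. The default port (6025) is the one the advisory names.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SPAM_QUARANTINE_PORT = 6025  # default Spam Quarantine service port

# Constructed: internal management networks allowed to reach the quarantine UI.
TRUSTED_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    src: str                  # source CIDR ("0.0.0.0/0" means any source)
    dst_port: Optional[int]   # None means the rule matches every port


def is_trusted_source(src_cidr: str) -> bool:
    """True only if the whole source range lies inside one trusted network.

    A range that merely overlaps a trusted network (e.g. 0.0.0.0/0 or a
    broad RFC 1918 block) is not trusted, because it also admits hosts
    outside the management networks.
    """
    net = ipaddress.ip_network(src_cidr, strict=False)
    return any(
        net.subnet_of(trusted)
        for trusted in TRUSTED_NETS
        if trusted.version == net.version
    )


def rule_matches_port(rule: Rule, port: int) -> bool:
    """A rule with dst_port None applies to every port, including `port`."""
    return rule.dst_port is None or rule.dst_port == port


def find_exposures(rules: List[Rule], port: int = SPAM_QUARANTINE_PORT) -> List[str]:
    """Return names of allow rules that let an untrusted source reach `port`."""
    return [
        r.name
        for r in rules
        if r.action == "allow"
        and rule_matches_port(r, port)
        and not is_trusted_source(r.src)
    ]


# Constructed "before" rule set: quarantine reachable from anywhere, and a
# branch range allowed on all ports, which silently includes 6025.
SAMPLE_RULES = [
    Rule("mgmt-https", "allow", "10.20.0.0/16", 443),
    Rule("quarantine-any", "allow", "0.0.0.0/0", SPAM_QUARANTINE_PORT),
    Rule("branch-all-ports", "allow", "172.16.0.0/12", None),
    Rule("smtp-in", "allow", "0.0.0.0/0", 25),  # mail delivery, not in scope
    Rule("deny-all", "deny", "0.0.0.0/0", None),
]

# Constructed "after" rule set: quarantine only from trusted networks,
# SMTP still open for inbound mail, everything else denied.
HARDENED_RULES = [
    Rule("quarantine-mgmt-a", "allow", "10.20.0.0/16", SPAM_QUARANTINE_PORT),
    Rule("quarantine-mgmt-b", "allow", "192.168.50.0/24", SPAM_QUARANTINE_PORT),
    Rule("mgmt-https", "allow", "10.20.0.0/16", 443),
    Rule("smtp-in", "allow", "0.0.0.0/0", 25),
    Rule("deny-all", "deny", "0.0.0.0/0", None),
]


if __name__ == "__main__":
    for label, rules in (("before", SAMPLE_RULES), ("after", HARDENED_RULES)):
        exposures = find_exposures(rules)
        status = "EXPOSED" if exposures else "ok"
        print(f"{label}: {status} {exposures}")
```

The check treats a source as trusted only when its entire range sits inside a trusted management network, so broad allow rules (any-source, or a large private block on all ports) are flagged even though they overlap the trusted ranges; those are exactly the rules that leave port 6025 reachable from hosts the deployment guide never intended.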
Apply Patches When They Are Made Available
Cisco has not yet released security updates for this vulnerability, but is expected to do so within the coming weeks. Arctic Wolf strongly recommends monitoring Cisco's advisory and applying patches when they are made available.
Configure the Arctic Wolf MDR Integration
If your organization uses the affected products and you are a customer of Arctic Wolf Managed Detection and Response, it is strongly recommended that you configure the Cisco Secure Email Gateway integration to provide Arctic Wolf with visibility into potentially malicious activity.
Contact Cisco TAC for Support
Cisco encourages customers who wish to determine whether their appliances may have been compromised to open a Cisco Technical Assistance Center (TAC) case.
Apply General Security Hardening to Limit Exposure
In addition to the above recommendations, Cisco provides a list of hardening recommendations to help better secure appliances:
- Block internet access to appliances unless absolutely required; if needed, restrict to trusted hosts and approved ports/protocols
- Place appliances behind a firewall (preferably two-layered) and filter all inbound/outbound traffic to allow only known, trusted sources
- Separate mail-handling and management interfaces on Cisco Secure Email Gateway to limit internal network exposure
- Monitor logs regularly for unusual activity and store them externally for future investigations
- Disable unnecessary services such as HTTP and FTP, including HTTP access to the admin portal
- Upgrade to the latest Cisco AsyncOS Software version
- Implement strong authentication methods (e.g., SAML or LDAP)
- Change default administrator passwords and use role-based user accounts for better access control
- Secure management traffic with SSL/TLS certificates from a trusted CA or self-signed options