Cisco 0-Day RCE Secure Email Gateway Vulnerability Exploited in the Wild

By Jennifer Sherman, January 16, 2026

Cisco has confirmed active exploitation of a critical zero-day remote code execution vulnerability impacting its Secure Email Gateway and Secure Email and Web Manager appliances.

Tracked as CVE-2025-20393, the flaw allows unauthenticated attackers to execute arbitrary root-level commands via crafted HTTP requests to the Spam Quarantine feature.

The vulnerability stems from insufficient validation of HTTP requests in the Spam Quarantine feature of Cisco AsyncOS Software, enabling remote command execution with root privileges on affected appliances.

Classified under CWE-20 (Improper Input Validation), it carries the maximum CVSS v3.1 base score of 10.0, reflecting network accessibility, low attack complexity, and full impact on confidentiality, integrity, and availability.

Exploitation targets appliances where the Spam Quarantine feature is enabled and exposed to the internet (typically on TCP port 6025), a configuration that is not enabled by default and that Cisco's deployment guides discourage.

CVE ID:        CVE-2025-20393
CVSS Score:    10.0
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE ID:        CWE-20
Bug IDs:       CSCws36549, CSCws52505

Cisco became aware of the attacks on December 10, 2025, with evidence of exploitation dating back to November 2025.

Exploitation Campaign and Threat Actor

Cisco Talos attributes the campaign to UAT-9686 (also UNC-9686), a China-nexus advanced persistent threat actor, with moderate confidence based on tooling overlaps with groups like APT41 and UNC5174.

Attackers deploy a Python-based backdoor called AquaShell for persistent remote access, alongside reverse SSH tunneling tools like AquaTunnel and Chisel for internal pivoting, and AquaPurge for log wiping to evade detection. Targets include telecommunications and critical infrastructure sectors, with post-exploitation focusing on espionage rather than ransomware.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog on December 17, 2025, requiring federal agencies to remediate it by December 24, 2025. No public proof-of-concept exploit exists as of January 2026, but automated scanning for exposed appliances has increased.

Indicators of compromise include the implanted persistence mechanism, which gives the attackers a covert channel for remote access; Cisco recommends having its Technical Assistance Center (TAC) verify appliances, which requires enabling remote access for TAC support.

Mitigation and Fixed Releases

Cisco has released patches that address the vulnerability and remove the known persistence mechanisms; no workarounds exist. Administrators should upgrade immediately and confirm whether Spam Quarantine is enabled in the web interface under Network > IP Interfaces.

Cisco Secure Email Gateway Fixed Releases

Vulnerable Release    First Fixed Release
14.2 and earlier      15.0.5-016
15.0                  15.0.5-016
15.5                  15.5.4-012
16.0                  16.0.4-016

Cisco Secure Email and Web Manager Fixed Releases

Vulnerable Release    First Fixed Release
15.0 and earlier      15.0.2-007
15.5                  15.5.4-007
16.0                  16.0.4-010
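To turn the two fixed-release tables above into a repeatable check across a fleet, here is an added Python example (not Cisco's tooling). It transcribes the tables as data and compares a running AsyncOS version against the first fixed release of its release train. The assumptions are that versions follow the major.minor.patch-build shape shown in the tables, that "major.minor" identifies a train, and that the CLI `version` output contains a "Version:" line; the sample output embedded below is constructed, not captured from a real appliance.

```python
"""Check an AsyncOS version against the CVE-2025-20393 fixed-release tables.

Added example, not Cisco's code. Version-string shape, the "train"
(major.minor) concept and the "Version:" line in CLI output are assumptions.
"""
import re
from typing import Optional, Tuple

# First fixed release per vulnerable train, transcribed from the advisory tables.
# Trains older than the lowest entry fall under the "and earlier" rows.
FIXED_RELEASES = {
    "Secure Email Gateway": {
        (15, 0): "15.0.5-016",
        (15, 5): "15.5.4-012",
        (16, 0): "16.0.4-016",
    },
    "Secure Email and Web Manager": {
        (15, 0): "15.0.2-007",
        (15, 5): "15.5.4-007",
        (16, 0): "16.0.4-010",
    },
}

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch][-build]' into a comparable tuple.

    Missing patch or build fields count as zero, so '15.5' < '15.5.4-007'.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version: {text!r}")
    major, minor, patch, build = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch, build)


def assess(product: str, running: str) -> Tuple[str, Optional[str]]:
    """Return (status, first_fixed); status is 'vulnerable', 'fixed' or 'unknown'."""
    if product not in FIXED_RELEASES:
        raise ValueError(f"no fixed-release table for {product!r}")
    table = FIXED_RELEASES[product]
    ver = parse_version(running)
    train = ver[:2]
    oldest_train = min(table)

    if train < oldest_train:
        # "14.2 and earlier" / "15.0 and earlier": every older train is affected,
        # and the first fixed release is the oldest train's fix.
        return ("vulnerable", table[oldest_train])
    if train in table:
        fixed = table[train]
        return ("vulnerable" if ver < parse_version(fixed) else "fixed", fixed)
    # A train the advisory tables do not list: do not guess either way.
    return ("unknown", None)


def extract_version(cli_output: str) -> str:
    """Pull the version string out of 'version' command output (assumed format)."""
    m = re.search(r"^Version:\s*(\S+)", cli_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Version:' line found in CLI output")
    return m.group(1)


# Constructed sample of 'version' output; not from a real appliance.
SAMPLE_VERSION_OUTPUT = """\
Product: Cisco Secure Email Gateway Virtual (constructed sample)
Model: C600V
Version: 15.0.3-002
"""

if __name__ == "__main__":
    running = extract_version(SAMPLE_VERSION_OUTPUT)
    status, fixed = assess("Secure Email Gateway", running)
    print(f"{running}: {status} (first fixed release: {fixed})")
```

The "unknown" result is deliberate: a train the advisory does not list (say a hypothetical 16.5) should be resolved against Cisco's current advisory rather than assumed safe or vulnerable by a script.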

Additional hardening includes placing the appliance behind a firewall, separating the mail and management interfaces, disabling unnecessary services such as HTTP and FTP, and using strong authentication mechanisms such as SAML or LDAP.

Cisco Secure Email Cloud services are unaffected. Organizations should forward appliance logs to an external collector and monitor them there, since the attackers' tooling wipes logs on the appliance itself, and should contact TAC for a compromise assessment.
