
Cisco finally fixes max-severity bug under active attack for weeks

(2026/01/16)


Cisco finally delivered a fix for a maximum-severity bug in AsyncOS that has been under attack for at least a month.

The networking giant [1]disclosed the vulnerability, tracked as CVE-2025-20393, on December 17. It affects some Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. Cisco first became aware of attackers targeting the appliances on December 10.

"This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance," according to Cisco’s [2]security advisory. "The ongoing investigation has revealed evidence of a persistence mechanism implanted by the threat actors to maintain a degree of control over compromised appliances."


In a subsequent report, Cisco's threat intel arm Talos blamed the intrusions on UAT-9686, a China-linked threat group, and said the [4]attacks have been ongoing "since at least late November 2025."


At the time, Cisco had no timeline for a fix and did not tell The Register how many appliances had been compromised.

On Thursday, Cisco notified customers that it had released software updates to address the security issue.


"These updates also remove persistence mechanisms that may have been installed during a related cyberattack campaign," a Cisco spokesperson said in a statement emailed to The Register. "Cisco strongly recommends that affected customers upgrade to an appropriate fixed software release, as outlined in the updated security advisory. Customers needing support should contact the [10]Cisco Technical Assistance Center."

We asked (again) how many appliances attackers have infected and did not receive any response. But at least now there's a plug to keep the intruders out. ®




[1] https://www.theregister.com/2025/12/17/attacks_pummeling_cisco_0day/

[2] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4


[4] https://blog.talosintelligence.com/uat-9686/


[6] https://www.theregister.com/2025/12/17/attacks_pummeling_cisco_0day/

[7] https://www.theregister.com/2026/01/08/rcisco_ise_bug_poc/

[8] https://www.theregister.com/2026/01/15/codebuild_flaw_aws/

[9] https://www.theregister.com/2026/01/15/chinese_spies_used_maduros_capture/

[10] https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

[11] https://whitepapers.theregister.com/


