(TLP:CLEAR) Cisco Zero-Day Actively Exploited in Cisco Secure Email Gateway and Secure Email and Web Manager, China-Nexus Actors Suspected
Created: Thursday, December 18, 2025 - 14:05
Categories: Cybersecurity, Security Preparedness
ACTION MAY BE REQUIRED for utilities running Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. Utilities that outsource technology support may need to consult with their service providers for assistance with remediation actions. For mitigation guidance, see Cisco's security advisory.
Summary: Last week, Cisco issued an alert about an attack campaign targeting a limited subset of its appliances that run Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager and have certain ports exposed to the internet. Cisco has indicated that it has moderate confidence that the adversary, tracked as UAT-9686, is a China-nexus advanced persistent threat (APT) actor whose tool use and infrastructure are consistent with other Chinese threat groups. The vulnerability is being tracked as CVE-2025-20393 and has a CVSS score of 10.0 (CVSS v3.1).
Analyst Note: WaterISAC strongly encourages members to follow the guidance outlined in Cisco’s security advisory and review it regularly. While Cisco has mentioned there are no workarounds at this time, they do include recommendations to help customers harden their appliances, as well as a multi-step process to restore appliances to a secure configuration. Cisco will continue to update its guidance while the investigation remains ongoing.
China-nexus threat actors have shown increased interest in U.S. critical infrastructure, as well as the capability to remain undetected in target systems for extended periods of time. If your utility runs the Cisco AsyncOS software with the ports mentioned above exposed, your appliances are easily identifiable by these threat actors over the internet, and the likelihood of attack rises significantly. Additional guidance, including IOCs and more in-depth analysis of this vulnerability, can be found on the Cisco Talos blog.
Original Source: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
Additional Reading:
Mitigation Recommendations:
- Reports About Cyberattacks Against Cisco Secure Email Gateway and Cisco Secure Email and Web Manager
- UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager
Related WaterISAC PIRs: 6, 7, 8, 10, 12
