The Register

Cisco finally fixes max-severity bug under active attack for weeks

Cisco finally delivered a fix for a maximum-severity bug in AsyncOS that has been under attack for at least a month.

The networking giant disclosed the vulnerability, tracked as CVE-2025-20393, on December 17. It affects some Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. Cisco first became aware of attackers targeting the appliances on December 10.

“This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance,” according to Cisco’s security advisory. “The ongoing investigation has revealed evidence of a persistence mechanism implanted by the threat actors to maintain a degree of control over compromised appliances.”

In a subsequent report, Cisco’s threat intel arm Talos blamed the intrusions on UAT-9686, a China-linked threat group, and said the attacks have been ongoing “since at least late November 2025.”

At the time, Cisco had no timeline for a fix and did not tell The Register how many appliances had been compromised.

On Thursday, Cisco notified customers that it had released software updates to address the security issue.

“These updates also remove persistence mechanisms that may have been installed during a related cyberattack campaign,” a Cisco spokesperson said in a statement emailed to The Register. “Cisco strongly recommends that affected customers upgrade to an appropriate fixed software release, as outlined in the updated security advisory. Customers needing support should contact the Cisco Technical Assistance Center.”

We asked (again) how many appliances attackers have infected and did not receive any response. But at least now there’s a plug to keep the intruders out. ®
