The Root of the Matter: Cisco Patches 10.0 Severity Flaw Exploited by China-Linked APT
Cisco has patched a maximum-severity vulnerability in AsyncOS that has been under active exploitation for at least a month.
The company first disclosed CVE-2025-20393 on December 17, noting that it affects specific Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. Cisco first became aware of the ongoing attacks against these devices on December 10.
According to the company's security bulletin, exploitation allows an attacker to execute arbitrary commands with root privileges on the underlying operating system of a vulnerable appliance. Investigations also uncovered a persistence mechanism that the attackers installed to retain covert control over compromised systems.
Cisco Talos, the company's threat intelligence division, has attributed the intrusions to the UAT-9686 group, a collective purportedly linked to Chinese interests. Researchers indicate that the attacks have been under way since at least late November 2025. At the time of the initial disclosure, Cisco did not give a definitive timeline for a fix or state the exact number of compromised units.
On Thursday, the company notified customers that critical security updates are available. The patches are designed not only to fix the vulnerability but also to remove any persistence mechanisms established during the earlier attacks. Cisco urges affected customers to upgrade to the fixed software versions. Those who need further assistance are encouraged to contact the Cisco Technical Assistance Center (TAC). Cisco has still not said how many devices were infected, but administrators now have the updates they need to protect their infrastructure against this vulnerability.