virus logo Threat Signal Report

Cisco AsyncOS Zero-day

What is the Attack?

Cisco has confirmed the active exploitation of a critical zero-day vulnerability in AsyncOS, tracked as CVE-2025-20393, affecting Cisco Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. The vulnerability allows unauthenticated remote attackers to execute arbitrary operating system commands with root-level privileges, leading to full device compromise. At the time of vendor disclosure on December 17, 2025, Cisco reported that no security patch was available, increasing the risk of widespread exploitation in affected environments.

What is the recommended Mitigation?

Cisco has urged organizations to immediately restrict internet exposure of AsyncOS management and quarantine interfaces, closely monitor for indicators of compromise, and review logs for signs of unauthorized access or tampering.

Organizations suspecting compromise are advised to treat affected appliances as fully breached and perform forensic analysis or rebuild systems as necessary. Continued monitoring is critical until official patches or permanent mitigations are released.

What FortiGuard Coverage is available?

  • FortiGuard Labs is actively monitoring this threat activity and will continue to provide updates as the situation evolves, including new intelligence, indicators, and protection guidance.

  • FortiGuard Web Filtering Service protects against malicious URLs, domains, IPs, and other attacker-controlled infrastructure associated with this campaign, as identified in Cisco’s advisory.

  • FortiAnalyzer, FortiSIEM, and FortiSOAR leverage known Indicators of Compromise (IoCs) delivered through the IoC Service to enhance threat hunting, detection, and automated response against related threat activity. FortiGuard Labs continues to monitor for newly emerging IoCs to ensure proactive protection.

  • Meanwhile, FortiGuard Labs strongly recommends users apply patches as provided by Cisco's Product Security Incident Response Team (PSIRT).

  • Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.

Additional Resources

Cisco Talos Blog


Released Date Dec 18, 2025
Tags Threat Signal Vulnerability Malware
CVE ID
Threat Actor Type Advanced Persistent Threat (APT)

Experienced a Breach? We're here to help

FortiGuard Incident Response Services
FortiGuard Incident Response Services
About FortiGuard Threat Signal

Learn More »