A maximum-severity zero-day vulnerability in Cisco's AsyncOS software has been disclosed to users. A China-nexus advanced persistent threat (APT) actor tracked as UAT-9686 has been actively exploiting it. The vulnerability, tracked as CVE-2025-20393, carries a CVSS score of 10.0 and was unpatched at the time of disclosure.

The flaw stems from improper input validation and lets a remote attacker execute arbitrary commands with elevated privileges on the underlying operating system. It resides in Cisco's AsyncOS software, which runs on the Secure Email Gateway and Secure Email and Web Manager appliances, and has prompted the U.S. Department of Homeland Security to issue a warning about it.

Affected users are advised to return their appliances to a secure configuration and to restrict their exposure to the internet. Separately, around the time of the disclosure, GreyNoise reported discovering a "coordinated, automated credential-based campaign" against Palo Alto Networks GlobalProtect portals: more than 10,000 distinct IP addresses are estimated to have attempted automated logins against portals in the United States, Pakistan, and Mexico.

As of December 12, 2025, a comparable rise in opportunistic brute-force login attempts has been observed against Cisco SSL VPN endpoints, originating from 1,273 IP addresses. Censys, for its part, reports 220 internet-exposed Cisco Secure Email Gateway instances, not all of which are necessarily vulnerable.

The vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, which requires Federal Civilian Executive Branch agencies to apply the necessary mitigations by December 24, 2025, in order to protect their networks. GreyNoise stressed that the login activity it observed is distinct from exploitation of the flaw: "The activity reflects large-scale scripted login attempts, not vulnerability exploitation," the threat intelligence firm stated.
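The credential-based activity described above (many distinct source IPs making a few scripted login attempts each) is a different pattern from a single-source brute force, and a log-based check can tell the two apart. The following is an added example, not code from the article, GreyNoise, Censys or Cisco; it assumes a constructed, generic log line format (`<ISO-8601 timestamp> <source IP> <target> <username> <OK|FAIL>`) rather than any real appliance's syslog format, and the thresholds (`window_seconds`, `min_sources`, `max_benign_failures`) are assumptions to be tuned per environment.

```python
"""Classify failed-login activity per target as a distributed, credential-based
campaign, a concentrated brute force, or nothing notable.

Added example; not code from the article, GreyNoise, Censys, Cisco or any other
party named on the page. The log format below is a constructed, generic one
("<ISO-8601 timestamp> <source IP> <target> <username> <OK|FAIL>"), not the
real syslog format of any Cisco or Palo Alto Networks product, and the
thresholds are assumptions to be tuned per environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log; addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-12-12T10:00:01Z 203.0.113.10 vpn-portal admin FAIL
2025-12-12T10:00:03Z 203.0.113.11 vpn-portal admin FAIL
2025-12-12T10:00:05Z 203.0.113.12 vpn-portal test FAIL
2025-12-12T10:00:09Z 203.0.113.13 vpn-portal admin FAIL
2025-12-12T10:00:14Z 203.0.113.14 vpn-portal guest FAIL
2025-12-12T10:00:20Z 203.0.113.15 vpn-portal admin FAIL
2025-12-12T10:00:22Z 203.0.113.10 vpn-portal root FAIL
2025-12-12T10:01:00Z 198.51.100.7 vpn-portal jdoe OK
2025-12-12T10:05:00Z 192.0.2.55 mail-gw admin FAIL
2025-12-12T10:05:03Z 192.0.2.55 mail-gw admin FAIL
2025-12-12T10:05:06Z 192.0.2.55 mail-gw admin FAIL
2025-12-12T10:05:09Z 192.0.2.55 mail-gw admin FAIL
2025-12-12T10:05:12Z 192.0.2.55 mail-gw admin FAIL
2025-12-12T10:05:15Z 192.0.2.55 mail-gw admin FAIL
2025-12-12T10:05:18Z 192.0.2.55 mail-gw admin FAIL
2025-12-12T10:05:21Z 192.0.2.55 mail-gw admin FAIL
2025-12-12T11:30:00Z 198.51.100.9 intranet bob FAIL
2025-12-12T11:30:05Z 198.51.100.9 intranet bob FAIL
2025-12-12T11:30:20Z 198.51.100.9 intranet bob OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<target>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Return (timestamp, source_ip, target, username, result) tuples sorted by time.
    Lines that do not match the assumed format are skipped rather than guessed at."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["target"], m["user"], m["result"]))
    return sorted(events)


def classify_targets(text, window_seconds=600, min_sources=5, max_benign_failures=3):
    """For each target, find the sliding window of failed logins with the most
    distinct source IPs and label it:
      distributed_credential_campaign  many sources, few attempts each
                                       (the scripted, credential-based pattern)
      concentrated_brute_force         one or a few sources hammering a target
      none                             below both thresholds
    """
    failures = defaultdict(list)
    for ts, src, target, user, result in parse_log(text):
        if result == "FAIL":
            failures[target].append((ts, src, user))

    verdicts = {}
    for target, fails in failures.items():
        best = None
        start = 0
        for end in range(len(fails)):
            # advance the window start until the window fits in window_seconds
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            window = fails[start:end + 1]
            per_source = defaultdict(int)
            users = set()
            for _, src, user in window:
                per_source[src] += 1
                users.add(user)
            stats = {
                "sources": len(per_source),
                "failures": len(window),
                "max_per_source": max(per_source.values()),
                "users": sorted(users),
            }
            if best is None or (stats["sources"], stats["failures"]) > (best["sources"], best["failures"]):
                best = stats
        if best["sources"] >= min_sources:
            best["kind"] = "distributed_credential_campaign"
        elif best["failures"] > max_benign_failures:
            best["kind"] = "concentrated_brute_force"
        else:
            best["kind"] = "none"
        verdicts[target] = best
    return verdicts


if __name__ == "__main__":
    for target, v in classify_targets(SAMPLE_LOG).items():
        print(f"{target}: {v['kind']} (sources={v['sources']}, failures={v['failures']}, "
              f"max_per_source={v['max_per_source']}, users={','.join(v['users'])})")
```

Run as a script to see the verdict for each target in the constructed sample; adapt `LINE_RE` to the real format before pointing it at production logs. The check only distinguishes login patterns: it says nothing about whether CVE-2025-20393 itself is being exploited, which is exactly the distinction GreyNoise drew between scripted login attempts and vulnerability exploitation.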