
Cisco patches 10.0 bug in leading AsyncOS email products

Cisco on Jan. 15 finally patched a maximum-severity flaw in Cisco AsyncOS software for Cisco Secure Email Gateway and Cisco Secure Email, about a month after the vendor disclosed that the bug was being exploited by the China-linked threat group known as UAT-9686.

The bug, tracked as CVE-2025-20393, was added to the Known Exploited Vulnerabilities (KEV) catalog by the Cybersecurity and Infrastructure Security Agency (CISA) on Dec. 17.

The flaw, rated CVSS 10.0, allows remote command execution with root privileges, so a successful exploit means full control of the appliance rather than a partial foothold, which significantly raises the potential impact for any exposed system.

While security experts said this is a “patch now” situation, they pointed out that it often takes some time for vendors to release a formal patch after a flaw has been actively exploited.

“It’s not uncommon for there to be a gap between disclosure and the availability of a patch for complex infrastructure products,” said Shane Barney, chief information security officer at Keeper Security. “Vendors often need time to fully understand exploit conditions, test fixes across supported versions and ensure updates don’t introduce operational risk. From a defender’s standpoint, though, that window is the most dangerous period — particularly once exploitation is already known.”

Andi Ursry, threat intelligence analyst at Blackpoint Cyber, added that when a max-severity vulnerability is actively exploited and remains unpatched for a month, organizations should assume a high likelihood of compromise, as threat actors have had ample time to weaponize, automate, and scale exploitation.

Ursry said situations like this one highlight that once exploitation is public, defenders are not just racing researchers and emerging PoCs, but also adversaries working to weaponize the vulnerability. Delaying patching shifts risk from hypothetical to probable.

“Once active exploitation begins, patching becomes more than a routine maintenance task; it becomes a risk reduction necessity,” said Ursry. “When immediate patching is not available or possible, defenders should implement heightened monitoring and compensating controls. However, these should be treated as stopgaps, not substitutes for the patch.”
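The KEV listing mentioned earlier and the "assume compromise after a month of exposure" reasoning above lend themselves to a small, repeatable check. The script below is an added example written for this page; it is not Cisco's tooling, nor code from SC Media or the analysts quoted. It matches a host inventory against a KEV-shaped catalog, computes how long each matching host sat exposed after the KEV add date (until it was patched, or until today if it still is not), flags hosts that are past the KEV due date, and marks any host whose exposure window reached 30 days (the article's "a month" heuristic, an assumed threshold) as one to hunt on even if it has since been patched. The JSON field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`) are the ones CISA publishes; the catalog entries, due date, hostnames and patch dates are constructed sample data so the script runs offline.

```python
"""KEV-driven exposure triage (added example; constructed sample data).

Matches an asset inventory against a CISA KEV-shaped catalog and reports,
per affected host, the exposure window since the KEV add date, whether the
host is past the KEV due date, and whether the window is long enough that
prior compromise should be assumed and hunted for.
"""
import json
from datetime import date

# Assumed threshold taken from the article's "actively exploited and
# unpatched for a month" reasoning; tune to your own risk appetite.
ASSUME_COMPROMISE_DAYS = 30

# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json.
# Field names are CISA's; the second entry and the due date are invented.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (sample)",
  "vulnerabilities": [
    {
      "cveID": "CVE-2025-20393",
      "vendorProject": "Cisco",
      "product": "AsyncOS",
      "vulnerabilityName": "Cisco AsyncOS command injection (sample wording)",
      "dateAdded": "2025-12-17",
      "shortDescription": "Constructed placeholder description.",
      "requiredAction": "Apply mitigations per vendor instructions.",
      "dueDate": "2025-12-24",
      "knownRansomwareCampaignUse": "Unknown"
    },
    {
      "cveID": "CVE-2024-0000",
      "vendorProject": "ExampleVendor",
      "product": "ExampleProduct",
      "vulnerabilityName": "Constructed entry for a product we do not run",
      "dateAdded": "2024-01-10",
      "shortDescription": "Constructed placeholder description.",
      "requiredAction": "Apply mitigations per vendor instructions.",
      "dueDate": "2024-01-31",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""

# Constructed inventory: vendor/product as tracked by the asset system,
# plus the date the host was patched (None if it is still unpatched).
SAMPLE_ASSETS = [
    {"host": "esa-01.example.net", "vendor": "Cisco", "product": "AsyncOS", "patched_on": None},
    {"host": "esa-02.example.net", "vendor": "Cisco", "product": "AsyncOS", "patched_on": "2026-01-16"},
    {"host": "esa-03.example.net", "vendor": "Cisco", "product": "AsyncOS", "patched_on": "2025-12-20"},
    {"host": "fw-01.example.net", "vendor": "Other", "product": "Firewall", "patched_on": None},
]


def _to_date(value):
    """Accept ISO date strings or date objects."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def load_kev(text):
    """Parse KEV JSON into a dict keyed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def triage(kev, assets, today):
    """Return one finding per (host, KEV entry) match, worst first."""
    today = _to_date(today)
    findings = []
    for asset in assets:
        for entry in kev.values():
            if (entry["vendorProject"].lower(), entry["product"].lower()) != (
                asset["vendor"].lower(), asset["product"].lower()
            ):
                continue
            added = _to_date(entry["dateAdded"])
            due = _to_date(entry["dueDate"])
            patched_on = _to_date(asset["patched_on"]) if asset["patched_on"] else None
            # Exposure runs from the KEV add date until the patch, or until today.
            exposure_days = max(((patched_on or today) - added).days, 0)
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "patched": patched_on is not None,
                "overdue": patched_on is None and today > due,
                "exposure_days": exposure_days,
                # A long window means hunt for prior compromise even if patched now.
                "assume_compromise": exposure_days >= ASSUME_COMPROMISE_DAYS,
                "required_action": entry["requiredAction"],
            })
    # Unpatched hosts first, then longest exposure first.
    findings.sort(key=lambda f: (f["patched"], -f["exposure_days"]))
    return findings


if __name__ == "__main__":
    for f in triage(load_kev(SAMPLE_KEV_JSON), SAMPLE_ASSETS, date.today()):
        state = "UNPATCHED" if not f["patched"] else "patched"
        flags = [k for k in ("overdue", "assume_compromise") if f[k]]
        print(f'{f["host"]:22} {f["cveID"]:15} {state:9} '
              f'exposed {f["exposure_days"]:3}d {" ".join(flags)}')
```

Run it on a real inventory by replacing `SAMPLE_KEV_JSON` with the downloaded catalog text and `SAMPLE_ASSETS` with an export from your asset system; the key design point is that the exposure window is measured from the KEV add date, not from patch day, so a host patched on day 30 still lands on the hunt list, while one patched within a few days of the listing does not.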
