Attacks on Zero-Day Vulnerabilities: Cisco, Sonicwall, and Asus Live Update
CISA warns of observed attacks on Cisco, Sonicwall, and Asus security vulnerabilities. Updates are partially available.
On Thursday night, the US IT security authority CISA added three vulnerabilities to its list of “Known Exploited Vulnerabilities.” These are critical security flaws in Cisco's Secure Email Gateway and Secure Email and Web Manager, Sonicwall SMA1000 appliances, and Asus Live Update software. Attackers are exploiting these vulnerabilities, and administrators should install available updates immediately.
CISA warns of the exploited vulnerabilities in its list, abbreviated as “KEV.” The most severe is the security flaw in Cisco's Secure Email Gateway and Web Manager. According to Cisco's security advisory, the company observed an attack campaign on December 10th targeting specific ports of Cisco's AsyncOS software for these appliances. Cisco's analysis places the attackers in a group associated with China. During these attacks, perpetrators could execute arbitrary commands with root privileges on the operating system from the internet, thereby compromising the devices. However, Cisco has not yet disclosed details about the vulnerability itself (CVE-2025-20393, CVSS 10.0, Risk “critical”).
Cisco is not providing software updates but advises IT administrators with vulnerable devices -- those exposing the Web Management Interface or the spam quarantine port to the internet -- to configure their appliances securely. This includes downloading and installing virtual replacement appliances. Administrators can also find indicators of compromise (IOCs) in the analysis. Cisco does not provide temporary countermeasures.
Further Exploited Security Vulnerabilities
Additionally, malicious actors are exploiting a vulnerability in Sonicwall's SMA1000 appliances. This new security flaw allows attackers to escalate their privileges due to insufficient authentication in the SMA1000 Appliance Management Console (AMC) (CVE-2025-40602, CVSS 6.6, Risk “medium”). Sonicwall points out in its security advisory that attackers can combine this vulnerability with a critical deserialization flaw for which updated software has been available since January. The new security vulnerability is fixed by updates to SMA1000 12.4.3-03245 and 12.5.0-02283 and newer versions. Until updates are installed, administrators should severely restrict access to the AMC and, for example, allow SSH access only via VPN or specific admin IPs, or disable the SSL VPN management interface and SSH access from the internet. Sonicwall notes that SSL VPN on Sonicwall firewalls is not affected.
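As an added illustration (not part of the article or of Sonicwall's advisory), a small Python check that compares inventoried SMA1000 version strings against the fixed builds named above. The "major.minor.patch-build" format and the assumption that the two fixed builds belong to separate 12.4 and 12.5 release branches are mine, not stated on the page.

```python
import re
from typing import Optional, Tuple

# Fixed builds quoted in the article. Assumption: each number fixes its own
# release branch (12.4.x and 12.5.x); other branches need manual review.
FIXED_SMA1000 = {
    (12, 4): (12, 4, 3, 3245),   # 12.4.3-03245
    (12, 5): (12, 5, 0, 2283),   # 12.5.0-02283
}

# Assumed version-string layout: major.minor.patch-build, e.g. "12.4.3-03245"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '12.4.3-03245' into (12, 4, 3, 3245) so tuples compare numerically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA1000 version string: {text!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch, build)


def is_patched(version: str) -> Optional[bool]:
    """True if the build is at or above the fix for its branch, False if below,
    None if the branch is not covered by the advisory (needs manual review)."""
    v = parse_version(version)
    fixed = FIXED_SMA1000.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed


def triage(inventory):
    """Return (needs_update, needs_review) host-name lists for an inventory
    of (hostname, version) pairs, e.g. exported from an asset database."""
    needs_update, needs_review = [], []
    for host, version in inventory:
        status = is_patched(version)
        if status is None:
            needs_review.append(host)
        elif not status:
            needs_update.append(host)
    return needs_update, needs_review


# Constructed sample inventory; names and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("sma-dc1", "12.4.3-03245"),   # exactly the fixed build: patched
    ("sma-dc2", "12.4.2-09999"),   # older patch level: needs update
    ("sma-branch", "12.5.1-00001"),  # newer than the 12.5 fix: patched
    ("sma-lab", "12.3.0-00100"),   # branch not named in advisory: review
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```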
The third security vulnerability being targeted by malicious actors impacts an old Asus software for updating manufacturer software on PCs and notebooks, Asus Live Update. In 2019, state-sponsored cybercriminals were able to infiltrate the Live Update servers and distribute compromised software -- at the time limited to specific targets -- as Asus warned at the time. “The modified builds can cause devices to perform actions they were not intended to perform if certain conditions are met,” Asus writes in the vulnerability description (CVE-2025-59374, CVSS 9.3, Risk “critical”). Only devices that meet these specific conditions and on which the compromised software was installed are impacted. The app is no longer supported as of October 2021, meaning that no current Asus device still receiving support is vulnerable, the company further clarifies.
Apart from Cisco, neither CISA nor the manufacturers provide details about the attacks or their scope. Administrators should check their systems and secure them according to the manufacturers' guidance.
(dmk)