Cisco Patches Critical Zero-Day RCE Vulnerability Exploited by Chinese APT Group

On January 16, 2026, Cisco released patches for a critical vulnerability (CVE-2025-20393, CVSS 10.0) affecting Cisco AsyncOS Software, used in Secure Email Gateway and Secure Email and Web Manager solutions. This vulnerability, exploited as a zero-day since December 2025 by a China-linked APT group (UAT-9686), allows remote code execution (RCE). No further technical details or impact assessment have been provided.