Cisco has alerted users to a maximum-severity zero-day flaw in Cisco AsyncOS software that has been actively exploited by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686 in attacks targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.
The networking equipment major said it became aware of the intrusion campaign on December 10, 2025, and that it has singled out a “limited subset of appliances” with certain ports open to the internet. It’s currently not known how many customers are affected.
“This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance,” Cisco said in an advisory. “The ongoing investigation has revealed evidence of a persistence mechanism planted by the threat actors to maintain a degree of control over compromised appliances.”
The as-yet-unpatched vulnerability is being tracked as CVE-2025-20393, and carries a CVSS score of 10.0. It concerns a case of improper input validation that allows threat actors to execute malicious instructions with elevated privileges on the underlying operating system.
All releases of Cisco AsyncOS Software are affected. However, for successful exploitation to occur, the following conditions have to be met for both physical and virtual versions of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances –
- The appliance is configured with the Spam Quarantine feature
- The Spam Quarantine feature is exposed to and reachable from the internet
It’s worth noting that the Spam Quarantine feature is not enabled by default. To check if it’s enabled, users are advised to follow the below steps –
- Connect to the web management interface
- Navigate to Network > IP Interfaces > [Select the Interface on which Spam Quarantine is configured] (for Secure Email Gateway) or Management Appliance > Network > IP Interfaces > [Select the interface on which Spam Quarantine is configured] (for Secure Email and Web Manager)
- If the Spam Quarantine option is checked, the feature is enabled
The exploitation activity observed by Cisco dates back to at least late November 2025, with UAT-9686 weaponizing the vulnerability to drop tunneling tools like ReverseSSH (aka AquaTunnel) and Chisel, as well as a log cleaning utility called AquaPurge. The use of AquaTunnel has been previously associated with Chinese hacking groups like APT41 and UNC5174.
Also deployed in the attacks is a lightweight Python backdoor dubbed AquaShell that’s capable of receiving encoded commands and executing them.
“It listens passively for unauthenticated HTTP POST requests containing specially crafted data,” Cisco said. “If such a request is identified, the backdoor will then attempt to parse the contents using a custom decoding routine and execute them in the system shell.”
In the absence of a patch, users are advised to restore their…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
