Cisco has released security updates for a critical vulnerability that a China-linked advanced persistent threat (APT) group tracked as UAT-9686 has been exploiting in the wild. The flaw affects Cisco AsyncOS Software running on Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances. The patches arrive nearly a month after Cisco first disclosed that the flaw was being exploited as a zero-day.
The vulnerability, tracked as CVE-2025-20393, carries the maximum CVSS score of 10.0. It is a remote command execution flaw caused by improper validation of HTTP requests in the Spam Quarantine feature. A successful exploit lets an unauthenticated, remote attacker execute arbitrary commands as root on the underlying operating system of the affected appliance.
All three of the following conditions must hold for an appliance to be exploitable:
1. The appliance is running a vulnerable release of Cisco AsyncOS Software.
2. The Spam Quarantine feature is enabled on the appliance.
3. The Spam Quarantine interface is reachable from the internet.
Last month, Cisco disclosed that UAT-9686 had been exploiting the vulnerability since late November 2025, using it to deploy the tunneling tools ReverseSSH (also known as AquaTunnel) and Chisel, along with a log-cleaning utility named AquaPurge.
Additionally, the attackers are utilizing a lightweight Python backdoor referred to as AquaShell, which is capable of receiving encoded commands and executing them covertly.
Cisco has now fixed the vulnerability in the following releases; the updates also remove persistence mechanisms discovered during the attacks:
- For Cisco Secure Email Gateway:
  * Cisco AsyncOS Software Release 14.2 and earlier (Fixed in 15.0.5-016)
  * Cisco AsyncOS Software Release 15.0 (Fixed in 15.0.5-016)
  * Cisco AsyncOS Software Release 15.5 (Fixed in 15.5.4-012)
  * Cisco AsyncOS Software Release 16.0 (Fixed in 16.0.4-016)
- For Cisco Secure Email and Web Manager:
  * Cisco AsyncOS Software Release 15.0 and earlier (Fixed in 15.0.2-007)
  * Cisco AsyncOS Software Release 15.5 (Fixed in 15.5.4-007)
  * Cisco AsyncOS Software Release 16.0 (Fixed in 16.0.4-010)
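As an added example (not Cisco's code or tooling), the script below turns the three exploitation conditions and the fixed-release table above into a triage check that can be run over an inventory of appliances. It assumes AsyncOS version strings follow the major.minor.patch-build form shown in the table (for example 15.0.5-016) and compares them numerically; the inventory entries, hostnames, product labels and field names are constructed for the example.

```python
"""Triage helper for CVE-2025-20393 (AsyncOS Spam Quarantine RCE).

Added example, not Cisco's code. The fixed-release table is taken from the
advisory summary above; the version-string format (major.minor.patch-build,
e.g. "15.0.5-016") and the numeric comparison rules are assumptions. Check
the appliance's own version output against the official advisory before
acting on the result.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Fixed releases per product and release train, as listed above. Trains older
# than the oldest fixed train have no fix of their own and must move to it.
FIXED_RELEASES = {
    "Secure Email Gateway": {
        "oldest_fixed_train": (15, 0),
        "trains": {(15, 0): "15.0.5-016", (15, 5): "15.5.4-012", (16, 0): "16.0.4-016"},
    },
    "Secure Email and Web Manager": {
        "oldest_fixed_train": (15, 0),
        "trains": {(15, 0): "15.0.2-007", (15, 5): "15.5.4-007", (16, 0): "16.0.4-010"},
    },
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'major.minor.patch-build' into a tuple of ints that compares correctly."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def patch_status(product: str, running: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for the running version.

    A train older than any listed fixed train is reported as vulnerable (it has
    to migrate to the oldest fixed release). A train newer than the table is
    'unknown' because the table says nothing about it.
    """
    table = FIXED_RELEASES[product]
    ver = parse_version(running)
    train = ver[:2]
    if train in table["trains"]:
        return "fixed" if ver >= parse_version(table["trains"][train]) else "vulnerable"
    if train < table["oldest_fixed_train"]:
        return "vulnerable"
    return "unknown"


@dataclass
class Appliance:
    name: str
    product: str
    version: str
    spam_quarantine_enabled: bool       # condition 2 from the advisory
    quarantine_internet_reachable: bool  # condition 3 from the advisory


def triage(app: Appliance) -> dict:
    """Combine the patch status (condition 1) with the two exposure conditions."""
    status = patch_status(app.product, app.version)
    exploitable = (
        status == "vulnerable"
        and app.spam_quarantine_enabled
        and app.quarantine_internet_reachable
    )
    return {"name": app.name, "patch_status": status, "exploitable_as_described": exploitable}


# Constructed sample inventory: hostnames and running versions are made up.
SAMPLE_INVENTORY = [
    Appliance("esa-dmz-01", "Secure Email Gateway", "15.5.3-024", True, True),
    Appliance("esa-int-02", "Secure Email Gateway", "15.5.4-012", True, True),
    Appliance("esa-old-03", "Secure Email Gateway", "14.2.1-020", True, False),
    Appliance("sma-01", "Secure Email and Web Manager", "16.0.4-010", False, True),
]

if __name__ == "__main__":
    for appliance in SAMPLE_INVENTORY:
        print(triage(appliance))
```

A train newer than those in the table is reported as unknown rather than fixed, since the table does not cover it; confirm such cases against Cisco's advisory. The two exposure flags come from your own configuration review of whether Spam Quarantine is enabled and whether its interface is reachable from the internet, and an appliance that is only "vulnerable" still needs the patch even when the other two conditions do not currently hold.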
Cisco also recommends that customers harden their appliances against further attempts:
- Restrict access from untrusted networks and place the appliances behind a firewall.
- Monitor web logs for irregular activity involving the appliances.
- Disable HTTP access to the main administrator portal.
- Turn off unnecessary network services.
- Enforce strong end-user authentication, for example SAML or LDAP.
- Replace default administrator passwords with strong, unique ones.