
Cisco has issued an alert regarding a maximum severity zero-day vulnerability in its Cisco AsyncOS software. This flaw has been actively exploited by an advanced persistent threat (APT) actor with ties to China, dubbed UAT-9686, in attacks targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.

Threat Details

The intrusion campaign was detected on December 10, 2025. Cisco determined that a limited subset of its appliances, those with specific ports exposed to the Internet, were targeted. The vulnerability, tracked as CVE-2025-20393, carries a CVSS score of 10.0 and allows an unauthenticated attacker to execute arbitrary commands as root on the underlying operating system of an affected appliance. The attackers also established persistence mechanisms to retain control of compromised systems.

Conditions for Exploitation

For the vulnerability to be exploitable, both of the following conditions must be met on the physical and virtual versions of the Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances:

  • The appliance must be configured with the Spam Quarantine feature.
  • The Spam Quarantine feature must be exposed and accessible from the Internet.

The Spam Quarantine feature is not enabled by default. Administrators can check whether it is enabled, and on which interface, in the management web interface:

  • Secure Email Gateway: Navigate to Network > IP Interfaces > [Select the interface on which Spam Quarantine is configured].
  • Secure Email and Web Manager: Navigate to Management Appliance > Network > IP Interfaces > [Select the interface on which Spam Quarantine is configured].

If the “Spam Quarantine” option is checked, the feature is enabled on that interface. The combination that matters is an enabled Spam Quarantine on an interface that is reachable from the Internet; an appliance that has the feature enabled only on an internal management interface does not meet the second condition.

Tools Used by the Threat Actor

The observed exploitation activity dates back to at least late November 2025. UAT-9686 has used the vulnerability to deploy tunneling tools, namely ReverseSSH (tracked as AquaTunnel) and Chisel, as well as a log-cleaning utility called AquaPurge. AquaTunnel has previously been associated with Chinese hacking groups such as APT41 and UNC5174.

A lightweight Python backdoor called AquaShell has also been observed. It passively listens for unauthenticated HTTP POST requests, decodes the specially crafted data in the request body, and executes the result in the system shell. Because it requires no authentication and uses ordinary POST requests, its traffic can blend in with legitimate use of the web interface unless POST activity is reviewed.

Mitigations and Recommendations

Pending a fixed software release, Cisco recommends the following actions:

  • Restore appliances to a known-good configuration.
  • Limit access from the Internet, in particular to the Spam Quarantine interface.
  • Place devices behind a firewall that allows traffic only from trusted hosts.
  • Separate mail and management functions onto different network interfaces.
  • Monitor web log traffic for unexpected activity, such as POST requests from untrusted sources.
  • Disable plain HTTP on the main administration portal and use HTTPS only.
  • Disable any network service that is not strictly necessary.
  • Use centrally managed user authentication such as SAML or LDAP.
  • Change the default administrator password to a strong, unique one.
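The “monitor web log traffic” recommendation above, and the AquaShell behaviour described earlier (unauthenticated POST requests carrying encoded commands), both come down to the same question: which POSTs reached the appliance from outside the trusted networks, and to which paths? The script below is an added illustration of that triage, not code from Cisco or from the page. It assumes an Apache “combined” access-log format, a trusted management network of 10.0.0.0/8, and that only /login and /quarantine/login legitimately receive POSTs; the sample log lines, addresses and paths are all constructed for the example.

```python
"""Triage of appliance web-access logs for unexpected POST activity.

Added illustration, not Cisco code. Assumptions (all constructed for this
example): the appliance's web log is in Apache "combined" format, the
trusted management networks are listed in TRUSTED_NETS, and the only paths
that legitimately receive POSTs are those in EXPECTED_POST_PATHS.
"""
import ipaddress
import re

# Constructed sample lines: addresses, timestamps and paths are invented.
# The last line is deliberately malformed to show that unparseable input is
# reported rather than silently dropped.
SAMPLE_LOG = """\
10.1.1.5 - - [10/Dec/2025:09:01:12 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.1.1.5 - - [10/Dec/2025:09:01:15 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.44 - - [10/Dec/2025:09:03:01 +0000] "POST /quarantine/login HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.44 - - [10/Dec/2025:09:03:02 +0000] "POST /quarantine/cgi/x HTTP/1.1" 200 0 "-" "curl/8.4.0"
203.0.113.44 - - [10/Dec/2025:09:03:03 +0000] "POST /quarantine/cgi/x HTTP/1.1" 200 0 "-" "curl/8.4.0"
198.51.100.7 - - [10/Dec/2025:09:04:10 +0000] "GET /quarantine/login HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
this line is not in the expected format
"""

TRUSTED_NETS = ["10.0.0.0/8"]                          # assumed management network
EXPECTED_POST_PATHS = {"/login", "/quarantine/login"}  # assumed legitimate POST targets

# Apache combined format: client ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip, nets):
    """True if ip falls inside any of the given ip_network objects."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def triage(log_text, trusted_nets, expected_post_paths):
    """Return one finding per suspicious line, in log order.

    A POST is flagged when its source is outside the trusted networks, when
    its target path is not an expected POST endpoint, or both. GETs are not
    examined: a backdoor that only accepts POST bodies never needs them.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            findings.append({"line": lineno, "ip": None, "path": None,
                             "status": None, "ua": None, "reasons": ["unparseable"]})
            continue
        if rec["method"] != "POST":
            continue
        reasons = []
        if not is_trusted(rec["ip"], nets):
            reasons.append("post_from_untrusted_source")
        if rec["path"] not in expected_post_paths:
            reasons.append("post_to_unexpected_path")
        if reasons:
            findings.append({"line": lineno, "ip": rec["ip"], "path": rec["path"],
                             "status": rec["status"], "ua": rec["ua"], "reasons": reasons})
    return findings


def sources_to_block(findings):
    """Sorted source IPs that POSTed to unexpected paths: candidates for a firewall deny list."""
    return sorted({f["ip"] for f in findings
                   if f["ip"] and "post_to_unexpected_path" in f["reasons"]})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG, TRUSTED_NETS, EXPECTED_POST_PATHS)
    for f in results:
        print(f"line {f['line']:>3}: {f['ip']!s:<14} {f['path']!s:<22} {', '.join(f['reasons'])}")
    print("candidates for blocking:", sources_to_block(results))
```

On the constructed sample, the trusted POST to /login on line 2 produces no finding, the untrusted POST to the quarantine login on line 3 is flagged for its source only, and the two POSTs to /quarantine/cgi/x on lines 4 and 5 are flagged for both source and path; line 7 is reported as unparseable. In practice the expected-path set should be built from a baseline of the appliance's own logs before the exposure window, and any path that only ever receives POSTs from a single external address deserves a closer look regardless of whether it appears in that baseline.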

Where compromise is confirmed, Cisco considers rebuilding the appliance the only reliable way to remove the threat actor’s persistence mechanisms; cleaning a live system is not sufficient given the root-level access and log-wiping tooling involved.

Implications and Additional Context

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary mitigations by December 24, 2025.

Separately, GreyNoise has reported a coordinated, automated credential-based campaign against enterprise VPN authentication infrastructure, specifically exposed or weakly protected Cisco SSL VPN and Palo Alto Networks GlobalProtect portals. More than 10,000 unique IPs are estimated to have taken part in automated login attempts against GlobalProtect and Cisco SSL VPN portals recently. That activity is a large-scale brute-force login campaign, not exploitation of CVE-2025-20393, and the two should not be conflated; the overlap is only that both target Internet-exposed Cisco edge infrastructure.

References

  • CVE-2025-20393
  • CISA KEV Catalog