Zero-Day in Cisco AsyncOS Exploited by APT Group; Deploys AquaShell Backdoor in Secure Email Gateway Systems

Critical Zero-Day Vulnerability in Cisco AsyncOS Exploited to Deploy System-Level Backdoors

In late November 2025, cybersecurity researchers identified active exploitation of a zero-day vulnerability in Cisco’s AsyncOS Software, specifically targeting Secure Email Gateway (formerly known as Email Security Appliance, ESA) and Secure Email and Web Manager (formerly Content Security Management Appliance, SMA). This sophisticated attack enables adversaries to execute system-level commands and implant a persistent Python-based backdoor, dubbed AquaShell, on compromised devices.

Attack Overview

The campaign, publicly disclosed on December 10, 2025, has been attributed with moderate confidence to UAT-9686, an advanced persistent threat (APT) group with ties to Chinese cyber operations. This attribution is based on observed overlaps in tactics, techniques, and procedures (TTPs), tooling, and infrastructure with known groups such as APT41 and UNC5174. Notably, the custom web implant AquaShell mirrors techniques adopted by sophisticated Chinese APTs for stealthy persistence.

Technical Details of the Exploit

The attackers exploit a vulnerability in appliances with non-standard configurations, as detailed in Cisco’s advisory. They embed AquaShell into the file /data/web/euq_webui/htdocs/index.py as an encoded blob. This lightweight backdoor passively monitors for unauthenticated HTTP POST requests, decodes each payload with a custom algorithm layered on Base64, and executes the resulting shell commands.

Additional Malicious Tools Deployed

Beyond AquaShell, the attackers have utilized several supplementary tools to maintain access and evade detection:

– AquaTunnel: A Go ELF binary derived from the open-source ReverseSSH project, AquaTunnel establishes reverse SSH tunnels, allowing remote access that bypasses inbound firewall restrictions.

– Chisel: An open-source tunneling tool that proxies TCP/UDP traffic over HTTP, facilitating internal network pivoting and further exploitation.

– AquaPurge: A utility designed to cleanse logs by filtering out lines containing specific keywords using the ‘egrep’ command, thereby erasing traces of the attack.

Indicators of Compromise (IOCs)

Organizations should be vigilant for the following IOCs associated with this campaign:

– AquaTunnel SHA256 Hash: 2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef

– AquaPurge SHA256 Hash: 145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca

– Chisel SHA256 Hash: 85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc

– Attacker IP Addresses:

– 172.233.67[.]176

– 172.237.29[.]147

– 38.54.56[.]95
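The following script is an added example written for this article, not tooling from Cisco or from the researchers who disclosed the campaign. It takes the three SHA256 hashes and three defanged IP addresses listed above and does what the "Monitor Systems" recommendation calls for: re-fangs the addresses, hashes files and matches them against the listed tool hashes, and scans web-access log lines for the attacker addresses. The log lines are constructed samples in a generic access-log format; the appliance's real log layout is not described in the article and is assumed here only for illustration.

```python
import hashlib
import re
import sys
from typing import List, Optional, Tuple

# SHA256 hashes exactly as listed in the campaign IOCs, mapped to the tool name.
KNOWN_BAD_SHA256 = {
    "2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef": "AquaTunnel",
    "145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca": "AquaPurge",
    "85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc": "Chisel",
}

# Attacker addresses as published (defanged with "[.]" so they are not clickable).
DEFANGED_IPS = ["172.233.67[.]176", "172.237.29[.]147", "38.54.56[.]95"]


def refang(ip: str) -> str:
    """Turn a defanged address such as 1.2.3[.]4 back into a matchable dotted quad."""
    return ip.replace("[.]", ".")


ATTACKER_IPS = {refang(ip) for ip in DEFANGED_IPS}

# Match a whole dotted quad only: lookarounds stop 38.54.56.95 from matching
# inside 138.54.56.95 or 38.54.56.950.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def classify_digest(hexdigest: str) -> Optional[str]:
    """Return the tool name if the SHA256 hex digest is a listed IOC, else None."""
    return KNOWN_BAD_SHA256.get(hexdigest.lower())


def classify_bytes(data: bytes) -> Optional[str]:
    """Hash file content and look it up against the listed IOC hashes."""
    return classify_digest(hashlib.sha256(data).hexdigest())


def classify_file(path: str) -> Optional[str]:
    """Hash a file on disk in chunks (binaries may be large) and classify it."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return classify_digest(h.hexdigest())


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, line) for every line that mentions an attacker IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ATTACKER_IPS:
                hits.append((n, ip, line))
    return hits


# Constructed sample log lines (assumed generic access-log layout, not the
# appliance's real format). Lines 2 and 4 carry two of the listed addresses.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2025:09:14:02 +0000] "GET /euq/login HTTP/1.1" 200 512',
    '172.233.67.176 - - [11/Dec/2025:09:15:41 +0000] "POST /index.py HTTP/1.1" 200 18',
    '10.0.0.9 - - [11/Dec/2025:09:16:03 +0000] "GET /euq/ HTTP/1.1" 200 2048',
    '38.54.56.95 - - [11/Dec/2025:09:17:55 +0000] "POST /index.py HTTP/1.1" 200 44',
]


if __name__ == "__main__":
    # Usage: python ioc_check.py [file ...]  (files are hashed; the sample log is always scanned)
    for path in sys.argv[1:]:
        name = classify_file(path)
        print(f"{path}: {name or 'no IOC match'}")
    for n, ip, line in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: attacker IP {ip}: {line}")
```

Hash matching only catches the exact binaries that were published; a recompiled AquaTunnel or Chisel will hash differently, so treat the IP and log-based checks, and any unexpected change to index.py under /data/web/euq_webui/htdocs, as the more durable signals. Because AquaPurge removes log lines by keyword, an absence of hits does not clear a device; corroborate with logs forwarded off-box before the suspected compromise window.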

Implications for Organizations

The Secure Email and Web Manager serves as a centralized platform for overseeing ESA and Web Security Appliance (WSA) operations, including quarantine management, policy enforcement, and reporting. Its compromise can lead to significant disruptions in email security infrastructure, potentially exposing sensitive communications and facilitating further network infiltration.

Recommended Actions

Cisco has released an advisory detailing the vulnerability, associated IOCs, and recommended remediation steps. Organizations utilizing affected Cisco appliances are urged to:

1. Review the Advisory: Examine Cisco’s official advisory for comprehensive information on the vulnerability and mitigation strategies.

2. Implement Patches: Apply the necessary software updates provided by Cisco to address the vulnerability.

3. Monitor Systems: Continuously monitor network traffic and system logs for signs of compromise, paying close attention to the IOCs listed above.

4. Restrict Access: Limit access to management interfaces to trusted networks and users to reduce the attack surface.

5. Educate Personnel: Train staff on recognizing phishing attempts and other common attack vectors to prevent initial compromise.

Conclusion

This campaign underscores the increasing focus of APT groups on exploiting vulnerabilities in email security appliances, highlighting the critical need for organizations to maintain up-to-date systems and adhere to robust cybersecurity practices.