Cisco Patches Zero-Day Exploit in Email Gateways Targeted by China-Linked APT UAT-9686

Cisco Addresses Critical Zero-Day Vulnerability Exploited by China-Linked APT in Secure Email Gateways

On January 16, 2026, Cisco released critical security updates to address a severe vulnerability in its AsyncOS Software, which powers Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. This vulnerability, identified as CVE-2025-20393 with a maximum CVSS score of 10.0, had been actively exploited by a China-based advanced persistent threat (APT) group known as UAT-9686.

Understanding CVE-2025-20393

CVE-2025-20393 is a remote command execution flaw stemming from inadequate validation of HTTP requests within the Spam Quarantine feature of the affected software. If exploited, this vulnerability allows attackers to execute arbitrary commands with root privileges on the underlying operating system of the compromised appliance.

Conditions for Exploitation

For an attacker to successfully exploit this vulnerability, the following conditions must be met:

1. The appliance must be running a vulnerable version of Cisco AsyncOS Software.

2. The Spam Quarantine feature must be enabled.

3. The Spam Quarantine feature must be accessible from the internet.

Details of the Attack Campaign

Cisco’s investigation revealed that UAT-9686 began exploiting this vulnerability as early as late November 2025. The attackers deployed various tools, including:

– ReverseSSH (AquaTunnel): A tunneling tool used to establish reverse SSH connections, allowing attackers to bypass network restrictions.

– Chisel: Another tunneling tool that creates secure tunnels over HTTP, facilitating unauthorized access.

– AquaPurge: A log-cleaning utility designed to erase traces of the attack, complicating detection and forensic analysis.

Additionally, the attackers deployed a lightweight Python-based backdoor named AquaShell. This backdoor is capable of receiving encoded commands and executing them on the compromised system, providing persistent access and control.

Cisco’s Response and Remediation

In response to these findings, Cisco has released patches to address the vulnerability in the following software versions:

– Cisco Email Security Gateway:

  – AsyncOS Software Release 14.2 and earlier: Fixed in 15.0.5-016

  – AsyncOS Software Release 15.0: Fixed in 15.0.5-016

  – AsyncOS Software Release 15.5: Fixed in 15.5.4-012

  – AsyncOS Software Release 16.0: Fixed in 16.0.4-016

– Secure Email and Web Manager:

  – AsyncOS Software Release 15.0 and earlier: Fixed in 15.0.2-007

  – AsyncOS Software Release 15.5: Fixed in 15.5.4-007

  – AsyncOS Software Release 16.0: Fixed in 16.0.4-010
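As an added example (not Cisco's own tooling), the following Python helper encodes the fixed-release table above together with the three exploitation conditions from the earlier section, so an inventory of appliances can be checked for units that still need the update. The product keys and the "major.minor.patch-build" version shape are assumptions modelled on how the advisory writes its release numbers.

```python
"""Fixed-release check for CVE-2025-20393 on Cisco AsyncOS (added example)."""
import re

# Release train (major, minor) -> first fixed release, copied from the advisory.
FIXED_RELEASES = {
    "email-gateway": {
        (15, 0): "15.0.5-016",   # 14.2 and earlier also migrate to this release
        (15, 5): "15.5.4-012",
        (16, 0): "16.0.4-016",
    },
    "email-web-manager": {
        (15, 0): "15.0.2-007",   # 15.0 and earlier
        (15, 5): "15.5.4-007",
        (16, 0): "16.0.4-010",
    },
}

# Assumed version shape: "16.0.4-016" -> (16, 0, 4, 16)
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text):
    """Parse an AsyncOS version string into a comparable tuple."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(product, version):
    """True if `version` predates the fixed release for its train.

    Returns None for a train newer than any the advisory lists, because the
    advisory says nothing about those releases.
    """
    table = FIXED_RELEASES[product]
    ver = parse_version(version)
    train = ver[:2]
    if train in table:
        return ver < parse_version(table[train])
    if train < min(table):      # "and earlier" rows: every build is affected
        return True
    return None                 # newer train: not covered by the advisory


def exposure(product, version, spam_quarantine_enabled, internet_reachable):
    """Combine the version check with the two deployment conditions."""
    vuln = is_vulnerable(product, version)
    if vuln is False:
        return "patched"
    if vuln is None:
        return "unknown-train"
    if spam_quarantine_enabled and internet_reachable:
        return "exploitable"    # all three advisory conditions hold
    return "vulnerable-not-exposed"
```

A "vulnerable-not-exposed" result still calls for the update; it only means the Spam Quarantine conditions are not currently met.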

These updates not only patch the vulnerability but also remove any persistence mechanisms installed by the attackers during the campaign.

Recommended Security Measures

Cisco strongly advises customers to implement the following security measures to mitigate potential risks:

1. Restrict Access: Ensure that the Spam Quarantine feature is not exposed to untrusted networks.

2. Firewall Protection: Position appliances behind a firewall to control and monitor incoming and outgoing traffic.

3. Monitor Web Logs: Regularly review web logs for any unusual or unexpected traffic patterns to detect potential intrusions.

4. Disable Unnecessary Services: Turn off any network services that are not essential to reduce the attack surface.

5. Enforce Strong Authentication: Implement robust authentication methods, such as SAML or LDAP, to secure access to the appliances.

6. Update Administrator Credentials: Change default administrator passwords to strong, unique passwords to prevent unauthorized access.

Broader Implications and Context

This incident underscores the persistent threat posed by state-sponsored cyber actors targeting critical infrastructure. The exploitation of zero-day vulnerabilities by groups like UAT-9686 highlights the importance of proactive security measures and timely patch management.

Organizations are encouraged to stay vigilant, regularly update their systems, and adhere to best security practices to defend against such sophisticated threats.