Cisco Addresses Critical Zero-Day Exploit in Secure Email Gateways Targeted by China-Linked APT
On January 16, 2026, Cisco released security updates to address a critical vulnerability in its AsyncOS Software, which powers Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. This flaw, identified as CVE-2025-20393 with a maximum CVSS score of 10.0, had been actively exploited by a China-based advanced persistent threat (APT) group known as UAT-9686.
Understanding the Vulnerability
The CVE-2025-20393 vulnerability stems from inadequate validation of HTTP requests within the Spam Quarantine feature of the affected software. If exploited, it allows attackers to execute arbitrary commands with root privileges on the underlying operating system of the compromised appliance. For an attack to be successful, the following conditions must be met:
1. The appliance runs a vulnerable version of Cisco AsyncOS Software.
2. The Spam Quarantine feature is enabled.
3. The Spam Quarantine feature is accessible from the internet.
Exploitation by UAT-9686
Cisco’s investigation revealed that UAT-9686 began exploiting this vulnerability in late November 2025. The attackers deployed various tools, including:
– ReverseSSH (AquaTunnel): A tunneling tool facilitating remote access.
– Chisel: Another tunneling tool used for creating secure connections.
– AquaPurge: A utility designed to clean logs, thereby erasing traces of malicious activities.
Additionally, the attackers installed a lightweight Python-based backdoor named AquaShell, capable of receiving and executing encoded commands, further compromising the security of the affected systems.
Security Updates and Mitigation Measures
In response to these threats, Cisco has released patches for the following versions:
Cisco Email Security Gateway:
– AsyncOS Software Release 14.2 and earlier: Fixed in 15.0.5-016
– AsyncOS Software Release 15.0: Fixed in 15.0.5-016
– AsyncOS Software Release 15.5: Fixed in 15.5.4-012
– AsyncOS Software Release 16.0: Fixed in 16.0.4-016
Secure Email and Web Manager:
– AsyncOS Software Release 15.0 and earlier: Fixed in 15.0.2-007
– AsyncOS Software Release 15.5: Fixed in 15.5.4-007
– AsyncOS Software Release 16.0: Fixed in 16.0.4-010
Beyond applying these patches, Cisco recommends several hardening measures to enhance security:
– Restrict Network Access: Limit exposure of the Spam Quarantine feature to trusted networks only.
– Implement Firewalls: Position appliances behind firewalls to control and monitor incoming and outgoing traffic.
– Monitor Web Logs: Regularly review web logs for any unusual activity that could indicate a breach.
– Disable Unnecessary Services: Turn off any network services that are not essential to reduce potential attack vectors.
– Strengthen Authentication: Enforce robust authentication methods, such as SAML or LDAP, for accessing the appliances.
– Update Administrator Credentials: Change default administrator passwords to complex, unique ones to prevent unauthorized access.
Broader Implications and Historical Context
This incident underscores the persistent threat posed by state-sponsored cyber actors targeting critical infrastructure. The exploitation of zero-day vulnerabilities by groups like UAT-9686 highlights the need for continuous vigilance and proactive security measures.
Historically, Cisco products have been targeted by various APT groups. For instance, in September 2025, the UK National Cyber Security Centre reported that threat actors exploited vulnerabilities in Cisco ASA firewalls to deploy malware families like RayInitiator and LINE VIPER. These attacks involved sophisticated evasion techniques, including disabling logging and intercepting command-line interface commands.
Similarly, in July 2024, a China-nexus cyber espionage group named Velvet Ant exploited a zero-day flaw in Cisco NX-OS Software to deliver custom malware. This vulnerability allowed authenticated attackers to execute arbitrary commands as root on affected devices.
These incidents highlight a pattern of adversaries targeting Cisco’s network devices to gain unauthorized access and maintain persistence within organizational networks.
Conclusion
The recent exploitation of CVE-2025-20393 by UAT-9686 serves as a stark reminder of the evolving cyber threat landscape. Organizations must prioritize timely patching, implement robust security configurations, and remain vigilant against sophisticated adversaries. By adopting a proactive security posture and adhering to best practices, organizations can mitigate risks and protect their critical assets from potential breaches.
