Cisco has issued emergency security updates for a previously exploited zero-day vulnerability affecting its enterprise email security infrastructure, after confirming real-world attacks linked to a China-associated threat actor identified as UAT-9686.
What Was Fixed
The flaw, assigned CVE-2025-20393, allows unauthenticated remote command execution and has been given a CVSS severity score of 10.0. The issue exists within the Spam Quarantine component of Cisco’s AsyncOS Software, where improper HTTP request handling can be abused to gain full system control.
Successful exploitation enables attackers to run commands with root-level privileges, effectively taking over the affected appliance.
When Exploitation Is Possible
Cisco stated that exploitation requires a specific setup. Systems are at risk only if:
- A vulnerable AsyncOS version is in use
- The Spam Quarantine feature is enabled
- The feature is publicly reachable over the internet
Systems meeting all three criteria were actively targeted in late 2025.
Observed Threat Actor Activity
According to Cisco’s investigation, UAT-9686 began abusing the vulnerability in November 2025. Compromised devices were used to deploy multiple offensive tools, including:
- Network tunneling utilities such as ReverseSSH (AquaTunnel) and Chisel
- AquaPurge, designed to erase system and access logs
- AquaShell, a compact Python backdoor capable of decoding and executing attacker-supplied commands
These tools allowed attackers to maintain stealthy and persistent access to infected systems.
Patched Versions Now Available
Cisco has released updated AsyncOS builds that both close the security hole and remove attacker-installed persistence mechanisms.
Secure Email Gateway
- Versions 14.2 and earlier → Patched in 15.0.5-016
- Version 15.0 → Patched in 15.0.5-016
- Version 15.5 → Patched in 15.5.4-012
- Version 16.0 → Patched in 16.0.4-016
Secure Email and Web Manager
- Versions 15.0 and earlier → Patched in 15.0.2-007
- Version 15.5 → Patched in 15.5.4-007
- Version 16.0 → Patched in 16.0.4-010
Additional Defensive Recommendations
Beyond applying patches, Cisco recommends tightening security controls by:
- Isolating appliances behind firewalls
- Blocking exposure to untrusted networks
- Auditing web access logs for abnormal behavior
- Disabling HTTP access on admin portals
- Turning off unnecessary services
- Enforcing centralized authentication (SAML or LDAP)
- Replacing default administrator passwords with strong credentials
Security Takeaway
This incident reinforces a growing trend: security appliances themselves are increasingly targeted by advanced threat actors. Organizations running Cisco email security products should treat this update as high priority, patch immediately, and perform compromise assessments where exposure existed.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news
