
Cisco on Thursday released security updates for a maximum-severity flaw affecting Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The fix comes nearly a month after the company disclosed that the flaw had been exploited as a zero-day by a Chinese-aligned Advanced Persistent Threat (APT) actor it tracks as UAT-9686.
The vulnerability, tracked as CVE-2025-20393 (CVSS score: 10.0), is a remote command execution flaw caused by insufficient validation of HTTP requests by the Spam Quarantine feature. Successful exploitation could allow an attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.
However, all three of the following conditions must be met for the attack to work:
1. The appliance is running a vulnerable release of Cisco AsyncOS Software.
2. The appliance is configured with the Spam Quarantine feature.
3. The Spam Quarantine feature is exposed to, and reachable from, the Internet.
Last month, the networking equipment giant revealed that it had found evidence of UAT-9686 exploiting the flaw to drop tunneling tools such as ReverseSSH (also known as AquaTunnel) and Chisel, as well as a log-cleaning utility called AquaPurge, as early as late November 2025.

This attack is also characterized by the deployment of a lightweight Python backdoor called AquaShell that can receive and execute encoded commands.
The vulnerability is addressed in the following releases, which also remove the persistence mechanism identified in this campaign if it was installed on the appliance:
Cisco Secure Email Gateway
- Cisco AsyncOS Software Release 14.2 and earlier (fixed in 15.0.5-016)
- Cisco AsyncOS Software Release 15.0 (fixed in 15.0.5-016)
- Cisco AsyncOS Software Release 15.5 (fixed in 15.5.4-012)
- Cisco AsyncOS Software Release 16.0 (fixed in 16.0.4-016)
Cisco Secure Email and Web Manager
- Cisco AsyncOS Software Release 15.0 and earlier (fixed in 15.0.2-007)
- Cisco AsyncOS Software Release 15.5 (fixed in 15.5.4-007)
- Cisco AsyncOS Software Release 16.0 (fixed in 16.0.4-010)
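For fleet triage, the fixed-release list above is easier to apply as code than by eye, because AsyncOS versions carry a build suffix ("15.5.4-012") that a plain string comparison mishandles, and the "X and earlier" rows mean an older train must jump to a newer train's fixed build rather than wait for a fix on its own line. The following is an added example, not Cisco's tooling: it parses AsyncOS version strings, maps each appliance to the fixed build it must reach, and combines that with the three exploitation conditions from the advisory. The fixed builds are the ones listed above; the product keys ("seg", "sma"), function names and the sample inventory are constructed for illustration.

```python
"""Added example (not Cisco code): triage appliances against the
CVE-2025-20393 fixed releases and the three exploitation conditions."""
import re

# Per product: release train -> first fixed build, as listed in the advisory.
# Trains older than the oldest listed train ("X and earlier") have no fix of
# their own; Cisco points them at the floor train's fixed build.
FIXED = {
    "seg": {  # Cisco Secure Email Gateway (key is a constructed label)
        "floor": ((15, 0), "15.0.5-016"),  # 14.2 and earlier -> 15.0.5-016
        "trains": {(15, 0): "15.0.5-016",
                   (15, 5): "15.5.4-012",
                   (16, 0): "16.0.4-016"},
    },
    "sma": {  # Cisco Secure Email and Web Manager (constructed label)
        "floor": ((15, 0), "15.0.2-007"),  # 15.0 and earlier -> 15.0.2-007
        "trains": {(15, 0): "15.0.2-007",
                   (15, 5): "15.5.4-007",
                   (16, 0): "16.0.4-010"},
    },
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version):
    """'15.5.4-012' -> (15, 5, 4, 12); tuples compare numerically, so the
    zero-padded build suffix is handled correctly. Raises on odd input."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def required_fix(product, version):
    """Fixed build this appliance must reach, or None if its release train
    is newer than anything the advisory lists (check Cisco directly)."""
    info = FIXED[product]
    train = parse_version(version)[:2]
    if train in info["trains"]:
        return info["trains"][train]
    floor_train, floor_fix = info["floor"]
    if train < floor_train:
        return floor_fix  # "X and earlier": must move up to the floor train's fix
    return None


def is_patched(product, version):
    """True/False once the train is known; None for an unlisted newer train."""
    fix = required_fix(product, version)
    if fix is None:
        return None
    return parse_version(version) >= parse_version(fix)


def triage(product, version, quarantine_enabled, quarantine_internet_exposed):
    """Apply the three advisory conditions: vulnerable release, Spam Quarantine
    configured, Spam Quarantine reachable from the Internet."""
    patched = is_patched(product, version)
    if patched is None:
        return "unknown-train"
    if patched:
        return "patched"
    if quarantine_enabled and quarantine_internet_exposed:
        return "vulnerable-exposed"      # all three conditions met: patch first
    return "vulnerable-not-exposed"      # still patch; only exposure is missing


if __name__ == "__main__":
    # Constructed inventory for illustration, not real appliance data.
    inventory = [
        ("esa-dmz-01", "seg", "15.5.3-020", True, True),
        ("esa-int-02", "seg", "14.2.1-020", True, False),
        ("sma-core-01", "sma", "16.0.4-010", True, True),
    ]
    for host, product, ver, sq_on, sq_exposed in inventory:
        print(f"{host:12} {ver:12} -> {triage(product, ver, sq_on, sq_exposed)}"
              f" (target: {required_fix(product, ver)})")
```

Note that an appliance on a 14.2 build reports a target of 15.0.5-016 rather than a 14.2 release, matching the "14.2 and earlier" row, and that an unlisted newer train is reported as unknown rather than silently marked safe.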
Cisco also recommends restricting access to the appliance from untrusted networks, placing it behind a firewall, monitoring web logs for unexpected traffic to and from the appliance, disabling HTTP on the main administrator portal, disabling unnecessary network services, using strong forms of end-user authentication to the appliance (such as SAML or LDAP), and following its hardening guidelines, including changing the default administrator password to a stronger one.
