
Cisco has warned users of a maximum-severity zero-day vulnerability in Cisco AsyncOS Software. The flaw is being actively exploited by a Chinese-aligned Advanced Persistent Threat (APT) group tracked as UAT-9686 in attacks targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances.
The network equipment giant said it became aware of the intrusion campaign on December 10, 2025, and identified “a limited number of devices” that had specific ports open to the internet. The number of customers affected is unknown at this time.
“This attack allows an attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance,” Cisco said in an advisory. “Ongoing investigation has uncovered evidence of persistence mechanisms deployed by threat actors to maintain some level of control over compromised appliances.”
This unpatched vulnerability is tracked as CVE-2025-20393 and carries a CVSS score of 10.0. It stems from improper input validation that allows a threat actor to execute malicious instructions with elevated privileges on the underlying operating system.

All releases of Cisco AsyncOS Software are affected. However, for a successful exploit, both the physical and virtual versions of the Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances must meet both of the following conditions:
- The appliance is configured to use the Spam Quarantine feature.
- The Spam Quarantine interface is exposed to, and reachable from, the Internet.
Note that the Spam Quarantine feature is not enabled by default. To check whether it is enabled, Cisco recommends the following steps: connect to the web administration interface, then navigate to Network > IP Interfaces > [select the interface on which Spam Quarantine is configured] (for Secure Email Gateway) or Management Appliance > Network > IP Interfaces > [select the interface on which Spam Quarantine is configured] (for Secure Email and Web Manager). The feature is enabled if the Spam Quarantine option is checked.
The exploit activity observed by Cisco dates back to at least late November 2025, when UAT-9686 weaponized the vulnerability to drop tunneling tools such as ReverseSSH (also known as AquaTunnel) and Chisel, as well as a log cleaning utility called AquaPurge. The use of AquaTunnel has been associated with Chinese hacker groups such as APT41 and UNC5174.
The attack also introduces a lightweight Python backdoor called AquaShell that can receive and execute encoded commands.
“Passively listens for unauthenticated HTTP POST requests containing specially crafted data,” Cisco said. “If such a request is identified, the backdoor uses a custom decoding routine to parse the content and attempts to execute it in the system shell.”
Until a patch is applied, the recommended interim measures are to restore the appliance to a known-good configuration, restrict access from the Internet, place the device behind a firewall that only allows traffic from trusted hosts, separate email and administrative functions onto different network interfaces, monitor web logs for unexpected traffic, and disable HTTP on the main administrator portal.
Further recommendations are to turn off unnecessary network services, use strong end-user authentication methods such as SAML or LDAP, and change the default administrator password to a strong one.
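The interim measures above come down to two checks a defender can automate: is the Spam Quarantine interface being reached from anywhere other than trusted hosts, and are there unauthenticated POST requests to it of the kind the AquaShell backdoor is described as listening for. The following is an added example, not Cisco's code or the article's; it runs over constructed log lines in a generic combined-log layout (the real AsyncOS web log format is assumed to differ), with a hypothetical trusted range and a hypothetical `/quarantine/` URL prefix standing in for the quarantine listener.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines in a generic combined-log layout
# (client IP, ident, user, timestamp, request line, status, bytes).
# This is NOT the real AsyncOS log format; it is a stand-in so the check runs offline.
SAMPLE_LOG = """\
10.0.5.23 - admin [12/Dec/2025:09:01:10 +0000] "GET /login HTTP/1.1" 200 1532
10.0.5.23 - admin [12/Dec/2025:09:01:15 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.77 - - [12/Dec/2025:09:05:42 +0000] "POST /quarantine/Search HTTP/1.1" 200 87
198.51.100.9 - - [12/Dec/2025:09:06:01 +0000] "GET /quarantine/Search HTTP/1.1" 200 4120
10.0.5.40 - - [12/Dec/2025:09:07:30 +0000] "POST /quarantine/Search HTTP/1.1" 200 87
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Hypothetical trusted networks: the only places the quarantine UI should be reached from.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Finding:
    ip: str
    method: str
    path: str
    reason: str


def is_trusted(ip: str) -> bool:
    """True if the client address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def scan_log(text: str, quarantine_prefix: str = "/quarantine/") -> list:
    """Flag quarantine-UI requests that should not exist if the appliance
    is only reachable from trusted hosts. Unauthenticated POSTs from outside
    get their own reason so they can be triaged first."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ip, user, method, path = m["ip"], m["user"], m["method"], m["path"]
        if not path.startswith(quarantine_prefix):
            continue  # only the quarantine listener is in scope here
        if is_trusted(ip):
            continue
        if method == "POST" and user == "-":
            reason = "unauthenticated POST to quarantine UI from untrusted source"
        else:
            reason = "quarantine UI reached from untrusted source"
        findings.append(Finding(ip, method, path, reason))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ip:15} {f.method:4} {f.path:20} {f.reason}")
```

Any hit at all under the second reason means the quarantine interface is exposed beyond the trusted hosts, which is the exploit precondition Cisco lists; the first reason is the traffic shape to look at when deciding whether a rebuild is needed.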
“If a breach is confirmed, rebuilding the appliance is currently the only viable option to eradicate the threat actor’s persistence mechanisms from the appliance,” the company said.

In response to this development, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) Catalog and required Federal Civilian Executive Branch (FCEB) agencies to apply the necessary mitigations by December 24, 2025 to protect their networks.
The disclosure comes after GreyNoise reported that it had detected a “coordinated, automated credential-based campaign” targeting enterprise VPN authentication infrastructure, specifically probing exposed or weakly protected Cisco SSL VPNs and Palo Alto Networks’ GlobalProtect portals.
On December 11, 2025, GreyNoise estimated that over 10,000 unique IPs were involved in automated login attempts against GlobalProtect portals located in the United States, Pakistan, and Mexico, using common username and password combinations. As of December 12, 2025, the firm recorded a similar spike in opportunistic brute-force login attempts against Cisco SSL VPN endpoints, originating from 1,273 IP addresses.
“This activity reflects large scale scripted login attempts rather than vulnerability exploitation,” the threat intelligence firm said. “Consistent infrastructure usage and timing indicates a single campaign is being deployed across multiple VPN platforms.”
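The distinguishing feature of the campaign GreyNoise describes is not any single source but the number of distinct sources hitting the same login endpoint in a short window with common usernames. As an added example (not GreyNoise's or Cisco's code), the following detector buckets constructed failed-login events into fixed windows, alerts when the count of unique source IPs in a window crosses a threshold, and separately reports usernames tried from many different sources, which is the spraying pattern the article mentions. The event layout and the thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed failed-login events: (ISO timestamp, source IP, username attempted).
# Not real telemetry; the first six mimic a scripted spray, the last two a normal user typo.
EVENTS = [
    ("2025-12-12T10:00:01", "198.51.100.1", "admin"),
    ("2025-12-12T10:00:03", "198.51.100.2", "admin"),
    ("2025-12-12T10:00:05", "198.51.100.3", "test"),
    ("2025-12-12T10:00:07", "198.51.100.4", "admin"),
    ("2025-12-12T10:00:09", "198.51.100.5", "vpn"),
    ("2025-12-12T10:00:11", "198.51.100.6", "admin"),
    ("2025-12-12T10:30:00", "10.0.0.7", "jsmith"),
    ("2025-12-12T10:30:20", "10.0.0.7", "jsmith"),
]


@dataclass(frozen=True)
class Alert:
    window_start: str      # ISO timestamp of the window's first second
    unique_sources: int    # distinct IPs that failed a login in that window
    attempts: int          # total failed attempts in that window


def _window_start(t: datetime, window: timedelta) -> datetime:
    """Floor a timestamp to the start of its fixed-size window within the day."""
    seconds_of_day = t.hour * 3600 + t.minute * 60 + t.second
    win = int(window.total_seconds())
    midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight + timedelta(seconds=seconds_of_day - seconds_of_day % win)


def detect_distributed_bruteforce(events, window=timedelta(minutes=5), min_sources=5):
    """Alert on windows where failed logins come from at least `min_sources` distinct IPs.
    A single chatty IP never trips this; many IPs each trying once does."""
    ips_by_window = defaultdict(set)
    count_by_window = defaultdict(int)
    for ts, ip, _user in events:
        start = _window_start(datetime.fromisoformat(ts), window)
        ips_by_window[start].add(ip)
        count_by_window[start] += 1
    return [
        Alert(start.isoformat(), len(ips), count_by_window[start])
        for start, ips in sorted(ips_by_window.items())
        if len(ips) >= min_sources
    ]


def sprayed_usernames(events, min_sources=3):
    """Usernames attempted from at least `min_sources` distinct IPs: the signature of
    a common-credential spray spread across a botnet rather than one attacker host."""
    sources_by_user = defaultdict(set)
    for _ts, ip, user in events:
        sources_by_user[user].add(ip)
    return {u: len(s) for u, s in sources_by_user.items() if len(s) >= min_sources}


if __name__ == "__main__":
    for a in detect_distributed_bruteforce(EVENTS):
        print(f"{a.window_start}: {a.unique_sources} sources, {a.attempts} failed logins")
    print("sprayed usernames:", sprayed_usernames(EVENTS))
```

Per-IP lockout or rate limiting alone misses this shape of activity, since each source may only try a handful of times; counting distinct sources per window is what separates a scripted campaign from a forgotten password.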
