CVE-2025-20393: Critical Cisco AsyncOS Zero-Day Actively Exploited

Red | Vulnerability Report

Summary

CVE-2025-20393 is a critical zero-day vulnerability with a maximum CVSS score of 10.0 affecting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances running Cisco AsyncOS software. First exploited in late November 2025, this Cisco AsyncOS vulnerability stems from improper input validation in the Spam Quarantine web interface, allowing unauthenticated remote attackers to execute arbitrary commands with root privileges when the interface is exposed to the internet.

The zero-day exploit has been actively leveraged by UAT-9686, a China-linked advanced persistent threat group with tooling overlaps to APT41 and UNC5174. Threat actors deploy sophisticated persistence malware including AquaShell, AquaTunnel, AquaPurge, and Chisel to maintain long-term control of compromised appliances. Cisco discovered the vulnerability on December 10, 2025, during a technical support investigation, and CISA added it to the Known Exploited Vulnerabilities catalog on December 17, 2025. Security patches were released on January 15, 2026, and organizations are strongly urged to upgrade immediately to protect their Cisco email security appliances from this critical threat.

Vulnerability Details

Critical Zero-Day in Cisco AsyncOS Spam Quarantine Interface

CVE-2025-20393 is a critical zero-day vulnerability affecting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances running vulnerable versions of Cisco AsyncOS software. The flaw arises from improper input validation (CWE-20) in the Spam Quarantine web interface and lets unauthenticated remote attackers execute arbitrary commands with root-level privileges. Exploitation is possible only when the Spam Quarantine feature is enabled and its web interface is exposed to the internet, an unsafe but common misconfiguration in enterprise deployments.

The vulnerability achieved the maximum CVSS score of 10.0 due to its combination of no authentication requirement, network-based attack vector, low attack complexity, and complete compromise of confidentiality, integrity, and availability. This critical Cisco security flaw provides attackers with immediate root access to affected email security appliances, bypassing all authentication mechanisms and security controls when the Spam Quarantine interface is internet-accessible.

Active Exploitation by China-Linked APT Group UAT-9686

The Cisco AsyncOS zero-day has been actively exploited since late November 2025 by UAT-9686, a sophisticated China-linked advanced persistent threat group. Cisco Talos researchers identified the exploitation campaign on December 10, 2025, during investigation of a technical support case. The threat actor demonstrates tooling overlaps with known APT groups including APT41 and UNC5174, indicating a well-resourced and experienced adversary targeting enterprise email infrastructure.

UAT-9686 leverages the vulnerability for initial access to Cisco email security appliances and then deploys a tailored malware toolkit designed for stealth and long-term appliance control. The post-exploitation activity demonstrates sophisticated tradecraft focused on maintaining persistent access while avoiding detection by security monitoring tools and incident response teams.

Advanced Persistence Malware Deployment

Following successful exploitation of the Cisco email gateway vulnerability, UAT-9686 deploys multiple custom malware components to establish persistence and command-and-control capabilities. The malware toolkit includes AquaShell, a Python-based web backdoor that provides covert remote access through the compromised web interface; AquaTunnel, a Go-based reverse SSH tunneling tool enabling encrypted communication channels; AquaPurge, a specialized log-clearing utility that destroys forensic evidence; and Chisel, an HTTP tunneling tool facilitating lateral movement and data exfiltration.

These persistence mechanisms are deeply embedded in the AsyncOS operating system and cannot be reliably removed through standard remediation procedures. Cisco has explicitly stated that full appliance rebuilds from clean images are required to eradicate confirmed compromises, as the APT malware modifies core system files and establishes multiple redundant persistence mechanisms that survive typical cleanup attempts.

Security Patches Released and Remediation Requirements

On January 15, 2026, Cisco released security patches addressing CVE-2025-20393 and updated the security advisory to Version 2.0 (Final). The patches fix the input validation vulnerability in the Spam Quarantine interface and remove known persistence mechanisms deployed by UAT-9686. Organizations running vulnerable versions of Cisco Secure Email Gateway (prior to 15.0.5-016, 15.5.4-012, 16.0.4-016) or Cisco Secure Email and Web Manager (prior to 15.0.2-007, 15.5.4-007, 16.0.4-010) must upgrade immediately to protected software releases.

In addition to patching, organizations must implement network-level mitigations including restricting internet exposure to the Spam Quarantine interface, enforcing strict firewall controls, separating mail processing and management interfaces onto different network segments, and exporting logs to external SIEM or syslog servers. These defense-in-depth measures protect against exploitation attempts and preserve forensic evidence that UAT-9686’s AquaPurge malware attempts to destroy on compromised systems.

Recommendations

Apply Security Patches Immediately

Upgrade to the fixed AsyncOS releases for Cisco Secure Email Gateway (versions 15.0.5-016, 15.5.4-012, or 16.0.4-016) and Cisco Secure Email and Web Manager (versions 15.0.2-007, 15.5.4-007, or 16.0.4-010). The patch addresses the vulnerability and removes persistence mechanisms deployed by threat actors.

Restrict Spam Quarantine Interface Access

Immediately remove or block internet access to the Spam Quarantine web interface. Configure firewall rules to allow connections only from trusted internal IP addresses. This is the most critical mitigation as the vulnerability requires the interface to be internet-exposed for remote exploitation.

Implement Network Segmentation

Deploy Cisco Secure Email Gateway and Secure Email and Web Manager (SEWM) appliances behind dedicated filtering firewalls. Separate mail processing and management functions onto different network interfaces. This limits attacker lateral movement and reduces the attack surface if a compromise occurs.

Hunt for Indicators of Compromise

Monitor network traffic for connections to known command-and-control infrastructure. Check file integrity of /data/web/euq_webui/htdocs/index.py for unauthorized modifications. Investigate any unusual outbound SSH connections from email appliances.

Enable External Log Forwarding

Configure log export to external SIEM or syslog servers immediately. UAT-9686 deploys AquaPurge to clear local logs and destroy forensic evidence. External log storage ensures attack artifacts are preserved for incident response and investigation.

Rebuild Confirmed Compromised Appliances

If exploitation is detected, perform a complete appliance rebuild from clean images. Standard remediation procedures will not remove UAT-9686 persistence mechanisms including AquaShell and AquaTunnel.

Indicators of Compromise (IoCs)

File Hashes (SHA256)
  • 2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef
  • 145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca
  • 85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc
Command-and-Control IP Addresses
  • 172[.]233[.]67[.]176
  • 172[.]237[.]29[.]147
  • 38[.]54[.]56[.]95
Compromised File Path
  • /data/web/euq_webui/htdocs/index.py
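The following script is an added example (not code from the advisory or from Cisco) of how a defender could turn the IoCs above into a hunt: it hashes a copy of index.py against the listed SHA256 values and scans firewall log lines for contact with the listed C2 addresses or unexpected outbound SSH from the appliance. The log line format and sample lines are constructed for illustration, not a real AsyncOS or firewall format.

```python
import hashlib
import re

# Indicators taken from the advisory above: SHA256 hashes, defanged C2 IPs, backdoored file path.
KNOWN_BAD_SHA256 = {
    "2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef",
    "145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca",
    "85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc",
}
DEFANGED_C2 = ["172[.]233[.]67[.]176", "172[.]237[.]29[.]147", "38[.]54[.]56[.]95"]
WATCHED_PATH = "/data/web/euq_webui/htdocs/index.py"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as '172[.]233[.]67[.]176' back into a usable IP string."""
    return indicator.replace("[.]", ".")


C2_IPS = {refang(ip) for ip in DEFANGED_C2}


def check_file_hash(content: bytes) -> dict:
    """Hash the bytes of a file (e.g. index.py copied off the appliance over a trusted
    channel) and report whether the digest matches a known-bad sample."""
    digest = hashlib.sha256(content).hexdigest()
    return {"path": WATCHED_PATH, "sha256": digest, "known_bad": digest in KNOWN_BAD_SHA256}


# Hypothetical log layout: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>"
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def hunt_log_lines(lines, appliance_ips):
    """Flag the two network signals the advisory tells defenders to look for:
    connections to known C2 addresses and outbound SSH (port 22) from an email appliance."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if dst in C2_IPS:
            findings.append(("c2_contact", line))
        if src in appliance_ips and dport == 22:
            findings.append(("outbound_ssh", line))
    return findings


SAMPLE_LOGS = [  # constructed sample lines; 10.0.5.20 stands in for the appliance
    "2026-01-16T03:12:09Z src=10.0.5.20 dst=172.233.67.176 dport=443 proto=tcp",
    "2026-01-16T03:12:11Z src=10.0.5.20 dst=203.0.113.8 dport=22 proto=tcp",
    "2026-01-16T03:13:00Z src=10.0.5.20 dst=10.0.9.40 dport=25 proto=tcp",
]
```

A clean hash result only shows the file does not match the three published samples; an unexpected digest for index.py still warrants comparison against a known-good image.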

MITRE ATT&CK TTPs

Tactics
  • TA0042: Resource Development
  • TA0001: Initial Access
  • TA0002: Execution
  • TA0003: Persistence
  • TA0005: Defense Evasion
  • TA0011: Command and Control
Techniques
  • T1588: Obtain Capabilities
  • T1588.005: Exploits
  • T1588.006: Vulnerabilities
  • T1190: Exploit Public-Facing Application
  • T1203: Exploitation for Client Execution
  • T1068: Exploitation for Privilege Escalation
  • T1059: Command and Scripting Interpreter
  • T1059.006: Python
  • T1505: Server Software Component
  • T1505.003: Web Shell
  • T1140: Deobfuscate/Decode Files or Information
  • T1070: Indicator Removal
  • T1070.002: Clear Linux or Mac System Logs
  • T1090: Proxy
  • T1572: Protocol Tunneling
  • T1095: Non-Application Layer Protocol
  • T1027: Obfuscated Files or Information

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4

https://blog.talosintelligence.com/uat-9686/
