
Cisco AsyncOS Email Security Appliance Zero-Day (CVE-2025-20393) Actively Exploited in Ongoing Attacks

  • Rescana
  • 15 hours ago
  • 5 min read

Executive Summary

Cisco has issued an urgent security advisory regarding an actively exploited, unpatched zero-day vulnerability (CVE-2025-20393, CVSS 10.0) in Cisco AsyncOS software, which underpins the Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager (SEWM) appliances. This vulnerability, rooted in improper input validation (CWE-20), allows remote, unauthenticated attackers to execute arbitrary commands as root on the underlying operating system. The exploitation is being conducted by a sophisticated Chinese-nexus advanced persistent threat (APT) group, tracked as UAT-9686, which has established persistent access and deployed custom malware on compromised appliances. The attack surface is limited to appliances with the Spam Quarantine feature enabled and exposed to the internet—a configuration not enabled by default, but present in many enterprise deployments. The campaign has been ongoing since at least late November 2025, with evidence of widespread targeting across sectors. Immediate action is required to assess exposure, implement mitigations, and prepare for incident response.

Threat Actor Profile

The threat actor exploiting this vulnerability is tracked as UAT-9686, a Chinese-nexus APT group with significant overlaps in tactics, techniques, and infrastructure with other well-known Chinese state-backed groups such as UNC5174 and APT41. UAT-9686 is characterized by its focus on cyber espionage, targeting high-value email infrastructure to gain persistent access to sensitive communications. The group demonstrates advanced operational security, leveraging custom malware, log tampering, and covert channels to maintain stealth and persistence. Their campaigns are typically highly targeted, focusing on organizations of strategic interest to the Chinese state, including government, critical infrastructure, and large enterprises. The group’s use of novel malware and rapid exploitation of zero-day vulnerabilities underscores their technical sophistication and access to significant resources.

Technical Analysis of Malware/TTPs

The exploitation of CVE-2025-20393 leverages improper input validation in the Spam Quarantine web interface of Cisco AsyncOS. When this feature is enabled and accessible from the internet, attackers can send specially crafted requests that result in arbitrary command execution as the root user. This provides full control over the appliance, enabling the deployment of persistent malware and the establishment of covert command and control (C2) channels.

Upon successful exploitation, UAT-9686 deploys a suite of custom and open-source tools:

AquaShell is a bespoke persistence backdoor that provides remote shell access and can survive reboots and software upgrades. It is designed to blend in with legitimate system processes and uses encrypted communications to evade detection.

AquaTunnel is a reverse SSH tunnel implant that allows attackers to pivot into internal networks, bypassing perimeter defenses. It is often used in conjunction with Chisel, an open-source tool for creating fast TCP/UDP tunnels over HTTP, which further obfuscates C2 traffic.

AquaPurge is a log-clearing utility that systematically erases evidence of compromise, including authentication logs, command histories, and system events. This tool is critical to the group’s defense evasion strategy, making forensic analysis and incident response significantly more challenging.

The attackers also modify system configurations to disable security monitoring and ensure their implants are automatically restarted. They use scheduled tasks and systemd services to maintain persistence, and in some cases, deploy additional web shells for backup access.

The MITRE ATT&CK techniques observed in this campaign include Exploit Public-Facing Application (T1190), Command and Scripting Interpreter (T1059), Web Shell (T1505.003), File Deletion (T1070.004), and Protocol Tunneling (T1572).

Exploitation in the Wild

Active exploitation of CVE-2025-20393 was first detected by Cisco Talos in early December 2025, with forensic evidence indicating that attacks began in late November. The campaign is highly targeted, with attackers scanning for internet-exposed Spam Quarantine interfaces on vulnerable SEG and SEWM appliances. Once identified, exploitation is rapid and automated, with initial access often followed by immediate deployment of persistence mechanisms and C2 channels.

Compromised appliances are used as footholds for further lateral movement within victim networks, as well as for exfiltration of sensitive email data. The attackers have demonstrated the ability to maintain access for extended periods, even in the face of standard remediation efforts, due to their use of custom persistence techniques and log tampering.

Cisco has published a comprehensive set of indicators of compromise (IOCs), including file hashes, C2 domains, and IP addresses associated with the deployed malware. Organizations are strongly encouraged to consult the Cisco Talos IOC repository and conduct thorough forensic analysis of potentially affected appliances.

Victimology and Targeting

The primary targets of this campaign are organizations operating Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances with the Spam Quarantine feature enabled and accessible from the internet. While the full scope of victimology is not publicly disclosed, the targeting profile aligns with previous UAT-9686 operations, which have focused on government agencies, critical infrastructure providers, defense contractors, and large multinational enterprises.

Geographically, the campaign appears to have a global reach, with a particular emphasis on organizations of strategic interest to the Chinese state. The attackers are selective, prioritizing high-value targets with the potential to yield sensitive communications and facilitate further espionage activities.

The exploitation methodology suggests a high degree of reconnaissance and pre-attack scanning, with attackers leveraging internet-wide search tools and custom scripts to identify vulnerable appliances. Once a target is identified, exploitation and post-exploitation activities are highly automated, minimizing the window for detection and response.

Mitigation and Countermeasures

Immediate mitigation steps are essential to reduce the risk of compromise and limit the impact of successful exploitation. Organizations should take the following actions:

First, assess all Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances to determine if the Spam Quarantine feature is enabled and accessible from the internet. This can be verified via the management interface: for SEG, navigate to Network > IP Interfaces > [Select Interface] > Spam Quarantine; for SEWM, use Management Appliance > Network > IP Interfaces > [Select Interface] > Spam Quarantine.

If exposure is identified, immediately remove internet access to the Spam Quarantine and management interfaces. Place these interfaces behind firewalls and restrict access to trusted hosts only. Segregate mail and management interfaces to minimize the attack surface.

Disable any unused services, such as HTTP and FTP, and enforce strong authentication mechanisms, including SAML or LDAP integration. Change all default administrative passwords and review user accounts for unauthorized additions.

Conduct a comprehensive review of system logs and configurations, using the published IOCs to scan for evidence of compromise. Given the attackers’ use of log-clearing tools, external log aggregation and retention are strongly recommended to preserve forensic evidence.

If compromise is suspected or confirmed, a full rebuild of the affected appliance is required. The persistence mechanisms employed by UAT-9686 cannot be reliably removed through standard cleaning procedures. Engage with Cisco TAC for forensic support and follow their guidance for secure reinstallation.

Monitor for the release of security patches from Cisco and apply updates to AsyncOS as soon as they become available. Maintain ongoing vigilance for new advisories and threat intelligence related to this campaign.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their extended supply chain. Our advanced analytics and threat intelligence capabilities empower security teams to identify emerging threats, prioritize remediation, and ensure compliance with industry standards. For more information about how Rescana can help strengthen your organization’s cyber resilience, or for any questions regarding this advisory, please contact us at ops@rescana.com.
