Critical CVE-2024-20353 Zero-Day Exploited by China-Linked APT Hits Cisco Secure Email Gateway and Secure Email and Web Manager
- Rescana
- Jan 19
- 4 min read

Executive Summary
A critical zero-day remote code execution (RCE) vulnerability in Cisco's Secure Email Gateway and Secure Email and Web Manager appliances has been actively exploited by a China-linked advanced persistent threat (APT) group. The vulnerability, tracked as CVE-2024-20353 with a CVSS score of 10.0, allows unauthenticated attackers to execute arbitrary commands as root on affected systems. The exploitation campaign leverages the Spam Quarantine feature, which, when exposed to the internet, becomes the attack vector. The threat actor has used this flaw to deploy custom malware, establish persistent access, and evade detection, targeting organizations across multiple sectors. Immediate patching and incident response are strongly advised.
Threat Actor Profile
The campaign has been attributed to a China-nexus APT group, identified in open-source reporting as UAT-9686. This group is known for sophisticated cyber-espionage operations, typically targeting government, critical infrastructure, and large enterprise environments. UAT-9686 demonstrates advanced capabilities in exploiting zero-day vulnerabilities, deploying custom malware, and maintaining long-term persistence within victim networks. Their operations are characterized by stealth, rapid exploitation of newly discovered vulnerabilities, and the use of advanced tunneling and log manipulation tools to evade detection and facilitate lateral movement.
Technical Analysis of Malware/TTPs
The exploited vulnerability, CVE-2024-20353, resides in the Spam Quarantine web interface of Cisco Secure Email Gateway and Secure Email and Web Manager appliances. The flaw is due to insufficient validation of user-supplied HTTP requests, enabling remote attackers to execute arbitrary system commands with root privileges.
The attack chain begins with the adversary sending a specially crafted HTTP request to the exposed Spam Quarantine interface. Upon successful exploitation, the attacker gains root shell access and deploys a suite of custom and open-source tools. Key malware and tools observed include:
AquaShell: A lightweight Python-based backdoor capable of receiving and executing base64-encoded commands, providing the attacker with a flexible command-and-control (C2) channel.
ReverseSSH (AquaTunnel): A tunneling utility that establishes encrypted SSH tunnels from the compromised appliance to attacker-controlled infrastructure, enabling remote access and data exfiltration.
Chisel: A TCP/UDP tunneling tool used for pivoting and lateral movement within the victim’s network.
AquaPurge: A log manipulation and cleaning utility designed to erase traces of malicious activity, thereby hindering forensic investigations.
Persistence is achieved by implanting covert channels and modifying system startup scripts, ensuring the attacker’s access survives reboots and routine maintenance. The threat actor also disables or manipulates logging and monitoring processes to further evade detection.
Exploitation in the Wild
Exploitation of CVE-2024-20353 was first observed in late 2023, with attacks intensifying in early 2024. The adversary specifically targeted internet-exposed appliances with the Spam Quarantine feature enabled. The initial access vector was the vulnerable web interface, after which the attacker rapidly deployed their toolset to establish persistence and begin reconnaissance.
Victims reported unusual outbound network connections originating from the Spam Quarantine interface, often directed to known C2 infrastructure or via SSH tunnels. Forensic analysis revealed the presence of AquaShell, ReverseSSH, and Chisel, as well as evidence of log tampering by AquaPurge. The attackers demonstrated a high level of operational security, frequently rotating C2 endpoints and cleaning up artifacts post-exploitation.
Victimology and Targeting
The campaign has impacted organizations using Cisco Secure Email Gateway and Secure Email and Web Manager appliances, particularly those with the Spam Quarantine feature exposed to the internet. While specific victim sectors are not exhaustively listed in public sources, the widespread deployment of these appliances suggests that enterprises, government agencies, and critical infrastructure operators are at elevated risk. The global footprint of Cisco's email security solutions means that organizations across North America, Europe, and Asia-Pacific are potential targets. The China-linked attribution and the sophistication of the campaign indicate a focus on high-value targets with sensitive data and strategic importance.
Mitigation and Countermeasures
Immediate action is required to mitigate the risk posed by this vulnerability. Organizations should upgrade to the fixed versions of Cisco AsyncOS as specified in the official advisories. The patched releases are:
For Cisco Secure Email Gateway: versions 15.0.5-016, 15.5.4-012, and 16.0.4-016.
For Cisco Secure Email and Web Manager: versions 15.0.2-007, 15.5.4-007, and 16.0.4-010.
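The fixed AsyncOS builds above are listed per release train, so "am I patched?" is a per-train comparison rather than a single threshold. The following added example (written for this page, not Rescana's or Cisco's code) parses the advisory's version strings and classifies an installed version as patched, vulnerable, or unknown; the hostnames and installed versions in the inventory are constructed, and the rule that a train not named in the advisory is reported as "unknown" rather than guessed is an assumption chosen to stay conservative.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases exactly as listed in the advisory text above, per product.
FIXED_RELEASES: Dict[str, List[str]] = {
    "Secure Email Gateway": ["15.0.5-016", "15.5.4-012", "16.0.4-016"],
    "Secure Email and Web Manager": ["15.0.2-007", "15.5.4-007", "16.0.4-010"],
}

# AsyncOS versions look like MAJOR.MINOR.PATCH-BUILD, e.g. 15.5.4-012.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '15.5.4-012' into (15, 5, 4, 12) so tuples compare numerically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def patch_status(product: str, installed: str) -> str:
    """
    Return 'patched', 'vulnerable' or 'unknown' for one installed version.

    A build is 'patched' only if it sits on the same MAJOR.MINOR train as a
    fixed release and is at least that build. A build on a listed train but
    below the fixed build is 'vulnerable'. Trains the advisory does not list
    (assumption: e.g. a 14.x or 16.1 train) are 'unknown' and must be checked
    against the vendor advisory by hand rather than assumed safe.
    """
    inst = parse_version(installed)
    for fixed in FIXED_RELEASES[product]:
        f = parse_version(fixed)
        if f[:2] == inst[:2]:  # same release train
            return "patched" if inst >= f else "vulnerable"
    return "unknown"


def triage_inventory(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group appliance hostnames by patch status for a (host, product, version) list."""
    report: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, product, version in inventory:
        report[patch_status(product, version)].append(host)
    return report


if __name__ == "__main__":
    # Constructed inventory for illustration; hostnames and versions are made up.
    sample_inventory = [
        ("esa-01.example.internal", "Secure Email Gateway", "15.5.4-012"),
        ("esa-02.example.internal", "Secure Email Gateway", "15.5.3-020"),
        ("sma-01.example.internal", "Secure Email and Web Manager", "16.0.4-009"),
        ("sma-02.example.internal", "Secure Email and Web Manager", "14.2.1-020"),
    ]
    for status, hosts in triage_inventory(sample_inventory).items():
        print(f"{status:>10}: {', '.join(hosts) or '-'}")
```

Feeding this the output of an asset inventory turns the advisory's version list into a per-appliance work queue; anything in the "unknown" bucket should be resolved against the vendor advisory rather than left as is.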
If patching is not immediately possible, disable the Spam Quarantine feature or restrict access to the management interface to trusted internal networks only. Do not expose the Spam Quarantine interface to the internet under any circumstances.
Conduct a thorough review of system and network logs for signs of compromise, including the presence of AquaShell, ReverseSSH, Chisel, and AquaPurge. Monitor for unusual outbound connections, especially SSH tunnels or traffic to known malicious infrastructure. Apply the latest Snort rules (65617, 65643, 65644, 65645) to detect exploitation attempts and related malicious activity.
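The page's clearest network-level indicator is an appliance that starts making its own outbound connections, particularly SSH tunnels to external hosts (ReverseSSH) or to internal hosts (Chisel pivoting). The following added example (not Rescana's, Cisco's or Talos's code) runs that logic over a few constructed connection-log lines; the appliance address, the key=value log format, the RFC 1918 definition of "internal", and the list of expected egress ports are all assumptions that would need to be adjusted to a real deployment.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: the appliance's own address; only connections it initiates matter here.
APPLIANCE_IP = "10.0.5.20"

# Assumption: what a mail security appliance legitimately talks to outbound.
EXPECTED_EGRESS_PORTS: Dict[int, str] = {25: "SMTP relay", 53: "DNS", 443: "updates/telemetry"}

# RFC 1918 ranges used as "internal"; TEST-NET ranges in the sample are treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log (firewall/netflow style); addresses are documentation ranges.
SAMPLE_LOG = """\
2024-01-19T03:12:41Z proto=tcp src=10.0.5.20 spt=51422 dst=203.0.113.9 dpt=25
2024-01-19T03:12:44Z proto=tcp src=10.0.5.20 spt=51430 dst=198.51.100.77 dpt=443
2024-01-19T03:13:02Z proto=tcp src=10.0.5.20 spt=51488 dst=192.0.2.45 dpt=22
2024-01-19T03:13:05Z proto=tcp src=10.0.5.20 spt=51490 dst=192.0.2.45 dpt=8443
2024-01-19T03:13:09Z proto=tcp src=10.0.5.20 spt=51491 dst=10.0.7.3 dpt=22
2024-01-19T03:14:10Z proto=tcp src=172.16.9.4 spt=40011 dst=10.0.5.20 dpt=443
"""


@dataclass
class Finding:
    ts: str
    dst: str
    dpt: int
    severity: str
    reason: str


def parse_line(line: str) -> Tuple[str, Dict[str, str]]:
    """Split 'TIMESTAMP key=value key=value ...' into (timestamp, fields)."""
    fields = line.split()
    kv = dict(f.split("=", 1) for f in fields[1:])
    return fields[0], kv


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(log_text: str, appliance_ip: str = APPLIANCE_IP) -> List[Finding]:
    """Flag appliance-initiated connections that match the tunnelling/pivoting pattern."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kv = parse_line(line)
        if kv.get("src") != appliance_ip:
            continue  # inbound or unrelated traffic; only the appliance's egress is of interest
        dst, dpt = kv["dst"], int(kv["dpt"])
        internal = is_internal(dst)
        if dpt == 22 and not internal:
            findings.append(Finding(ts, dst, dpt, "high",
                                    "outbound SSH from appliance to external host (reverse SSH tunnel pattern)"))
        elif dpt == 22:
            findings.append(Finding(ts, dst, dpt, "medium",
                                    "appliance initiating SSH to an internal host (pivoting pattern)"))
        elif not internal and dpt not in EXPECTED_EGRESS_PORTS:
            findings.append(Finding(ts, dst, dpt, "medium",
                                    f"outbound connection on unexpected port {dpt}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.severity.upper():6}] {f.ts} {APPLIANCE_IP} -> {f.dst}:{f.dpt}  {f.reason}")
```

On the constructed sample this reports the external SSH connection as high severity and the 8443 and internal-SSH connections as medium; the inbound admin session and the expected SMTP/HTTPS egress produce nothing. The same rule set maps directly onto a SIEM query keyed on the appliance's source address, which is the cheaper way to run it continuously.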
If compromise is suspected, engage with Cisco TAC or a trusted incident response provider for forensic analysis and remediation. Remove affected appliances from the network, reimage systems, and rotate credentials as necessary.
References
Cisco Security Advisory: cisco-sa-sma-attack-N9bf4
The Hacker News: Cisco Patches Zero-Day RCE Exploited by China-Linked APT
BleepingComputer: Cisco finally fixes AsyncOS zero-day exploited since November
MITRE ATT&CK Techniques: https://attack.mitre.org/
Cisco Talos Blog: UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their supply chain and digital ecosystem. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify vulnerabilities, prioritize remediation, and ensure compliance with industry standards. For more information about how Rescana can help strengthen your organization’s cyber resilience, or for any questions regarding this advisory, please contact us at ops@rescana.com.