Cisco has released security updates addressing a critical zero-day remote command execution vulnerability affecting its AsyncOS Software for Cisco Secure Email Gateway and Secure Email and Web Manager. The flaw, tracked as CVE-2025-20393 and carrying a CVSS score of 10.0, was exploited in the wild by a China-linked advanced persistent threat actor codenamed UAT-9686. The vulnerability stems from insufficient validation of HTTP requests handled by the Spam Quarantine feature, allowing attackers to execute arbitrary commands with root privileges on vulnerable appliances. Cisco confirmed that exploitation requires three specific conditions: the appliance must be running a vulnerable release of AsyncOS Software, the Spam Quarantine feature must be enabled, and the feature must be exposed to the internet.
Evidence suggests that UAT-9686 began leveraging the flaw in late November 2025 to deploy tunneling tools such as ReverseSSH, also known as AquaTunnel, and Chisel, along with a log cleaning utility called AquaPurge. The threat actor also utilized a lightweight Python backdoor named AquaShell, which receives encoded commands and executes them on compromised systems. Researchers highlighted that these tools allowed attackers to maintain persistence, move laterally within the network, and potentially manipulate email traffic or extract sensitive data. Cisco’s advisory notes that the attack was highly targeted, focusing on appliances accessible from unsecured networks.
The vulnerability has been patched across multiple AsyncOS versions. For Cisco Email Security Gateway, releases 14.2 and earlier are addressed in version 15.0.5-016, version 15.0 in 15.0.5-016, 15.5 in 15.5.4-012, and 16.0 in 16.0.4-016. Secure Email and Web Manager updates include release 15.0 and earlier fixed in 15.0.2-007, 15.5 fixed in 15.5.4-007, and 16.0 in 16.0.4-010. Cisco also removed persistence mechanisms associated with the attacks, preventing any previously deployed malicious components from continuing to operate on updated systems. Customers are urged to apply updates immediately to mitigate risks from ongoing or potential exploitation.
In addition to patching the flaw, Cisco provided hardening guidelines for affected appliances. Recommendations include placing devices behind firewalls, monitoring web log traffic for unexpected activity, disabling HTTP access for the main administrator portal, turning off unnecessary network services, enforcing strong authentication such as SAML or LDAP, and updating default administrator credentials to secure variants. The company emphasized that these steps are critical to prevent further compromise and to secure the appliance against potential attacks targeting exposed Spam Quarantine features. With the disclosure and remediation of CVE-2025-20393, organizations running Cisco Secure Email Gateways are advised to review network exposure and implement these security measures to reduce the risk of similar attacks.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
