Ethical Hacking News
Cisco Systems has released security updates to address a critical zero-day vulnerability in its Secure Email Gateways that was exploited by a China-linked APT actor. The vulnerability allows attackers to execute arbitrary commands with root privileges, making it crucial for organizations to patch these vulnerabilities and implement robust security measures.
Cisco Systems has released security updates to address a critical zero-day vulnerability in its AsyncOS Software. The vulnerability, CVE-2025-20393 (CVSS score: 10.0), is a remote command execution flaw that allows attackers to execute arbitrary commands with root privileges. Successful exploitation of this defect poses significant risks to email gateway systems and requires three specific conditions to be met. The attacks are attributed to a China-linked advanced persistent threat (APT) actor known as UAT-9686. Cisco has released security updates that patch the vulnerability in specified versions of its AsyncOS Software and Secure Email and Web Manager systems. Organizations must take immediate action to patch these vulnerabilities and implement robust security measures such as multi-factor authentication, intrusion detection systems, and regular security audits.
Cisco Systems, Inc. has recently released security updates to address a critical zero-day vulnerability in its AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The vulnerability, tracked as CVE-2025-20393 (CVSS score: 10.0), is a remote command execution flaw that arises due to insufficient validation of HTTP requests by the Spam Quarantine feature.
Successful exploitation of this defect would allow an attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance, thus posing significant risks to the security and integrity of the email gateway systems. The attack vectors are quite complex, as they rely on three specific conditions being met: the appliance must be running a vulnerable release of Cisco AsyncOS Software; the Spam Quarantine feature must be enabled and exposed to and reachable from the internet; and finally, an attacker must successfully exploit this vulnerability.
The attacks in question are attributed to a China-linked advanced persistent threat (APT) actor known as UAT-9686. In November 2025, Cisco revealed that it had discovered evidence of this APT group exploiting the vulnerability, as well as deploying tunneling tools such as ReverseSSH and Chisel, as well as a log cleaning utility called AquaPurge.
Furthermore, the attacks also involve the deployment of a lightweight Python backdoor dubbed AquaShell. This tool is capable of receiving encoded commands and executing them, thus serving as a potential entry point for further malicious activity. The tactics, techniques, and procedures (TTPs) employed by this APT group highlight the sophisticated nature of modern cyber threats.
In an effort to address these concerns, Cisco has released security updates that patch the vulnerability in the specified versions of its AsyncOS Software and Secure Email and Web Manager systems. Specifically, the following fixes have been applied:
- Cisco Email Security Gateway: Versions 14.2 and earlier (Fixed in 15.0.5-016), as well as releases 15.0 and 16.0.
- Cisco AsyncOS Software Release 15.0 and earlier (Fixed in 15.0.2-007) for Secure Email and Web Manager.
Additionally, Cisco is providing guidance to its customers on how they can prevent access from unsecured networks and secure their appliances behind firewalls, monitor web log traffic for unexpected activity, disable unnecessary network services, enforce strong forms of authentication, and change the default administrator password to a more secure variant.
In light of this vulnerability, organizations that utilize Cisco Secure Email Gateways should take immediate action to patch these vulnerabilities in order to protect themselves against the potential risks posed by UAT-9686. Furthermore, companies must implement robust security measures such as multi-factor authentication, intrusion detection systems, and regular security audits to ensure their email gateway systems remain secure.
It is also worth noting that Cisco's proactive approach to addressing this vulnerability demonstrates its commitment to maintaining the highest standards of cybersecurity for its customers. By staying vigilant and proactive in the face of emerging threats, companies can minimize their risk exposure and safeguard their sensitive information against the ever-evolving landscape of cyber threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Cisco-Patches-Critical-Zero-Day-Vulnerability-in-Secure-Email-Gateways-Exploited-by-China-Linked-APT-ehn.shtml
https://thehackernews.com/2026/01/cisco-patches-zero-day-rce-exploited-by.html
https://www.securityweek.com/china-linked-hackers-exploiting-zero-day-in-cisco-security-gear/
https://blog.netmanageit.com/cisco-patches-zero-day-rce-exploited-by-china-linked-apt-in-secure-email-gateways/
https://blog.talosintelligence.com/uat-9686/
Published: Fri Jan 16 00:33:29 2026 by llama3.2 3B Q4_K_M
