Cisco has alerted users to a maximum-severity zero-day flaw in Cisco AsyncOS software that has been actively exploited by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686 in attacks targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.
The networking equipment major said it became aware of the intrusion campaign on December 10, 2025, and that it has singled out a "limited subset of appliances" with certain ports open to the internet. It's currently not known how many customers are affected.
"This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance," Cisco said in an advisory. "The ongoing investigation has revealed evidence of a persistence mechanism planted by the threat actors to maintain a degree of control over compromised appliances."
The as-yet-unpatched vulnerability is being tracked as CVE-2025-20393, and carries a CVSS score of 10.0. It concerns a case of improper input validation that allows threat actors to execute malicious instructions with elevated privileges on the underlying operating system.
All releases of Cisco AsyncOS Software are affected. However, for successful exploitation to occur, the following conditions have to be met for both physical and virtual versions of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances -
- The appliance is configured with the Spam Quarantine feature
- The Spam Quarantine feature is exposed to and reachable from the internet
It's worth noting that the Spam Quarantine feature is not enabled by default. To check if it's enabled, users are advised to follow the below steps -
- Connect to the web management interface
- Navigate to Network > IP Interfaces > [Select the Interface on which Spam Quarantine is configured] (for Secure Email Gateway) or Management Appliance > Network > IP Interfaces > [Select the interface on which Spam Quarantine is configured] (for Secure Email and Web Manager)
- If the Spam Quarantine option is checked, the feature is enabled
The exploitation activity observed by Cisco dates back to at least late November 2025, with UAT-9686 weaponizing the vulnerability to drop tunneling tools like ReverseSSH (aka AquaTunnel) and Chisel, as well as a log cleaning utility called AquaPurge. The use of AquaTunnel has been previously associated with Chinese hacking groups like APT41 and UNC5174.
Also deployed in the attacks is a lightweight Python backdoor dubbed AquaShell that's capable of receiving encoded commands and executing them.
"It listens passively for unauthenticated HTTP POST requests containing specially crafted data," Cisco said. "If such a request is identified, the backdoor will then attempt to parse the contents using a custom decoding routine and execute them in the system shell."
In the absence of a patch, users are advised to restore their appliances to a secure configuration, limit access from the internet, secure the devices behind a firewall to allow traffic only from trusted hosts, separate mail and management functionality onto separate network interfaces, monitor web log traffic for any unexpected traffic, and disable HTTP for the main administrator portal.
It's also recommended to turn off any network services that are not required, use strong end-user authentication methods like SAML or LDAP, and change the default administrator password to a more secure variant.
"In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actor's persistence mechanism from the appliance," the company said.
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary mitigations by December 24, 2025, to secure their networks.
The disclosure comes as GreyNoise said it has detected a "coordinated, automated credential-based campaign" aimed at enterprise VPN authentication infrastructure, specifically probing exposed or weakly protected Cisco SSL VPN and Palo Alto Networks GlobalProtect portals.
More than 10,000 unique IPs are estimated to have engaged in automated login attempts to GlobalProtect portals located in the U.S., Pakistan, and Mexico using common username and password combinations on December 11, 2025. A similar spike in opportunistic brute-force login attempts has been recorded against Cisco SSL VPN endpoints as of December 12, 2025. The activity originated from 1,273 IP addresses.
"The activity reflects large-scale scripted login attempts, not vulnerability exploitation," the threat intelligence firm said. "Consistent infrastructure usage and timing indicate a single campaign pivoting across multiple VPN platforms."
