Full Report
Cisco on Thursday released security updates for a maximum-severity security flaw impacting Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, nearly a month after the company disclosed that it had been exploited as a zero-day by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686. The vulnerability, tracked as CVE-2025-20393 (CVSS
Analysis Summary
# Threat Actor: UAT-9686
## Attribution & Identity
* **Identification:** Advanced Persistent Threat (APT) actor.
* **Attribution:** China-nexus.
* **Known Aliases and Associated Groups:** UAT-9686.
## Activity Summary
* **Recent Campaigns:** Exploitation of a zero-day vulnerability (CVE-2025-20393) in Cisco Secure Email Gateway and Cisco Secure Email and Web Manager products.
* **Timeline:** Observed exploiting the vulnerability as early as late November 2025; Cisco released patches nearly a month after disclosing the exploitation (January 2026).
* **Objective (Inferred):** Establishing persistence and maintaining access within target environments, demonstrated by the deployment of various tools post-exploitation.
## Tactics, Techniques & Procedures
* **Initial Access/Exploitation:** Exploitation of **CVE-2025-20393** (CVSS 10.0), a Remote Command Execution (RCE) flaw in the Spam Quarantine feature of Cisco AsyncOS, achieved via insufficient HTTP request validation.
* **Persistence & Command and Control (C2):**
  * Dropping tunneling tools: **ReverseSSH (aka AquaTunnel)** and **Chisel**.
  * Deployment of a lightweight Python backdoor named **AquaShell**, capable of receiving and executing encoded commands.
* **Defense Evasion/Cleanup:** Use of a log cleaning utility named **AquaPurge**.
* **Privilege Escalation:** Successful exploitation allowed the actor to execute arbitrary commands with **root privileges** on the underlying operating system.
## Targeting
* **Vulnerability Context:** Targeting systems running vulnerable versions of Cisco AsyncOS Software, specifically those configured with the Spam Quarantine feature exposed to the internet.
* **Sectors:** Not explicitly detailed in the provided context; the targeting of Secure Email Gateways suggests organizations for which email communications are sensitive.
* **Geography:** Not specified; affected organizations are those where Cisco Secure Email products are deployed. The actor itself is assessed as China-nexus.
* **Victims:** Specific victims were not detailed in the summary context.
## Tools & Infrastructure
* **Malware Families Used:**
  * ReverseSSH (aka AquaTunnel)
  * Chisel
  * AquaShell (lightweight Python backdoor)
  * AquaPurge (log cleaning utility)
* **Infrastructure:** No specific C2 domains or IPs were detailed in the provided excerpt.
## Implications
* The exploitation of a maximum-severity RCE zero-day (CVE-2025-20393) highlights the threat actor's capability to rapidly weaponize vulnerabilities in widely deployed network infrastructure devices. Because exploitation yields root-level command execution, a successful attack gives complete control over the affected appliance.
## Mitigations
* **Immediate Action (Patching):** Apply Cisco's security updates for the affected Cisco Secure Email Gateway and Secure Email and Web Manager versions.
* **Configuration Hardening (Pre-Patch/General):**
  * Place appliances behind a firewall.
  * Monitor web logs for unexpected traffic to or from the appliances.
  * Disable HTTP for the main administrator portal.
  * Disable any network services that are not required.
  * Enforce strong end-user authentication (e.g., SAML or LDAP).
  * Change the default administrator password.
* **Post-Compromise:** Investigate and remove persistence mechanisms installed during the attack campaign (ReverseSSH, Chisel, AquaShell, AquaPurge).
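The "monitor web logs for unexpected traffic" mitigation above is the one item in the list that needs logic rather than a configuration change. The script below is an added example, written for this summary and not taken from the report or from Cisco: it parses access-log lines and flags requests to sensitive interfaces (the quarantine and admin paths) that arrive from outside an operator-defined allowlist of source networks, plus requests using HTTP methods the appliance is not expected to serve. The combined log format, the `/quarantine` and `/admin` path prefixes, the allowlisted networks and the sample log lines are all assumptions constructed for the example; the appliance's real log layout and interface paths must be taken from your own deployment.

```python
"""Flag unexpected web traffic to an email-security appliance.

Added example (not from the original report or from Cisco). The log format,
path prefixes, allowlisted networks and sample lines are assumptions.
"""
import ipaddress
import re
from typing import Iterable, Optional

# Assumed: Apache/NGINX-style combined log format. Verify the real appliance
# log layout against your own deployment before using this in anger.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed: networks from which quarantine/admin access is legitimately expected.
EXPECTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Placeholder prefixes for the quarantine and admin interfaces; the report does
# not specify them, so set these from your own appliance configuration.
SENSITIVE_PREFIXES = ("/quarantine", "/admin")

# Methods the appliance's web interfaces are expected to serve.
EXPECTED_METHODS = {"GET", "POST", "HEAD"}


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_expected_source(src: str) -> bool:
    """True if the source address falls inside an allowlisted network."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in EXPECTED_SOURCES)


def find_unexpected(lines: Iterable[str]) -> list:
    """Return the records an analyst should look at, each with a reason.

    Unparseable lines are reported too: a log line that does not fit the
    expected layout is itself worth a look on a device that may have been
    tampered with (the report names a log cleaning utility, AquaPurge).
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append({"line": line, "reason": "unparseable"})
            continue
        reasons = []
        if rec["path"].startswith(SENSITIVE_PREFIXES) and not is_expected_source(rec["src"]):
            reasons.append("sensitive path from non-allowlisted source")
        if rec["method"] not in EXPECTED_METHODS:
            reasons.append(f"unexpected method {rec['method']}")
        if reasons:
            findings.append({**rec, "reason": "; ".join(reasons)})
    return findings


# Constructed sample lines: not real appliance logs and not indicators.
SAMPLE_LOG = [
    '10.1.2.3 - - [01/Dec/2025:09:00:01 +0000] "GET /quarantine/login HTTP/1.1" 200 1024',
    '203.0.113.7 - - [01/Dec/2025:09:00:05 +0000] "POST /quarantine/login HTTP/1.1" 302 0',
    '10.1.2.4 - - [01/Dec/2025:09:00:09 +0000] "GET /static/logo.png HTTP/1.1" 200 512',
    'garbage line',
]

if __name__ == "__main__":
    for f in find_unexpected(SAMPLE_LOG):
        print(f["reason"], "->", f.get("src"), f.get("path"))
```

Run it against a real log export by replacing `SAMPLE_LOG` with the file's lines; the allowlist approach deliberately favours false positives, since on a device whose quarantine interface should never be reached from the internet, any external hit on that path is the "unexpected traffic" the mitigation asks you to look for.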