Active exploitation of critical Cisco email security zero-day underway
Gugu Ntsele Dec 19, 2025 4:55:11 PM
Cisco warns that a China-linked threat actor is actively exploiting a maximum-severity zero-day vulnerability in Cisco AsyncOS software, allowing attackers to execute commands with root privileges on email security appliances.
What happened
Cisco discovered an intrusion campaign on December 10, 2025, targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances. A China-nexus advanced persistent threat actor codenamed UAT-9686 exploits the vulnerability to compromise a limited subset of appliances with certain ports exposed to the internet. The networking equipment major has not disclosed how many customers are affected. All releases of Cisco AsyncOS Software are vulnerable. For successful exploitation, appliances must have the Spam Quarantine feature enabled and exposed to the internet. The Spam Quarantine feature is not enabled by default.
The backstory
In September 2025, CISA issued an Emergency Directive after discovering four actively exploited zero-days affecting millions of Cisco devices, including Adaptive Security Appliances and IOS systems. The attacks were connected to the same state-sponsored advanced persistent threat actor behind the "ArcaneDoor" cyberespionage campaign from spring 2024. Those attacks involved nation-state actors exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on Cisco ASAs and manipulating read-only memory to persist through reboots and system upgrades. The threat actors implanted malware including RayInitiator, a persistent multi-stage boot kit, and LINE VIPER, a shellcode loader for data exfiltration. Multiple US federal agencies were compromised as part of that campaign.
Going deeper
The vulnerability, tracked as CVE-2025-20393, carries a CVSS score of 10.0. It concerns improper input validation that allows threat actors to execute malicious instructions with elevated privileges on the underlying operating system.
Cisco's investigation revealed that attackers have planted persistence mechanisms to maintain control over compromised appliances. The exploitation dates back to at least late November 2025.
UAT-9686 has deployed multiple tools in these attacks:
- ReverseSSH (also known as AquaTunnel) and Chisel tunneling tools
- AquaPurge, a log cleaning utility
- AquaShell, a lightweight Python backdoor that listens passively for unauthenticated HTTP POST requests containing specially crafted data
The use of AquaTunnel has been previously associated with Chinese hacking groups like APT41 and UNC5174.
What was said
"This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance," Cisco stated in its advisory. "The ongoing investigation has revealed evidence of a persistence mechanism planted by the threat actors to maintain a degree of control over compromised appliances."
Regarding remediation, Cisco warned: "In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actor's persistence mechanism from the appliance."
Cisco also explained how AquaShell operates: "It listens passively for unauthenticated HTTP POST requests containing specially crafted data. If such a request is identified, the backdoor will then attempt to parse the contents using a custom decoding routine and execute them in the system shell."
The bottom line
Organizations using Cisco email security appliances must verify whether their Spam Quarantine feature is enabled by checking Network > IP Interfaces in the web management interface. Until Cisco releases a patch, administrators should implement all recommended mitigations including limiting internet access, deploying firewalls, separating mail and management functions, monitoring web logs, disabling HTTP for administrator portals, implementing strong authentication methods like SAML or LDAP, and changing default administrator passwords.
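Cisco's mitigation list includes monitoring web logs, and its description of AquaShell says the backdoor waits for unauthenticated HTTP POST requests. The script below is an added example, not Cisco's code and not the appliance's real log format: it scores constructed combined-format web log lines for that pattern (unauthenticated POST from an external address, no Referer, non-browser User-Agent). The log layout, the /quarantine/ paths, the private-range list and the hit threshold are all assumptions.

```python
import ipaddress
import re

# Constructed sample lines in combined-log layout (assumed; the appliance's own web
# log format may differ, so adjust LINE_RE before reuse). Paths are hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Dec/2025:02:14:05 +0000] "POST /quarantine/login HTTP/1.1" 200 41 "-" "python-requests/2.31"
10.0.0.5 - alice [11/Dec/2025:08:01:12 +0000] "GET /quarantine/search HTTP/1.1" 200 8421 "https://mail.example.com/quarantine" "Mozilla/5.0"
198.51.100.9 - - [11/Dec/2025:02:14:09 +0000] "POST /quarantine/login HTTP/1.1" 200 33 "-" "curl/8.4.0"
10.0.0.5 - alice [11/Dec/2025:08:03:40 +0000] "POST /quarantine/release HTTP/1.1" 302 0 "https://mail.example.com/quarantine" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed internal ranges; replace with the ranges your mail and admin clients use.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)

def score_request(rec):
    # Collect the traits that match a passive, unauthenticated POST listener.
    reasons = []
    if rec["method"] != "POST":
        return reasons
    if rec["user"] == "-":
        reasons.append("unauthenticated POST")
    if is_external(rec["ip"]):
        reasons.append("external source")
    if rec["referer"] in ("", "-"):
        reasons.append("no referer")
    if "Mozilla/" not in rec["ua"]:
        reasons.append("non-browser user agent")
    return reasons

def find_suspicious(log_text, min_reasons=3):
    # Report requests that match at least min_reasons traits (threshold is a guess).
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and len(reasons := score_request(rec)) >= min_reasons:
            hits.append({"ip": rec["ip"], "path": rec["path"], "reasons": reasons})
    return hits
```

Run `find_suspicious` over exported logs from the quarantine listener's interface; a hit is a lead to triage against Cisco's advisory, not proof of compromise.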
FAQs
How common is it for email security appliances to be targeted in zero-day attacks?
Email gateways are targeted because they sit at the network perimeter and handle untrusted external content, making them attractive high-impact entry points.
Why do attackers prioritize appliance-level vulnerabilities over endpoint exploits?
Compromising network appliances allows attackers to bypass endpoint defenses entirely while gaining persistent, organization-wide access.
Could compromised email appliances be used to launch follow-on attacks inside a network?
Yes, attackers can use them for credential harvesting, internal reconnaissance, traffic interception, and lateral movement.