China-linked APT UAT-9686 is targeting Cisco Secure Email Gateway and Secure Email and Web Manager

Cisco disclosed a critical zero-day (CVE-2025-20393) in Secure Email Gateway and Secure Email and Web Manager, actively exploited by a China-linked group.

Cisco disclosed a critical zero-day, tracked as CVE-2025-20393, in Secure Email Gateway and Secure Email/Web Manager, which is actively exploited by a China-linked threat group.

Cisco reported a December 10 campaign targeting certain Secure Email Gateway appliances with exposed ports, enabling attackers to run root-level commands and plant persistence mechanisms. Threat actors exploited a Remote Command Execution Vulnerability, tracked as CVE-2025-20393, in Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.

“On December 10, Cisco became aware of a new cyberattack campaign targeting a limited subset of appliances with certain ports open to the internet that are running Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.” reads the advisory. “This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance. The ongoing investigation has revealed evidence of a persistence mechanism planted by the threat actors to maintain a degree of control over compromised appliances.”

The exploitation of CVE-2025-20393 was discovered by Cisco’s own Talos security experts. The attacks have been aimed at “a limited subset of appliances with certain ports open to the internet”. 

Cisco Talos researchers uncovered a campaign targeting Cisco AsyncOS on Secure Email Gateway (ESA) and Secure Email and Web Manager (SMA) appliances. The experts linked, with moderate confidence, the activity to a China-linked APT tracked as UAT-9686, based on tooling and infrastructure overlaps with other China-nexus APTs. The attackers deploy a custom persistence mechanism dubbed “AquaShell,” alongside tools for reverse tunneling and log deletion to maintain stealth and long-term access.

“Cisco Talos is tracking the active targeting of Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA), enabling attackers to execute system-level commands and deploy a persistent Python-based backdoor, AquaShell.” states Cisco Talos. “Cisco became aware of this activity on December 10, which has been ongoing since at least late November 2025. Additional tools observed include AquaTunnel (reverse SSH tunnel), chisel (another tunneling tool), and AquaPurge (log-clearing utility).”

Analysis shows that only appliances running non-standard configurations, as outlined in Cisco’s advisory, have been compromised, suggesting misconfigurations play a key role in exposure.

AquaShell is a lightweight Python backdoor embedded in a Cisco AsyncOS web server file that executes encoded shell commands sent via unauthenticated HTTP POST requests. It’s installed by decoding a data blob into a modified index.py. Attackers used AquaPurge to erase traces by removing specific keywords from log files. AquaTunnel, a Go-based ReverseSSH variant, allows attackers to establish persistent reverse SSH access to attacker servers, while Chisel enables HTTP-based tunneling to proxy traffic and pivot from compromised appliances into internal networks.

Cisco shared indicators of compromise (IoCs) for this campaign.

This week, U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the zero-day Cisco to its Known Exploited Vulnerabilities catalog.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco)