China-linked APT UAT-9686 abused now patched maximum severity AsyncOS bug
Cisco patched the maximum-severity AsyncOS vulnerability CVE-2025-20393 (CVSS 10.0), which the China-linked APT group UAT-9686 exploited as a zero-day against Secure Email products to execute root commands and install a persistence mechanism.

2026-1-16 10:17:4 Author: securityaffairs.com (view original)

Cisco fixed a maximum severity AsyncOS flaw in Secure Email products, previously exploited as a zero-day by China-linked APT group UAT-9686.

Cisco fixed a critical AsyncOS flaw, tracked as CVE-2025-20393 (CVSS score of 10.0), affecting Secure Email Gateway and Email and Web Manager, previously exploited as a zero-day by China-linked APT group UAT-9686.

Cisco detected attacks on exposed AsyncOS email appliances that let attackers run root commands and install persistence. The flaw has since been remediated.

“On December 10, Cisco became aware of a new cyberattack campaign targeting a limited subset of appliances with certain ports open to the internet that are running Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.” reads the advisory. “This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.”

The flaw stems from improper HTTP request validation in the Spam Quarantine feature, allowing attackers to send crafted requests and execute root-level commands on affected devices.

“This vulnerability is due to insufficient validation of HTTP requests by the Spam Quarantine feature. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device.” continues the report. “A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.”

Cisco confirmed that threat actors deployed a persistence mechanism that allowed them to maintain control over compromised systems.

The networking giant confirmed attacks targeted Secure Email Gateway and Secure Email and Web Manager appliances running vulnerable AsyncOS with Spam Quarantine enabled and exposed online. The company states that the feature is disabled by default. Cisco Secure Email Cloud and Secure Web products are not affected. The investigation is complete, and no further updates are expected.

Below are the impacted releases:

Cisco Email Security Gateway

Cisco AsyncOS Software Release    First Fixed Release
14.2 and earlier                  15.0.5-016
15.0                              15.0.5-016
15.5                              15.5.4-012
16.0                              16.0.4-016

Secure Email and Web Manager

Cisco AsyncOS Software Release    First Fixed Release
15.0 and earlier                  15.0.2-007
15.5                              15.5.4-007
16.0                              16.0.4-010

The exploitation of CVE-2025-20393 was discovered by Cisco’s own Talos security experts. The attacks have been aimed at “a limited subset of appliances with certain ports open to the internet”. 

“In December 2025, the Cisco Product Security Incident Response Team (PSIRT) became aware of potentially malicious activity that targets Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances.” concludes the advisory. 

The attackers deploy a custom persistence mechanism dubbed “AquaShell,” alongside tools for reverse tunneling and log deletion to maintain stealth and long-term access.

“Cisco Talos is tracking the active targeting of Cisco AsyncOS Software for Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA), enabling attackers to execute system-level commands and deploy a persistent Python-based backdoor, AquaShell.” states Cisco Talos. “Cisco became aware of this activity on December 10, which has been ongoing since at least late November 2025. Additional tools observed include AquaTunnel (reverse SSH tunnel), chisel (another tunneling tool), and AquaPurge (log-clearing utility).”

Analysis shows that only appliances running non-standard configurations, as outlined in Cisco’s advisory, have been compromised, suggesting misconfigurations play a key role in exposure.

AquaShell is a lightweight Python backdoor embedded in a Cisco AsyncOS web server file that executes encoded shell commands sent via unauthenticated HTTP POST requests. It’s installed by decoding a data blob into a modified index.py. Attackers used AquaPurge to erase traces by removing specific keywords from log files. AquaTunnel, a Go-based ReverseSSH variant, allows attackers to establish persistent reverse SSH access to attacker servers, while Chisel enables HTTP-based tunneling to proxy traffic and pivot from compromised appliances into internal networks.
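The paragraph above describes three behaviours a defender can turn into host-side checks: a modified web handler (index.py) that decodes a POST body and hands it to a shell, and log scrubbing that deletes lines containing chosen keywords. The script below is an added example, not code from the article, from Cisco or from Talos; it does not reproduce AquaShell. The file contents, hashes, hostnames and log format are constructed for the demo, and the real AsyncOS file paths and log formats are not known from the article. It checks a handler against a recorded known-good hash, flags the decode-then-execute pattern in its source, and compares a local log against a syslog-forwarded copy, since keyword deletion on the appliance cannot reach lines that already left it.

```python
import hashlib
import re

# --- Constructed sample inputs (not from the article) ---------------------

# Known-good content of the web handler as recorded from a clean install.
CLEAN_INDEX_PY = "def handle(req):\n    return render('index')\n"
CLEAN_SHA256 = hashlib.sha256(CLEAN_INDEX_PY.encode()).hexdigest()

# Constructed stand-in for a modified handler: it decodes a POST body and
# passes the result to a shell, the behaviour the article attributes to
# AquaShell. Illustrative structure only, not the real backdoor.
MODIFIED_INDEX_PY = (
    "import base64, subprocess\n"
    "def handle(req):\n"
    "    if req.method == 'POST':\n"
    "        data = base64.b64decode(req.body)\n"
    "        return subprocess.check_output(data, shell=True)\n"
    "    return render('index')\n"
)

# Constructed web-access log lines. The forwarded copy reached a remote
# collector before any local editing; the line format is invented here.
FORWARDED_LOG = [
    "Nov 28 02:14:01 esa01 gui_logs: 10.0.0.5 POST /index.py 200",
    "Nov 28 02:14:02 esa01 gui_logs: 10.0.0.5 POST /index.py 200",
    "Nov 28 02:15:10 esa01 gui_logs: 10.0.0.7 GET /login 200",
]
# Local copy after keyword-based deletion of every line mentioning index.py.
LOCAL_LOG = [
    "Nov 28 02:15:10 esa01 gui_logs: 10.0.0.7 GET /login 200",
]

# --- Checks ----------------------------------------------------------------

DECODE_CALL = re.compile(
    r"\b(b64decode|b32decode|a85decode|fromhex|zlib\.decompress|marshal\.loads)\s*\("
)
EXEC_CALL = re.compile(
    r"\b(subprocess\.(?:Popen|run|call|check_output)|os\.(?:system|popen)|exec|eval)\s*\("
)


def integrity_ok(content: str, expected_sha256: str) -> bool:
    """True when the file still matches the recorded known-good hash."""
    return hashlib.sha256(content.encode()).hexdigest() == expected_sha256


def decode_exec_findings(content: str) -> list:
    """Flag the 'decode a blob, then execute it' pattern in a handler.

    Either call alone is common in legitimate code; the combination inside
    one request handler is what a reviewer should look at.
    """
    findings = []
    dec = DECODE_CALL.search(content)
    exe = EXEC_CALL.search(content)
    if dec and exe:
        findings.append(f"decode-then-exec: {dec.group(1)} -> {exe.group(1)}")
    if re.search(r"shell\s*=\s*True", content):
        findings.append("shell=True in subprocess call")
    return findings


def purged_lines(local_log: list, forwarded_log: list) -> list:
    """Lines that reached the forwarding collector but are gone locally.

    Keyword-based scrubbing on the appliance cannot reach the remote copy,
    so a line present remotely and absent locally is evidence of deletion.
    """
    local = set(local_log)
    return [line for line in forwarded_log if line not in local]


def triage(index_py: str, expected_sha256: str, local_log: list, forwarded_log: list) -> dict:
    """Run all three checks and return the findings as one record."""
    return {
        "integrity_ok": integrity_ok(index_py, expected_sha256),
        "code_findings": decode_exec_findings(index_py),
        "purged_lines": purged_lines(local_log, forwarded_log),
    }


if __name__ == "__main__":
    for key, value in triage(MODIFIED_INDEX_PY, CLEAN_SHA256, LOCAL_LOG, FORWARDED_LOG).items():
        print(f"{key}: {value}")
```

The hash check is the reliable part and requires a baseline captured before exposure; the pattern scan is a heuristic that will produce false positives on legitimate code and is meant to prioritise review, not to decide. The log comparison only works if logs are forwarded off the appliance, which is the real mitigation against the keyword-scrubbing behaviour described.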

In December, U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the zero-day flaw to its Known Exploited Vulnerabilities catalog.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, UAT-9686)


Source: https://securityaffairs.com/186985/apt/china-linked-apt-uat-9686-abused-now-patched-maximum-severity-asyncos-bug.html