Chinese Hackers Exploit Cisco's Unpatched Zero-Day Vulnerabilities
TL;DR
Cisco Customers Under Attack via Zero-Day Vulnerability
Cisco customers are facing a new wave of attacks from a Chinese threat group exploiting a critical zero-day vulnerability. This vulnerability affects Cisco's AsyncOS software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The attacks have been ongoing since at least late November. Cisco became aware of the attacks on December 10.
Technical Details of the Vulnerability (CVE-2025-20393)
The vulnerability, identified as CVE-2025-20393, has a CVSS rating of 10. It is an improper input validation vulnerability affecting Cisco AsyncOS software that allows attackers to execute commands with unrestricted privileges. This enables them to implant persistent backdoors on compromised devices. Successful exploitation requires the Spam Quarantine feature to be enabled and publicly exposed. This feature is not enabled by default.
- Cisco Security Advisory
- NIST CVE Details
- Explanation of Spam Quarantine Feature
- Steps to Check Spam Quarantine Configuration
Threat Actor: UAT-9686
Cisco Talos researchers attribute these attacks to a Chinese advanced persistent threat group tracked as UAT-9686. The group's tooling and infrastructure are consistent with those of other Chinese state-sponsored threat groups such as APT41 and UNC5174. The attackers are using tunneling tools such as ReverseSSH (aka AquaTunnel) and Chisel, along with a log-cleaning utility called AquaPurge.

Image courtesy of The Hacker News
- Cisco Talos Blog on UAT-9686
- GitHub IOCs
- APT41 Profile
- UNC5174 Details
AquaShell Backdoor
The attackers deployed a lightweight Python backdoor called AquaShell. The backdoor passively listens for unauthenticated HTTP POST requests containing specially crafted data. When it identifies such a request, it parses the body with a custom decoding routine and executes the decoded contents in the system shell.
- Cisco Talos Analysis of AquaShell
- Details on HTTP POST Requests
- Python Backdoor Information
- AquaShell Functionality
Mitigation Steps
As there is currently no patch, Cisco recommends restoring appliances to a secure configuration. Other recommendations include limiting access from the internet, placing devices behind a firewall that allows traffic only from trusted hosts, and separating mail and management functionality onto separate network interfaces. Disabling HTTP for the main administrator portal and monitoring web logs for unexpected traffic are also advised. Cisco also suggests turning off any unnecessary network services, using strong end-user authentication methods (such as SAML or LDAP), and changing the default administrator password. In case of confirmed compromise, Cisco says rebuilding the appliances is the only way to eradicate the threat actor's persistence mechanism.
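The AquaShell backdoor described above accepts unauthenticated HTTP POST requests, and Cisco's guidance is to restrict the web interface to trusted hosts and review web logs for unexpected traffic. The following added example (not code from Cisco, Talos or the original article) shows one way to turn that guidance into a log check: it scans constructed access-log lines for POST requests that carry no authenticated user and originate outside an assumed allowlist. The log layout, the paths and the trusted network are all assumptions for the sake of the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample web log in a Common Log Format-like layout (an assumption
# about field order, not the appliance's real log format). Paths are made up.
SAMPLE_LOG = """\
10.0.5.12 - admin [11/Dec/2025:09:01:02 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.77 - - [11/Dec/2025:09:03:10 +0000] "POST /quarantine/login HTTP/1.1" 200 18
10.0.5.12 - admin [11/Dec/2025:09:04:44 +0000] "POST /quarantine/search HTTP/1.1" 200 2048
198.51.100.9 - - [11/Dec/2025:09:05:01 +0000] "POST /quarantine/report HTTP/1.1" 200 31
198.51.100.9 - - [11/Dec/2025:09:05:03 +0000] "POST /quarantine/report HTTP/1.1" 200 29
192.0.2.4 - - [11/Dec/2025:09:06:00 +0000] "GET /quarantine/login HTTP/1.1" 200 900
"""

# Hosts allowed to reach the quarantine/management interface (assumed allowlist).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_trusted(ip, trusted_nets=TRUSTED_NETS):
    """True if the client address falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)

def find_suspicious_posts(log_text, trusted_nets=TRUSTED_NETS):
    """Count POST requests with no authenticated user that come from outside
    the allowlist, the traffic shape an unauthenticated backdoor listener
    would receive. Returns {(ip, path): count}."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["user"] != "-" or is_trusted(rec["ip"], trusted_nets):
            continue
        hits[(rec["ip"], rec["path"])] += 1
    return dict(hits)

if __name__ == "__main__":
    for (ip, path), n in sorted(find_suspicious_posts(SAMPLE_LOG).items()):
        print(f"{n:3d} unauthenticated POST(s) to {path} from untrusted {ip}")
```

Any hit here is a starting point for review, not proof of compromise; on a real appliance the allowlist and log format must be taken from the deployment itself.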
To protect against sophisticated threats like UAT-9686, organizations need advanced cybersecurity solutions. Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture. Our platform converges networking and security across devices, apps, and environments—from endpoints and private networks to cloud, remote access, and containers—using peer-to-peer encrypted tunnels and quantum-resistant cryptography.
- Cisco's Mitigation Guidance
- End-User Authentication Methods
- Zero-Trust Architecture
- Gopher Security
CISA Action
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies must apply the necessary mitigations by December 24, 2025, to secure their networks.
- CISA Adds CVE-2025-20393 to KEV
- CISA Known Exploited Vulnerabilities Catalog
- Federal Civilian Executive Branch Definition
- CISA Emergency Directive
Protect your organization with Gopher Security's AI-powered, post-quantum Zero-Trust cybersecurity architecture. Contact us today to learn more and secure your network against advanced threats.