Computing

Cisco Patches Zero-Day RCE Exploited by China-Linked APT in Secure Email Gateways

News Room
News Room
Cisco Patches Zero-Day RCE Exploited by China-Linked APT in Secure Email Gateways

Jan 16, 2026Ravie LakshmananVulnerability / Web Security

Cisco on Thursday released security updates for a maximum-severity security flaw impacting Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, nearly a month after the company disclosed that it had been exploited as a zero-day by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686.

The vulnerability, tracked as CVE-2025-20393 (CVSS score: 10.0), is a remote command execution flaw arising as a result of insufficient validation of HTTP requests by the Spam Quarantine feature. Successful exploitation of the defect could permit an attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.

However, for the attack to work, three conditions must be met –

  • The appliance is running a vulnerable release of Cisco AsyncOS Software
  • The appliance is configured with the Spam Quarantine feature
  • The Spam Quarantine feature is exposed to and reachable from the internet

Last month, the networking equipment major revealed that it found evidence of UAT-9686 exploiting the vulnerability as early as late November 2025 to drop tunneling tools like ReverseSSH (aka AquaTunnel) and Chisel, and a log cleaning utility called AquaPurge.

Cybersecurity

The attacks are also characterized by the deployment of a lightweight Python backdoor dubbed AquaShell that’s capable of receiving encoded commands and executing them.

The vulnerability has now been addressed in the following versions, in addition to removing the persistence mechanisms that were identified in this attack campaign and installed on the appliances –

Cisco Email Security Gateway

  • Cisco AsyncOS Software Release 14.2 and earlier (Fixed in 15.0.5-016)
  • Cisco AsyncOS Software Release 15.0 (Fixed in 15.0.5-016)
  • Cisco AsyncOS Software Release 15.5 (Fixed in 15.5.4-012)
  • Cisco AsyncOS Software Release 16.0 (Fixed in 16.0.4-016)

Secure Email and Web Manager

  • Cisco AsyncOS Software Release 15.0 and earlier (Fixed in 15.0.2-007)
  • Cisco AsyncOS Software Release 15.5 (Fixed in 15.5.4-007)
  • Cisco AsyncOS Software Release 16.0 (Fixed in 16.0.4-010)

Additionally, Cisco is also urging customers to follow hardening guidelines to prevent access from the unsecured networks, secure the appliances behind a firewall, monitor web log traffic for any unexpected traffic to/from appliances, disable HTTP for the main administrator portal, disable any network services that are not required, enforce a strong form of end-user authentication to the appliances (e.g., SAML or LDAP), and change the default administrator password to a more secure variant.

Share This Article
Previous Article After backlash, X restricts Grok from generating sexualized images of real people – News After backlash, X restricts Grok from generating sexualized images of real people – News
Next Article Popular Cheap Android Phone Brand Confirms Your Worst Fears – Price Hikes Are Coming – BGR Popular Cheap Android Phone Brand Confirms Your Worst Fears – Price Hikes Are Coming – BGR
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Stay Connected

Latest News

a fishing rod and a car with missiles
a fishing rod and a car with missiles
Mobile
NASA wants to install a nuclear power plant on the Moon
NASA wants to install a nuclear power plant on the Moon
Mobile
Oppo to launch first eSIM smartphone tonight, confirms Find X9 series with eSIM version · TechNode
Oppo to launch first eSIM smartphone tonight, confirms Find X9 series with eSIM version · TechNode
Computing
Battery maker Pure Lithium moving to Chicago, investing M
Battery maker Pure Lithium moving to Chicago, investing $46M
News
Lost your password?