Cisco warns that a China-linked threat actor actively exploits a maximum-severity zero-day vulnerability in Cisco AsyncOS software, allowing attackers to execute commands with root privileges on email security appliances.
Cisco discovered an intrusion campaign on December 10, 2025, targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances. A China-nexus advanced persistent threat actor codenamed UAT-9686 exploits the vulnerability to compromise a limited subset of appliances with certain ports exposed to the internet. The networking equipment major has not disclosed how many customers are affected. All releases of Cisco AsyncOS Software are vulnerable. For successful exploitation, appliances must have the Spam Quarantine feature enabled and exposed to the internet. The Spam Quarantine feature is not enabled by default.
In September 2025, CISA issued an Emergency Directive after discovering four actively exploited zero-days affecting millions of Cisco devices, including Adaptive Security Appliances and IOS systems. The attacks were connected to the same state-sponsored advanced persistent threat actor behind the "ArcaneDoor" cyberespionage campaign from spring 2024. Those attacks involved nation-state actors exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on Cisco ASAs and manipulating read-only memory to persist through reboots and system upgrades. The threat actors implanted malware including RayInitiator, a persistent multi-stage boot kit, and LINE VIPER, a shellcode loader for data exfiltration. Multiple US federal agencies were compromised as part of that campaign.
The vulnerability, tracked as CVE-2025-20393, carries a CVSS score of 10.0. It concerns improper input validation that allows threat actors to execute malicious instructions with elevated privileges on the underlying operating system.
Cisco's investigation revealed that attackers have planted persistence mechanisms to maintain control over compromised appliances. The exploitation dates back to at least late November 2025.
UAT-9686 has deployed multiple tools in these attacks, among them AquaTunnel and AquaShell.
The use of AquaTunnel has been previously associated with Chinese hacking groups like APT41 and UNC5174.
"This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance," Cisco stated in its advisory. "The ongoing investigation has revealed evidence of a persistence mechanism planted by the threat actors to maintain a degree of control over compromised appliances."
Regarding remediation, Cisco warned: "In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actor's persistence mechanism from the appliance."
Cisco also explained how AquaShell operates: "It listens passively for unauthenticated HTTP POST requests containing specially crafted data. If such a request is identified, the backdoor will then attempt to parse the contents using a custom decoding routine and execute them in the system shell."
Organizations using Cisco email security appliances must verify whether their Spam Quarantine feature is enabled by checking Network > IP Interfaces in the web management interface. Until Cisco releases a patch, administrators should implement all recommended mitigations including limiting internet access, deploying firewalls, separating mail and management functions, monitoring web logs, disabling HTTP for administrator portals, implementing strong authentication methods like SAML or LDAP, and changing default administrator passwords.
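As an added illustration (not Cisco's code and not taken from the advisory), the following Python triage script applies the traffic pattern described for AquaShell, unauthenticated HTTP POST requests to the appliance, to web access logs, in line with the recommendation to monitor web logs. The Combined-Log-Format-with-cookie layout, the paths `/login`, `/quarantine/process` and `/api/task`, the `sid` session cookie name and the trusted `10.0.0.0/8` range are assumptions, and the log lines are constructed; AsyncOS's real log layout may differ.

```python
import ipaddress
import re

# Assumed log layout: Combined Log Format with the request's Cookie header
# appended as a final quoted field. Adjust the pattern to the real appliance logs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

# Assumed names: the one endpoint that legitimately receives unauthenticated
# POSTs (the login form) and the networks management traffic is expected from.
LOGIN_PATHS = {"/login"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log lines (not real appliance output).
SAMPLE_LOGS = """
203.0.113.5 - - [10/Dec/2025:10:00:01 +0000] "GET /quarantine HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
203.0.113.5 - - [10/Dec/2025:10:00:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
203.0.113.5 - alice [10/Dec/2025:10:00:03 +0000] "POST /quarantine/search HTTP/1.1" 200 128 "-" "Mozilla/5.0" "sid=abc123"
198.51.100.77 - - [10/Dec/2025:10:00:04 +0000] "POST /quarantine/process HTTP/1.1" 200 17 "-" "python-requests/2.31" "-"
10.1.2.3 - - [10/Dec/2025:10:00:05 +0000] "POST /api/task HTTP/1.1" 200 64 "-" "curl/8.0" "-"
""".strip().splitlines()


def is_trusted(src):
    """True if the source address falls inside an expected management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def suspicious_posts(lines):
    """Return (source, path, reason) for POSTs that carry no authenticated user
    and no session cookie and are not a login submission: the only requests a
    passive, unauthenticated POST-triggered backdoor would need to receive."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        authenticated = m["user"] != "-" or "sid=" in m["cookie"]
        if authenticated or m["path"] in LOGIN_PATHS:
            continue
        reason = "unauthenticated POST outside login flow"
        if not is_trusted(m["src"]):
            reason += " from untrusted source"
        hits.append((m["src"], m["path"], reason))
    return hits
```

Any hit is a lead to review against the appliance's expected endpoints, not proof of compromise; a trusted-source hit still deserves a look because a web shell answers whoever posts to it.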
Email gateways are targeted because they sit at the network perimeter and handle untrusted external content, making them attractive high-impact entry points.
Compromising network appliances allows attackers to bypass endpoint defenses entirely while gaining persistent, organization-wide access.
Compromised gateways can also serve as a foothold for credential harvesting, internal reconnaissance, traffic interception, and lateral movement.