**China-linked APT UAT-9686 Targets Cisco Secure Email Gateway and Secure Email and Web Manager with Critical Zero-Day**

Cisco has disclosed a critical zero-day vulnerability, tracked as CVE-2025-20393, in its Secure Email Gateway and Secure Email and Web Manager products. The vulnerability is being actively exploited by a China-linked threat group.
The attack campaign, which was first detected on December 10, targets certain Secure Email Gateway appliances with specific ports exposed to the internet. This allows attackers to run root-level commands and plant persistence mechanisms on the affected devices.
Cisco reported that the attackers have exploited a Remote Command Execution Vulnerability (CVE-2025-20393) in Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The exploitation of this vulnerability was discovered by Cisco's own Talos security experts.
"On December 10, Cisco became aware of a new cyberattack campaign targeting a limited subset of appliances with certain ports open to the internet that are running Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager," reads the advisory. "This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance."
The ongoing investigation has revealed evidence of a persistence mechanism planted by the threat actors to maintain control over compromised appliances.
**Attackers Deploy Custom Persistence Mechanism and Tools for Stealth and Long-Term Access**

Cisco Talos researchers have linked the activity to a China-linked APT tracked as UAT-9686, based on tooling and infrastructure overlaps with other China-nexus APTs. The attackers deploy a custom persistence mechanism dubbed "AquaShell," alongside tools for reverse tunneling and log deletion to maintain stealth and long-term access.
AquaShell is a lightweight Python backdoor embedded in a Cisco AsyncOS web server file that executes encoded shell commands sent via unauthenticated HTTP POST requests. It is installed by decoding a data blob into a modified index.py. The attackers used a separate tool, AquaPurge, to erase traces by removing specific keywords from log files.
AquaTunnel, a Go-based ReverseSSH variant, allows attackers to establish persistent reverse SSH access to attacker servers, while Chisel enables HTTP-based tunneling to proxy traffic and pivot from compromised appliances into internal networks.
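As an added defender-side example (not Cisco's or Talos's code, and not an IoC from the advisory), the following Python helper triages an exported copy of the AsyncOS web server file named above: it compares the file's hash against a known-good baseline taken from an unaffected appliance and flags the behaviour pattern the text describes, a request-body decode chained to shell execution on a POST. The baseline content, the tampered fragment and the heuristic patterns are constructed for illustration.

```python
"""Triage an exported copy of index.py for the AquaShell-style pattern:
encoded command arriving by HTTP POST, decoded, then executed via a shell.
Baseline, sample fragment and heuristics are constructed assumptions."""
import hashlib
import re

# Constructed stand-in for a clean index.py (not Cisco's real file).
CLEAN_INDEX = b"def index(req):\n    return render('index')\n"
# In practice take this hash from a known-good appliance of the same version.
BASELINE_SHA256 = hashlib.sha256(CLEAN_INDEX).hexdigest()

# Constructed, deliberately non-functional fragment with the described traits.
TAMPERED_FRAGMENT = (
    b"# constructed fragment for illustration, not working code\n"
    b"... if method == 'POST': ...\n"
    b"... base64.b64decode(body) ...\n"
    b"... subprocess.check_output(..., shell=True) ...\n"
)

# Heuristics: decoding of request data, shell/exec primitives, POST handling.
DECODE_RE = re.compile(rb"b64decode|b32decode|a85decode|bytes\.fromhex|zlib\.decompress")
EXEC_RE = re.compile(rb"subprocess\.|os\.system|os\.popen|\bexec\(|\beval\(")
POST_RE = re.compile(rb"\bPOST\b")


def hash_matches_baseline(content: bytes, baseline: str = BASELINE_SHA256) -> bool:
    """True when the exported file is byte-identical to the known-good copy."""
    return hashlib.sha256(content).hexdigest() == baseline


def suspicious_indicators(content: bytes) -> list:
    """Return the names of the heuristic indicators that fire on the content."""
    hits = []
    if DECODE_RE.search(content):
        hits.append("decode")
    if EXEC_RE.search(content):
        hits.append("exec")
    if POST_RE.search(content):
        hits.append("post")
    return hits


def triage(content: bytes, baseline: str = BASELINE_SHA256) -> dict:
    """Combine integrity check and heuristics into a single verdict."""
    hits = suspicious_indicators(content)
    return {
        "matches_baseline": hash_matches_baseline(content, baseline),
        "indicators": hits,
        # Only the full chain (POST -> decode -> exec) is treated as a likely backdoor.
        "likely_backdoor": {"decode", "exec", "post"} <= set(hits),
    }


if __name__ == "__main__":
    print(triage(CLEAN_INDEX))
    print(triage(TAMPERED_FRAGMENT))
```

A hash mismatch alone warrants inspection of the file; the heuristic verdict narrows down which mismatches match the described behaviour.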
**Indicators of Compromise (IoCs) and Recommendations**

Cisco shared indicators of compromise (IoCs) for this campaign. Users should review the IoCs and check their systems for any signs of compromise. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the Cisco zero-day to its Known Exploited Vulnerabilities catalog.
The analysis shows that only appliances running non-standard configurations, as outlined in Cisco's advisory, have been compromised, suggesting that misconfiguration plays a key role in exposure. Users should review their configurations and ensure they follow best practices to prevent similar attacks.
**Conclusion**

The exploitation of the CVE-2025-20393 vulnerability highlights the importance of regular security updates and patching. Users should prioritize updating their Secure Email Gateway and Secure Email and Web Manager products to protect against this critical zero-day vulnerability.
The China-linked APT UAT-9686's use of custom persistence mechanisms and tools for stealth and long-term access demonstrates the sophistication of modern threat actors. It's essential for organizations to stay vigilant and implement robust security measures to prevent similar attacks.