Cisco on Thursday launched security updates for a maximum-severity security flaw impacting Cisco AsyncOS Software program for Cisco Safe Electronic mail Gateway and Cisco Safe Electronic mail and Internet Supervisor, almost a month after the corporate disclosed that it had been exploited as a zero-day by a China-nexus superior persistent risk (APT) actor codenamed UAT-9686.
The vulnerability, tracked as CVE-2025-20393 (CVSS rating: 10.0), is a distant command execution flaw arising because of inadequate validation of HTTP requests by the Spam Quarantine function. Profitable exploitation of the defect may allow an attacker to execute arbitrary instructions with root privileges on the underlying working system of an affected equipment.
Nonetheless, for the assault to work, three circumstances have to be met –
- The equipment is operating a weak launch of Cisco AsyncOS Software program
- The equipment is configured with the Spam Quarantine function
- The Spam Quarantine function is uncovered to and reachable from the web
Final month, the networking tools main revealed that it discovered proof of UAT-9686 exploiting the vulnerability as early as late November 2025 to drop tunneling instruments like ReverseSSH (aka AquaTunnel) and Chisel, and a log cleansing utility known as AquaPurge.
The assaults are additionally characterised by the deployment of a light-weight Python backdoor dubbed AquaShell that is able to receiving encoded instructions and executing them.
The vulnerability has now been addressed within the following variations, along with eradicating the persistence mechanisms that had been recognized on this assault marketing campaign and put in on the home equipment –
Cisco Electronic mail Safety Gateway
- Cisco AsyncOS Software program Launch 14.2 and earlier (Fastened in 15.0.5-016)
- Cisco AsyncOS Software program Launch 15.0 (Fastened in 15.0.5-016)
- Cisco AsyncOS Software program Launch 15.5 (Fastened in 15.5.4-012)
- Cisco AsyncOS Software program Launch 16.0 (Fastened in 16.0.4-016)
Safe Electronic mail and Internet Supervisor
- Cisco AsyncOS Software program Launch 15.0 and earlier (Fastened in 15.0.2-007)
- Cisco AsyncOS Software program Launch 15.5 (Fastened in 15.5.4-007)
- Cisco AsyncOS Software program Launch 16.0 (Fastened in 16.0.4-010)
Moreover, Cisco can be urging clients to observe hardening tips to forestall entry from the unsecured networks, safe the home equipment behind a firewall, monitor internet log site visitors for any surprising site visitors to/from home equipment, disable HTTP for the principle administrator portal, disable any community providers that aren’t required, implement a robust type of end-user authentication to the home equipment (e.g., SAML or LDAP), and alter the default administrator password to a safer variant.
