Cybersecurity

Cisco Warns Of Active Attacks Exploiting Unpatched 0-day In Asyncos...

2025-12-18 0 views admin
Cisco Warns Of Active Attacks Exploiting Unpatched 0-day In Asyncos...

Cisco has alerted users of a maximum-severity zero-day flaw in Cisco AsyncOS software that has been actively exploited by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686 in attacks targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.

The networking equipment major said it became aware of the intrusion campaign on December 10, 2025, and that it has singled out a "limited subset of appliances" with certain ports open to the internet. It's currently not known how many customers are affected.

"This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance," Cisco said in an advisory. "The ongoing investigation has revealed evidence of a persistence mechanism planted by the threat actors to maintain a degree of control over compromised appliances."

The as-yet-unpatched vulnerability is being tracked as CVE-2025-20393, and carries a CVSS score of 10.0. It concerns a case of improper input validation that allows threat actors to execute malicious instructions with elevated privileges on the underlying operating system.

All releases of Cisco AsyncOS Software are affected. However, for successful exploitation to occur, the following conditions have to be met for both physical and virtual versions of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances -

It's worth noting that the Spam Quarantine feature is not enabled by default. To check if it's enabled, users are advised to follow the steps -

The exploitation activity observed by Cisco dates back to at least late November 2025, with UAT-9686 weaponizing the vulnerability to drop tunneling tools like ReverseSSH (aka AquaTunnel) and Chisel, as well as a log cleaning utility called AquaPurge. The use of AquaTunnel has been previously associated with Chinese hacking groups like APT41 and UNC5174.

Also deployed in the attacks is a lightweight Python backdoor dubbed AquaShell that's capable of receiving encoded commands and executing them.

"It listens passively for unauthenticated HTTP POST requests containing specially crafted data," Cisco said. "If such a request is identified, the backdoor will then attempt to parse the contents using a custom decoding routine and execute them in the system shell."

In the absence of a patch, users are advised to restore their appliances to a secure configuration, limit access from the internet, secure the devices behind

Source: The Hacker News

🏷️ Tags

hackvulnerabilitycveattackthreat

More from Cybersecurity

China-aligned Threat Group Uses Windows Group Policy To Deploy...

China-aligned Threat Group Uses Windows Group Policy To Deploy...

2025-12-18 0
New Password Spraying Attacks Target Cisco, Pan VPN Gateways

New Password Spraying Attacks Target Cisco, Pan VPN Gateways

2025-12-18 0
Us Seizes E-note Crypto Exchange For Laundering Ransomware Payments

Us Seizes E-note Crypto Exchange For Laundering Ransomware Payments

2025-12-18 0
New Nis2 Compliance: How To Get Passwords And Mfa Right 2025

New Nis2 Compliance: How To Get Passwords And Mfa Right 2025

2025-12-18 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views