Kimwolf Botnet Hijacks 1.8 million Android TVs, Launches Large Scale DDoS Attacks
December 10, 2025

Cisco Email Security Products Under Active Attack

Cisco Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances are currently being actively exploited by a China-linked advanced persistent threat (APT) group tracked as UAT-9686, with known associations to APT41 and UNC5174. Cisco’s Product Security Incident Response Team (PSIRT) identified the activity during a Technical Assistance Center (TAC) support investigation, with evidence indicating the campaign had been ongoing prior to detection.
The attacks exploit a critical zero-day vulnerability, CVE-2025-20393 (CVSS 10.0), affecting Cisco AsyncOS. The flaw is caused by improper input validation in the Spam Quarantine feature when it is enabled and exposed to the internet (not enabled by default). Successful exploitation enables unauthenticated remote code execution (RCE) with root-level privileges via crafted HTTP POST requests to port 6025, granting full operating system shell access.
After gaining access, the threat actor deploys a custom Python-based malware toolkit that abuses AsyncOS’s built-in Python interpreter. This toolkit includes AquaShell, a persistent backdoor for remote command execution; AquaTunnel and Chisel, which establish reverse SSH tunnels to support command-and-control (C2) operations and lateral movement; and AquaPurge, a log-wiping utility designed to evade detection and hinder forensic investigation. Observed targets primarily include telecommunications providers and critical infrastructure organizations operating with non-standard configurations that expose the vulnerable feature.
Cisco recommends immediate verification of Spam Quarantine settings, network hardening, and close monitoring for indicators of compromise associated with the identified tools. While a security patch is not yet available, mitigation workarounds have been provided. The vulnerability has also been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, requiring prompt remediation by affected organizations.
This activity demonstrates how perimeter misconfigurations can turn defensive email security appliances into high-impact espionage footholds, reinforcing the importance of secure configuration management and continuous monitoring.
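The brief's recommendations come down to two checks: is the Spam Quarantine port reachable from outside, and is anything outside actually talking to it. The following is an added example, not code from Cisco or from the original brief, that runs a simple triage over firewall or proxy log lines and flags traffic from non-RFC 1918 sources to TCP/6025, the port the brief names. The log format, the network ranges treated as internal, and the sample lines are all constructed for the example; adapt the regex to whatever your own log source emits.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed, hypothetical log format (not a real Cisco or firewall format):
#   <timestamp> src=<ip> dst=<ip> dport=<port> method=<HTTP method> uri=<path>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"method=(?P<method>\S+) uri=(?P<uri>\S+)$"
)

# Port the brief identifies as the Spam Quarantine listener.
SPAM_QUARANTINE_PORT = 6025

# Ranges treated as "internal" for this example. Listed explicitly rather than
# using ipaddress.is_private, because Python also classifies the RFC 5737
# documentation ranges (e.g. 203.0.113.0/24) as private, which would hide the
# constructed external sources below.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    reason: str


def is_internal(ip: str) -> bool:
    """True if the source address falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable source: treat as not trusted
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return a dict of fields for a well-formed line, or None to skip it."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Flag any external source reaching the Spam Quarantine port.

    POSTs are called out separately because the brief describes the
    exploitation path as crafted HTTP POST requests to that port.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if int(rec["dport"]) != SPAM_QUARANTINE_PORT:
            continue
        if is_internal(rec["src"]):
            continue
        reason = "external reach to Spam Quarantine port"
        if rec["method"].upper() == "POST":
            reason = "external POST to Spam Quarantine port"
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"], reason))
    return findings


# Constructed sample log lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    "2025-12-09T01:02:03Z src=10.0.0.5 dst=192.168.1.20 dport=6025 method=GET uri=/",
    "2025-12-09T01:02:04Z src=203.0.113.7 dst=192.168.1.20 dport=6025 method=POST uri=/",
    "2025-12-09T01:02:05Z src=203.0.113.7 dst=192.168.1.20 dport=443 method=GET uri=/",
    "2025-12-09T01:02:06Z src=198.51.100.9 dst=192.168.1.20 dport=6025 method=GET uri=/",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}: {f.reason}")
```

Any hit from this script is a configuration question first (why is the quarantine listener reachable from that source at all?) and an incident question second; the brief's guidance to verify the Spam Quarantine settings and watch for the named tools applies either way.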
