Targeted Exploitation of Cisco Secure Email Gateway and Web Manager by UAT-9686
Cisco has confirmed that a sophisticated cyberattack campaign is actively targeting a subset of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances running AsyncOS Software. The attackers are exploiting a critical vulnerability, tracked as CVE-2025-20393, which allows them to execute arbitrary commands with root privileges on affected systems. Cisco's investigation has revealed that the threat actors have deployed a persistence mechanism to maintain control over compromised appliances, and there are currently no available workarounds. Customers are strongly advised to follow Cisco's mitigation guidance to assess exposure and reduce risk.
Cisco Talos has attributed this campaign to a Chinese-nexus advanced persistent threat (APT) group, tracked as UAT-9686. The attackers have deployed a custom Python-based backdoor called "AquaShell," along with additional tools for reverse tunneling and log purging, such as AquaTunnel and AquaPurge. The campaign has been ongoing since at least late November 2025 and primarily affects appliances with non-standard configurations exposed to the internet. The attack highlights the importance of securing management interfaces and promptly applying vendor-recommended mitigations to prevent further compromise.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
CISA adds CVE-2025-20393 to the KEV catalog
Following Cisco's disclosure, CISA added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog, formally recognizing active exploitation. Multiple reports say federal agencies were directed to apply mitigations by December 24, 2025.
Cisco advises rebuilding compromised appliances
Alongside its disclosure, Cisco warned that if compromise is confirmed, affected appliances should be rebuilt because attacker persistence may survive simpler remediation. It also recommended restricting internet exposure of Spam Quarantine and tightening access controls while awaiting a fix.
Cisco discloses CVE-2025-20393 and issues security advisory
Cisco publicly disclosed the critical unauthenticated remote command execution flaw CVE-2025-20393 on December 17, 2025, confirming active exploitation in Secure Email Gateway and Secure Email and Web Manager. The company issued an advisory, published indicators of compromise and mitigation guidance, and said no patch was yet available.
Cisco identifies the threat campaign and vulnerability
Cisco became aware of the campaign and identified the underlying vulnerability on December 10, 2025. Reporting indicates Cisco began investigating active exploitation of the flaw affecting exposed AsyncOS appliances at that time.
Attackers deploy AquaShell and related post-compromise tooling
After initial compromise, the attackers installed the AquaShell Python backdoor for persistence and used AquaTunnel/ReverseSSH, chisel, and AquaPurge to tunnel access, move laterally, and purge logs. Cisco Talos later noted overlaps in tactics and infrastructure with Chinese APT activity including APT41 and UNC5174.
UAT-9686 begins exploiting Cisco AsyncOS zero-day
A China-linked threat actor tracked as UAT-9686 began exploiting the vulnerability now tracked as CVE-2025-20393 against Cisco Secure Email Gateway and Secure Email and Web Manager appliances. The activity has been reported as ongoing since at least late November 2025 and targeted appliances with an internet-exposed Spam Quarantine or other non-standard exposed configurations.