Cisco on Thursday launched safety updates for a maximum-severity safety flaw impacting Cisco AsyncOS Software program for Cisco Safe E-mail Gateway and Cisco Safe E-mail and Net Supervisor, practically a month after the corporate disclosed that it had been exploited as a zero-day by a China-nexus superior persistent risk (APT) actor codenamed UAT-9686.
The vulnerability, tracked as CVE-2025-20393 (CVSS rating: 10.0), is a distant command execution flaw arising because of inadequate validation of HTTP requests by the Spam Quarantine function. Profitable exploitation of the defect may allow an attacker to execute arbitrary instructions with root privileges on the underlying working system of an affected equipment.
Nonetheless, for the assault to work, three circumstances have to be met –
- The equipment is operating a weak launch of Cisco AsyncOS Software program
- The equipment is configured with the Spam Quarantine function
- The Spam Quarantine function is uncovered to and reachable from the web
Final month, the networking tools main revealed that it discovered proof of UAT-9686 exploiting the vulnerability as early as late November 2025 to drop tunneling instruments like ReverseSSH (aka AquaTunnel) and Chisel, and a log cleansing utility referred to as AquaPurge.
The assaults are additionally characterised by the deployment of a light-weight Python backdoor dubbed AquaShell that is able to receiving encoded instructions and executing them.
The vulnerability has now been addressed within the following variations, along with eradicating the persistence mechanisms that have been recognized on this assault marketing campaign and put in on the home equipment –
Cisco E-mail Safety Gateway
- Cisco AsyncOS Software program Launch 14.2 and earlier (Mounted in 15.0.5-016)
- Cisco AsyncOS Software program Launch 15.0 (Mounted in 15.0.5-016)
- Cisco AsyncOS Software program Launch 15.5 (Mounted in 15.5.4-012)
- Cisco AsyncOS Software program Launch 16.0 (Mounted in 16.0.4-016)
Safe E-mail and Net Supervisor
- Cisco AsyncOS Software program Launch 15.0 and earlier (Mounted in 15.0.2-007)
- Cisco AsyncOS Software program Launch 15.5 (Mounted in 15.5.4-007)
- Cisco AsyncOS Software program Launch 16.0 (Mounted in 16.0.4-010)
Moreover, Cisco can also be urging clients to comply with hardening tips to forestall entry from the unsecured networks, safe the home equipment behind a firewall, monitor internet log visitors for any surprising visitors to/from home equipment, disable HTTP for the primary administrator portal, disable any community companies that aren’t required, implement a powerful type of end-user authentication to the home equipment (e.g., SAML or LDAP), and alter the default administrator password to a safer variant.
