{
	"id": "917f5c4e-ba4a-4241-8506-73e8f40756ad",
	"created_at": "2026-04-06T00:09:02.01457Z",
	"updated_at": "2026-04-10T03:36:01.265943Z",
	"deleted_at": null,
	"sha1_hash": "bb97e325e6de5e470f7a6f851534518cf7b1cd28",
	"title": "Zero-Day Crisis: CVE-2025-20393 Unpatched on Cisco Email Gateways, Exploited by China-Linked Hackers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 397211,
	"plain_text": "Zero-Day Crisis: CVE-2025-20393 Unpatched on Cisco Email Gateways, Exploited by China-Linked Hackers\r\nBy Santosh Sethuraman\r\nPublished: 2025-12-23 · Archived: 2026-04-05 18:09:37 UTC\r\nNetwork edge devices continue to be a primary target for sophisticated state-sponsored actors aiming to bypass traditional perimeter defenses. Recent disclosures reveal that a critical zero-day vulnerability in Cisco’s Secure Email Gateway (SEG) and Secure Email and Web Manager (SMA) appliances is being actively exploited by a suspected Chinese threat group to establish deep persistence within high-value networks.\r\nAt the center of this activity is a highly sophisticated espionage campaign attributed to the threat cluster tracked as UAT-9686. Exploiting a critical flaw in the Cisco AsyncOS Spam Quarantine interface, these actors are deploying a custom malware suite, including AquaShell, to maintain long-term root access and pivot into internal networks.\r\nBackground on UAT-9686 Operations\r\nUAT-9686 is a suspected Chinese state-sponsored threat group with a history of targeting networking infrastructure and edge appliances. 
Unlike financially motivated cybercriminals, UAT-9686 operations are characterized by:\r\nZero-Day Discovery: Capability to identify and weaponize unknown vulnerabilities in proprietary network appliances.\r\nhttps://www.secpod.com/blog/zero-day-crisis-cve-2025-20393-unpatched-on-cisco-email-gateways-exploited-by-china-linked-hackers/\r\nPage 1 of 4\n\nCustom Tooling: Development of specialized malware (AquaShell, AquaPurge) tailored for specific operating systems like Cisco AsyncOS.\r\nStealth \u0026 Anti-Forensics: Heavy emphasis on log manipulation and “living off the land” to evade detection.\r\nDeep Persistence: Establishing footholds that survive reboots and standard security scans.\r\nIn this specific campaign, the group has focused on bypassing authentication mechanisms in the Spam Quarantine feature to gain root-level control over email security appliances, effectively turning security tools into espionage platforms.\r\nCampaign Overview\r\nThe UAT-9686 campaign demonstrates a methodical effort to compromise the communication infrastructure of targeted organizations.\r\nPrimary Targets\r\nTelecommunications and critical infrastructure sectors.\r\nOrganizations utilizing Cisco Secure Email Gateway (ESA) and Secure Email and Web Manager (SMA).\r\nKey Characteristics\r\nExploitation of the Spam Quarantine interface (Port 6025) via HTTP packet manipulation.\r\nDeployment of Python-based malware directly onto the appliance.\r\nUse of specialized “wiper” tools to selectively scrub forensic evidence.\r\nVulnerability Details\r\nThe campaign relies on a critical zero-day vulnerability that allows remote code execution (RCE) with root privileges.\r\nVulnerability ID: CVE-2025-20393\r\nAffected Products: Cisco AsyncOS versions up to and including 16.0.3-044 on Cisco Secure Email Gateway and Cisco Secure Email and Web Manager\r\nCVSS Score: 10.0 (Critical)\r\nEPSS Score: 4.56%\r\nInfection Method\r\nInitial Access\r\nAttackers target the 
Spam Quarantine feature enabled on the management interface of the Cisco appliance. By sending specially crafted, unauthenticated HTTP POST requests to the exposed service (typically on port 6025), the attackers trigger an improper input validation flaw.\r\nExploitation\r\nSuccessful exploitation grants the attacker root-level privileges on the underlying AsyncOS operating system. This allows them to bypass the restricted CLI typically available to administrators and interact directly with the OS shell.\r\nPayload Delivery\r\nOnce root access is achieved, UAT-9686 deploys a suite of custom Python scripts. Since AsyncOS includes a Python interpreter by default, these scripts execute natively without requiring external dependencies, reducing the forensic footprint.\r\nExecution \u0026 Persistence\r\nThe actors utilize a modular malware toolkit to maintain control:\r\nAquaShell: Custom Python malware that acts as a passive listener, allowing attackers to execute arbitrary system commands covertly.\r\nAquaTunnel: A tool designed to establish reverse SSH tunnels, ensuring persistent remote access even if the appliance is behind a firewall.\r\nChisel: An open-source tunneling tool, often deployed alongside the custom malware to facilitate traffic routing and lateral movement into the internal network.\r\nDefense Evasion\r\nTo avoid detection, the group deploys AquaPurge, a specialized log-wiping utility. 
AquaPurge selectively removes entries related to the attacker’s activities from system logs while leaving legitimate traffic intact, complicating incident response efforts.\r\nCommand-and-Control (C2)\r\nCommand-and-control is achieved through passive listening malware (AquaShell) that avoids beaconing, and encrypted tunnels (AquaTunnel/Chisel) to route traffic through SSH channels.\r\nMITRE ATT\u0026CK Techniques\r\nTactic | Technique | Description\r\nInitial Access | T1190: Exploit Public-Facing App | Exploiting exposed Spam Quarantine (Port 6025).\r\nPrivilege Escalation | T1068: Exploitation for Privilege Escalation | Exploiting CVE-2025-20393 for root access.\r\nExecution | T1059.006: Python Scripting | Native Python execution for AquaShell.\r\nPersistence | T1572: Protocol Tunneling | Reverse SSH tunnels via AquaTunnel.\r\nDefense Evasion | T1070: Indicator Removal on Host | AquaPurge wipes logs and forensics.\r\nCommand \u0026 Control | T1105: Ingress Tool Transfer | Dropping custom scripts onto appliance.\r\nLateral Movement | T1573: Encrypted Channel | Chisel tunnels traffic internally.\r\nVisual Flow\r\nInternet (Attacker) -\u003e Port 6025 (Spam Quarantine Exploit) -\u003e Root Access (AsyncOS) -\u003e Drop AquaShell/AquaPurge -\u003e Log Wiping (Anti-Forensics) -\u003e Reverse SSH Tunnel -\u003e Internal Network Access\r\nMitigation Steps\r\nGiven that this vulnerability was exploited as a zero-day, immediate mitigation is critical.\r\nDisable Spam Quarantine: If not strictly necessary, disable the Spam Quarantine feature on the ESA/SMA appliances immediately.\r\nRestrict Access (ACLs): If the feature is required, use firewall rules or Access Control Lists (ACLs) to block access to port 6025 from the public internet. 
Ensure only trusted internal management IPs can access this port.\r\nMonitor System Logs: While AquaPurge attempts to scrub logs, look for gaps in logging, unexpected Python process execution, or unauthorized SSH connections initiated from the appliance.\r\nIsolate Management Interfaces: Ensure the management interface is physically or logically separated from the public network and strictly VPN-gated.\r\nInstantly Fix Risks with Saner Patch Management\r\nSaner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.\r\nIt also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.\r\nExperience the fastest and most accurate patching software here.\r\nSource: https://www.secpod.com/blog/zero-day-crisis-cve-2025-20393-unpatched-on-cisco-email-gateways-exploited-by-china-linked-hackers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.secpod.com/blog/zero-day-crisis-cve-2025-20393-unpatched-on-cisco-email-gateways-exploited-by-china-linked-hackers/"
	],
	"report_names": [
		"zero-day-crisis-cve-2025-20393-unpatched-on-cisco-email-gateways-exploited-by-china-linked-hackers"
	],
	"threat_actors": [
		{
			"id": "9c730914-2af2-4434-bd4c-55530664c4a2",
			"created_at": "2026-01-18T02:00:03.066637Z",
			"updated_at": "2026-04-10T02:00:03.905041Z",
			"deleted_at": null,
			"main_name": "UAT-9686",
			"aliases": [],
			"source_name": "MISPGALAXY:UAT-9686",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434142,
	"ts_updated_at": 1775792161,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb97e325e6de5e470f7a6f851534518cf7b1cd28.pdf",
		"text": "https://archive.orkl.eu/bb97e325e6de5e470f7a6f851534518cf7b1cd28.txt",
		"img": "https://archive.orkl.eu/bb97e325e6de5e470f7a6f851534518cf7b1cd28.jpg"
	}
}