Cisco Patches Zero-Day RCE Exploited by China-Linked APT in Secure Email Gateways: CVE-2025-20393 (CVSS 10.0)


Key Takeaways:

  • Critical Vulnerability: CVE-2025-20393 is a CVSS 10.0 remote command execution flaw in Cisco AsyncOS.
  • Active Exploitation: The China-linked APT UAT-9686 has been targeting Secure Email Gateways (SEG) since November 2025.
  • Sophisticated Toolkit: Attackers deployed specialized tools including AquaShell (backdoor), AquaTunnel, and AquaPurge (log cleaner).
  • Immediate Action Required: Organizations must apply Cisco’s security updates to AsyncOS 15.0, 15.5, and 16.0 immediately.


Cisco has released critical security updates to address a maximum-severity vulnerability in its AsyncOS Software. The flaw, identified as CVE-2025-20393, allows for remote command execution (RCE) on affected devices. Intelligence reports indicate that a China-linked advanced persistent threat (APT) group, designated as UAT-9686, has been exploiting this zero-day vulnerability since late November 2025. The primary targets of this campaign include Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager appliances.

The vulnerability carries a CVSS score of 10.0, reflecting its potential for complete system compromise. This remote command execution flaw stems from insufficient validation of HTTP requests within the Spam Quarantine feature of the Cisco AsyncOS Software. If an attacker successfully exploits this defect, they can execute arbitrary commands with root privileges on the underlying operating system of the appliance.

For an attack to be successful, three specific environmental conditions must be met:

  1. The appliance must be running a vulnerable version of Cisco AsyncOS.
  2. The Spam Quarantine feature must be configured and active.
  3. The Spam Quarantine interface must be accessible from the internet.

When these conditions align, an unauthenticated remote attacker can send crafted HTTP requests to the device to gain unauthorized access and administrative control. Data from a cyber threat intelligence platform indicates that UAT-9686 is a disciplined actor focused on maintaining long-term persistence within high-value networks. By targeting email gateways, the adversary can intercept sensitive communications, perform lateral movement, and establish a beachhead for broader network intrusions.

Technical Analysis of CVE-2025-20393 (CVSS 10.0)

The root cause of CVE-2025-20393 is a failure in the input sanitization routines of the AsyncOS web management interface, specifically concerning the Spam Quarantine component. The system does not properly filter metadata or control characters within incoming HTTP requests. By injecting specific command sequences into these requests, an attacker can bypass the intended application logic and interact directly with the system shell.

Because the Spam Quarantine service often requires external access to allow end-users to manage filtered emails, it represents a significant attack surface. In many organizations, this feature is placed in a DMZ or exposed directly to the internet to facilitate user interaction. This exposure is exactly what UAT-9686 utilized to conduct their initial intrusions.

Effective breach detection in this context requires monitoring for anomalous HTTP POST requests directed at the /euq/ (End User Quarantine) directory or associated web services.

Furthermore, unexpected child processes spawning from the web server process (such as sh, python, or perl) serve as critical indicators of exploitation.
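A detection sketch for the two indicators above (anomalous requests to the /euq/ path and shell or interpreter processes descending from the web server), added here as example code and not taken from the page or from Cisco. The common-log-style line format, the web-server process name 'httpd' and all sample lines are constructed assumptions; adapt the parser to the appliance's real log layout.

```python
import re

# Constructed sample access-log lines. The real AsyncOS web log layout is not
# shown on this page, so a common-log-style format is assumed for illustration.
SAMPLE_WEB_LOG = """\
203.0.113.7 - - [02/Dec/2025:10:14:01 +0000] "GET /euq/login HTTP/1.1" 200 1843
203.0.113.7 - - [02/Dec/2025:10:14:02 +0000] "POST /euq/login HTTP/1.1" 302 0
198.51.100.23 - - [02/Dec/2025:10:20:44 +0000] "POST /euq/search?sort=date%3B HTTP/1.1" 500 0
192.0.2.9 - - [02/Dec/2025:10:21:00 +0000] "GET /euq/search HTTP/1.1" 200 2230
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Shell metacharacters, raw or URL-encoded, that have no place in a quarantine request.
METACHARS = re.compile(r'(%3b|%7c|%26|%60|%24%28|[;|&`]|\$\()', re.IGNORECASE)

def flag_euq_requests(log_text, trusted_post_paths=('/euq/login',)):
    """Return (ip, method, path, reasons) for /euq/ requests that look anomalous."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m['path'].startswith('/euq/'):
            continue
        reasons = []
        if m['method'] != 'GET' and not m['path'].startswith(trusted_post_paths):
            reasons.append('non-GET to quarantine endpoint')
        if METACHARS.search(m['path']):
            reasons.append('shell metacharacters in request')
        if m['status'].startswith('5'):
            reasons.append('server error')
        if reasons:
            hits.append((m['ip'], m['method'], m['path'], reasons))
    return hits

# Constructed process snapshot as (pid, ppid, command name). The web-server
# process name 'httpd' is an assumption; substitute the appliance's real name.
SAMPLE_PROCS = [(1, 0, 'init'), (410, 1, 'httpd'), (411, 410, 'httpd'),
                (902, 411, 'sh'), (903, 902, 'python'), (950, 1, 'python')]

def flag_webserver_children(procs, webserver='httpd', interpreters=('sh', 'python', 'perl')):
    """Return (pid, name) of shell/interpreter processes whose ancestry includes the web server."""
    by_pid = {pid: (ppid, name) for pid, ppid, name in procs}
    def descends_from_webserver(pid):
        while pid in by_pid:
            ppid, name = by_pid[pid]
            if name == webserver:
                return True
            pid = ppid
        return False
    return [(pid, name) for pid, ppid, name in procs
            if name in interpreters and descends_from_webserver(ppid)]
```

A legitimate end-user login POST is excluded by the trusted-path list; every other write to /euq/, any metacharacter, and any 5xx is surfaced for review.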

Threat Actor Profile: UAT-9686 and the “Aqua” Toolkit

UAT-9686 is an APT group with a strategic nexus to China. Their operations are characterized by the use of custom malware and legitimate tunneling tools to bypass security controls. In the campaign targeting CVE-2025-20393, the actor deployed several specialized artifacts designed for persistence and stealth.

AquaShell Backdoor
The centerpiece of the post-exploitation phase is AquaShell, a lightweight Python-based backdoor. AquaShell is designed to receive encoded commands via the network, execute them on the local system, and return the output. Its Python-based nature allows it to run natively on the AsyncOS environment without requiring complex compilation, making it difficult to detect via traditional file-based signatures.

AquaTunnel (ReverseSSH) and Chisel
To maintain access after the initial RCE, the actors deployed ReverseSSH (internally referred to as AquaTunnel) and Chisel. Both are widely available open-source tools used for creating secure tunnels through firewalls. Chisel, in particular, allows for SOCKS5 tunneling over HTTP, which helps blend malicious traffic with legitimate web traffic. This tactic effectively circumvents standard egress filtering.

AquaPurge Log Cleaner
To evade forensic analysis, UAT-9686 utilized a utility called AquaPurge. This tool is specifically designed to scrub system logs and remove evidence of the actor’s presence. By targeting the logs that record login attempts, command history, and service restarts, AquaPurge significantly complicates the incident response process. Organizations that do not ingest logs into a central cyber threat intelligence platform in real time are particularly vulnerable to this anti-forensic technique.

Broader APT Activity: UAT-8837 and Sitecore (CVE-2025-53690)

The exploitation of Cisco Secure Email Gateways is part of a larger trend of China-linked actors targeting edge devices and critical infrastructure. Recent research has identified another cluster, UAT-8837, which utilized a zero-day in Sitecore (CVE-2025-53690, CVSS 9.0) to gain access to North American critical infrastructure.

UAT-8837’s TTPs involve obtaining initial access and then deploying a suite of tools for Active Directory (AD) reconnaissance and credential harvesting. These tools include:

  • GoTokenTheft: Used for stealing access tokens to bypass multi-factor authentication.
  • EarthWorm: A SOCKS tunneler for internal network pivot.
  • DWAgent: Provides persistent remote access.
  • SharpHound & Certipy: Used for mapping AD structures and identifying misconfigured certificate services.

While UAT-9686 and UAT-8837 use different initial access vectors, their goal remains consistent: the extraction of sensitive information and the establishment of long-term access. This includes the exfiltration of DLL-based shared libraries, which may be used for future supply-chain risk monitoring research or to facilitate trojanization of legitimate software.

Remediation and Patching Schedule

Cisco has addressed CVE-2025-20393 in multiple release branches of AsyncOS. In addition to fixing the vulnerability, these updates are designed to remove identified persistence mechanisms associated with the UAT-9686 campaign.

Cisco Email Security Gateway (SEG) Fixed Versions:

  • AsyncOS 14.2 and earlier: Upgrade to 15.0.5-016
  • AsyncOS 15.0: Upgrade to 15.0.5-016
  • AsyncOS 15.5: Upgrade to 15.5.4-012
  • AsyncOS 16.0: Upgrade to 16.0.4-016

Secure Email and Web Manager Fixed Versions:

  • AsyncOS 15.0 and earlier: Upgrade to 15.0.2-007
  • AsyncOS 15.5: Upgrade to 15.5.4-007
  • AsyncOS 16.0: Upgrade to 16.0.4-010

Organizations must verify their current versioning and apply these patches immediately, as the exploit code is known to be in the hands of sophisticated state-sponsored groups.
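To check an appliance inventory against the fixed-version tables above, here is an added example (not Cisco's tooling and not from the page) that parses AsyncOS version strings of the form major.minor.patch-build and reports which hosts are still below their fix. The inventory hostnames and running versions are constructed; the fixed versions are the ones listed above.

```python
import re

# Fixed versions from the two tables above, keyed by product ('seg' = Secure Email
# Gateway, 'sma' = Secure Email and Web Manager) and release branch. Rows marked
# "and earlier" in the tables map older branches onto the 15.0 fix.
FIXED = {
    'seg': {'15.0': '15.0.5-016', '15.5': '15.5.4-012', '16.0': '16.0.4-016'},
    'sma': {'15.0': '15.0.2-007', '15.5': '15.5.4-007', '16.0': '16.0.4-010'},
}
LOWEST_BRANCH = '15.0'

VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)-(\d+)$')

def parse_version(v):
    """Turn an AsyncOS version string such as '15.0.5-016' into (15, 0, 5, 16)."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f'unrecognised AsyncOS version string: {v!r}')
    return tuple(int(x) for x in m.groups())

def assess(product, running):
    """Return (is_fixed, required_version). is_fixed is None when the running branch
    is newer than anything in the tables and must be checked against the advisory."""
    table = FIXED[product]
    run = parse_version(running)
    branch = f'{run[0]}.{run[1]}'
    if branch in table:
        required = table[branch]
    elif run[:2] < parse_version(table[LOWEST_BRANCH])[:2]:
        required = table[LOWEST_BRANCH]   # "and earlier" rows
    else:
        return None, None
    return run >= parse_version(required), required

def needs_upgrade(inventory):
    """inventory: iterable of (host, product, running). Returns (host, running, required)
    for every appliance still below its fixed version."""
    out = []
    for host, product, running in inventory:
        fixed, required = assess(product, running)
        if fixed is False:
            out.append((host, running, required))
    return out

# Constructed inventory for a dry run; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ('seg-dmz-01', 'seg', '15.0.3-021'),
    ('seg-dmz-02', 'seg', '16.0.4-016'),
    ('sma-core-01', 'sma', '14.3.0-120'),
    ('seg-branch-07', 'seg', '15.5.4-012'),
]
```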

Implementation of Hardening Measures

In addition to patching, Cisco recommends several hardening steps to reduce the risk of exploitation. These measures should be part of a broader security strategy that includes real-time ransomware intelligence and comprehensive network monitoring.

  1. Network Segmentation: Secure the appliance behind a dedicated firewall and limit access to the Spam Quarantine feature to known IP ranges where possible.
  2. Protocol Disabling: Disable HTTP for the main administrator portal; only HTTPS should be permitted for management tasks.
  3. Service Reduction: Disable any network services that are not strictly necessary for the operation of the gateway.
  4. Enhanced Authentication: Implement SAML or LDAP for end-user and administrator authentication to prevent the use of compromised local credentials.
  5. Password Hygiene: Change default administrator passwords immediately and enforce complex rotation policies.

Monitoring web log traffic for unexpected requests to the /euq/ path is essential. If logs show the execution of Python scripts or the presence of tools like Chisel, the system should be considered compromised.

The Role of Intelligence in Gateway Security

The targeting of Cisco SEGs underscores the importance of dark web monitoring capabilities. State-sponsored actors often acquire information about zero-day vulnerabilities or compromised credentials through specialized channels. Monitoring for discussions related to Cisco AsyncOS exploits or leaked administrative credentials can provide the early warning needed to prevent an intrusion.

Furthermore, underground forum intelligence can reveal the development of new tunneling tools or modifications to existing backdoors like AquaShell. By staying ahead of the adversary’s tool development lifecycle, security teams can update their detection signatures before an attack occurs.

For organizations managing a large number of perimeter devices, integrating a live ransomware API and brand leak alerting service can help identify if their specific infrastructure is being targeted in the reconnaissance phase of an APT campaign. Actors like UAT-9686 often perform extensive scanning of internet-facing assets before choosing a target.

Practical Takeaways for Technical Teams

  • Audit Perimeter Assets: Use automated scanning tools to identify all Cisco SEG and Secure Email and Web Manager instances. Ensure that the Spam Quarantine feature is not exposed to the public internet unless absolutely necessary.
  • Examine System Logs: Look for evidence of AquaPurge activity, which involves the sudden deletion of large segments of log data or the modification of log rotation scripts.
  • Search for IoCs: Scan the filesystem for Python files that do not belong to the standard Cisco AsyncOS distribution. Specifically, look for scripts capable of base64 decoding and executing strings, which is a hallmark of AquaShell.
  • Monitor Outbound Traffic: Track outbound connections on non-standard ports, especially those associated with Chisel or ReverseSSH.
  • Implement Centralized Logging: Ensure that all system and web logs are forwarded to a secure, off-box location that cannot be modified by a local root user.
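An added example for the IoC hunt in the third bullet (not a vendor signature and not code from the page): it walks a directory tree for Python-like files that both decode an encoded blob and pass data to an exec/eval/subprocess sink, skipping files whose SHA-256 is on a known-good allowlist built from a clean appliance. The heuristic and the sample files written to a temporary directory are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# Constructed heuristic, not a vendor signature: a script that both decodes an
# encoded blob and feeds data to an exec/eval/subprocess sink. Tune to your fleet.
DECODE_RE = re.compile(r'\b(b64decode|b32decode|a85decode|decodebytes)\b')
SINK_RE = re.compile(r'\b(exec|eval|subprocess\.\w+|os\.system|os\.popen)\s*\(')

def inspect_file(path):
    """Return a finding dict if the file is Python-like and matches both patterns, else None."""
    try:
        with open(path, 'rb') as f:
            data = f.read()
    except OSError:
        return None
    first_line = data.split(b'\n', 1)[0]
    is_python = path.endswith('.py') or (first_line.startswith(b'#!') and b'python' in first_line)
    text = data.decode('utf-8', errors='ignore')
    if is_python and DECODE_RE.search(text) and SINK_RE.search(text):
        return {'path': path, 'sha256': hashlib.sha256(data).hexdigest(), 'size': len(data)}
    return None

def scan_tree(root, known_good_hashes=frozenset()):
    """Walk root and collect findings whose hash is not in the known-good allowlist."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            finding = inspect_file(os.path.join(dirpath, name))
            if finding and finding['sha256'] not in known_good_hashes:
                findings.append(finding)
    return sorted(findings, key=lambda f: f['path'])

def build_sample_tree():
    """Create a temp directory of constructed files: two benign scripts and one stager-like file."""
    root = tempfile.mkdtemp(prefix='euq-hunt-')
    samples = {
        'report.py': "import csv\nprint(sum(1 for _ in csv.reader(open('q.csv'))))\n",
        'encoder.py': "import base64\nprint(base64.b64encode(b'quarantine'))\n",
        'tmp/.cache': "#!/usr/bin/env python\nimport base64\nexec(base64.b64decode(blob))\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w') as f:
            f.write(body)
    return root
```

The shebang check matters because a dropped backdoor need not carry a .py extension; build the allowlist from hashes taken on a known-clean appliance of the same release.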

Practical Takeaways for Business Leaders

  • Resource Allocation: Prioritize the patching of internet-facing security appliances. These devices are often the first target for APT actors looking to gain a foothold.
  • Vendor Communication: Engage with hardware vendors to ensure a clear understanding of the shared responsibility model regarding security updates and zero-day response.
  • Risk Assessment: Evaluate the necessity of exposing email management features to the internet. If the business risk of an RCE outweighs the convenience of remote quarantine management, consider restricting access to VPN-only.
  • Incident Response Preparedness: Ensure that the incident response team has the necessary training to investigate specialized appliances like SEGs, which often run proprietary or hardened operating systems that differ from standard Windows or Linux environments.

Strategic Context of Global Threat Activity

The exploitation of CVE-2025-20393 is not an isolated event. It follows a series of high-profile zero-day exploitations by China-nexus actors, including the recent targeting of Fortinet FortiSIEM (CVE-2025-64155) and ongoing campaigns against telecommunications providers by UAT-7290.

UAT-7290 has been observed using malware families like RushDrop and SilentRaid to target entities in South Asia and Europe. The commonality across these groups is their focus on edge infrastructure: firewalls, VPN gateways, and email servers. These devices often lack the same level of endpoint detection and response (EDR) coverage as standard workstations, making them ideal for silent persistence.

The use of Telegram threat monitoring has become increasingly relevant as actors use various messaging platforms to coordinate activities or trade information about vulnerable infrastructure. Security operations centers must incorporate these non-traditional data sources into their daily workflows to maintain a complete picture of the threat landscape.

PurpleOps Expertise and Services

PurpleOps provides the technical expertise and specialized services required to defend against sophisticated APT actors like UAT-9686. Our approach combines deep technical analysis with proactive threat hunting to identify and mitigate risks before they result in data exfiltration.

Our Cyber Threat Intelligence service provides organizations with actionable data on emerging zero-day vulnerabilities and actor-specific TTPs. By leveraging our platform, security teams can receive early warnings about campaigns targeting Cisco infrastructure.

To address the risks associated with edge device compromise, PurpleOps offers Red Team Operations. These services simulate the tactics of state-sponsored actors, allowing organizations to test their detection and response capabilities in a controlled environment.

Furthermore, our Dark Web Monitoring and Supply Chain Information Security services ensure that organizations are aware of leaked credentials or trojanized software components that could be used to facilitate an intrusion. We help businesses understand their exposure across the entire digital ecosystem, from internet-facing gateways to third-party vendors.

For organizations concerned about the impact of ransomware following an initial breach, our Protect Against Ransomware services provide the architectural guidance and technical controls necessary to prevent lateral movement and data destruction.

For more information on how PurpleOps can secure your infrastructure against advanced threats or to schedule a consultation with our analysts, visit our PurpleOps Solutions page or explore our comprehensive Security Platform.

Frequently Asked Questions

What is CVE-2025-20393?
It is a critical remote command execution (RCE) vulnerability in Cisco AsyncOS Software with a CVSS score of 10.0, primarily affecting the Spam Quarantine feature.

Who is exploiting this vulnerability?
The China-linked APT group UAT-9686 has been observed exploiting this flaw to deploy backdoors and maintain persistence in target networks.

How can I tell if my Cisco SEG is compromised?
Look for anomalous HTTP POST requests to the /euq/ directory, unexpected Python processes, or signs of log deletion caused by the AquaPurge utility.

What are the fixed versions of AsyncOS?
Fixed versions include AsyncOS 15.0.5-016, 15.5.4-012, and 16.0.4-016 for SEG, and 15.0.2-007, 15.5.4-007, and 16.0.4-010 for Secure Email and Web Manager.

Why is the Spam Quarantine feature targeted?
It is often exposed to the internet to allow users to manage filtered mail, making it an accessible entry point for unauthenticated remote attacks.