Jan 16, 2026Ravie LakshmananVulnerability / Internet Safety
Cisco on Thursday launched safety updates for a maximum-severity safety flaw impacting Cisco AsyncOS Software program for Cisco Safe E mail Gateway and Cisco Safe E mail and Internet Supervisor, almost a month after the corporate disclosed that it had been exploited as a zero-day by a China-nexus superior persistent menace (APT) actor codenamed UAT-9686.
The vulnerability, tracked as CVE-2025-20393 (CVSS rating: 10.0), is a distant command execution flaw arising because of inadequate validation of HTTP requests by the Spam Quarantine function. Profitable exploitation of the defect might allow an attacker to execute arbitrary instructions with root privileges on the underlying working system of an affected equipment.
Nevertheless, for the assault to work, three situations have to be met –
The equipment is working a weak launch of Cisco AsyncOS Software program
The equipment is configured with the Spam Quarantine function
The Spam Quarantine function is uncovered to and reachable from the web
Final month, the networking tools main revealed that it discovered proof of UAT-9686 exploiting the vulnerability as early as late November 2025 to drop tunneling instruments like ReverseSSH (aka AquaTunnel) and Chisel, and a log cleansing utility known as AquaPurge.
The assaults are additionally characterised by the deployment of a light-weight Python backdoor dubbed AquaShell that is able to receiving encoded instructions and executing them.
The vulnerability has now been addressed within the following variations, along with eradicating the persistence mechanisms that have been recognized on this assault marketing campaign and put in on the home equipment –
Cisco E mail Safety Gateway
Cisco AsyncOS Software program Launch 14.2 and earlier (Mounted in 15.0.5-016)
Cisco AsyncOS Software program Launch 15.0 (Mounted in 15.0.5-016)
Cisco AsyncOS Software program Launch 15.5 (Mounted in 15.5.4-012)
Cisco AsyncOS Software program Launch 16.0 (Mounted in 16.0.4-016)
Safe E mail and Internet Supervisor
Cisco AsyncOS Software program Launch 15.0 and earlier (Mounted in 15.0.2-007)
Cisco AsyncOS Software program Launch 15.5 (Mounted in 15.5.4-007)
Cisco AsyncOS Software program Launch 16.0 (Mounted in 16.0.4-010)
Moreover, Cisco can be urging clients to observe hardening tips to stop entry from the unsecured networks, safe the home equipment behind a firewall, monitor internet log visitors for any surprising visitors to/from home equipment, disable HTTP for the primary administrator portal, disable any community providers that aren’t required, implement a robust type of end-user authentication to the home equipment (e.g., SAML or LDAP), and alter the default administrator password to a safer variant.
