This is a high severity, actively exploited zero-day targeting Cisco AsyncOS appliances exposed to the internet. Immediate access restrictions, segmentation, threat monitoring, and preparation for incident response and patch deployment are critical defenses until an official fix is released. 

Vulnerability: CVE-2025-20393, a critical, unpatched remote code execution (RCE) zero-day in Cisco AsyncOS for Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. It affects only non-standard configurations in which the Spam Quarantine feature is exposed to the internet. 

Threat Actors: Cisco Talos attributes these attacks to UAT-9686, a Chinese-affiliated advanced persistent threat (APT) group. Tooling overlaps suggest connections to UNC5174 and APT41. 

Timeline: Initial detection recorded on December 10, 2025, but believed active since at least late November 2025. 

 

Technical Details: 

Affected: Cisco SEG and SEWM appliances on AsyncOS with internet-exposed Spam Quarantine interfaces. 

Attack Vector: Exploits the exposed Spam Quarantine endpoint, enabling unauthenticated RCE as root. 

Post-Exploitation Tools: 
  • AquaShell: a custom persistence mechanism. 
  • AquaTunnel & Chisel: reverse SSH tunnel malware. 
  • AquaPurge: a log-cleaning utility. 

Indicators of Compromise (IOCs) 

Available on Cisco Talos’ GitHub repository - https://github.com/Cisco-Talos/IOCs/tree/main/2025/12 

 

Risk Impact 

  • High Severity: Full root-level control achieved via unauthenticated RCE. 
  • Widespread Exposure Risk: Any appliance with Spam Quarantine publicly accessible is vulnerable. 
  • Persistent Threat: Potential for undetected stealthy access and data exfiltration via reverse tunnels and log clearing. 
  • Nation-State Level Actor: Attribution to a Chinese APT indicates high intent, capability, and expanded targeting scope. 

 

Adversary Tactics, Techniques and Procedures (TTPs): 

  • Initial Compromise: Exploitation of the zero-day via the publicly facing Spam Quarantine interface. 
  • Privilege Escalation: Immediate root access enabling full control. 
  • Persistence & Lateral Movement: 
      • Installation of AquaShell. 
      • Deployment of AquaTunnel/Chisel for reverse SSH tunnelling. 
      • AquaPurge used to remove evidence. 
  • Attribution Evidence: Shared tooling and infrastructure align with behaviours of the known Chinese threat actors UNC5174 and APT41. 

Indicators of Compromise (IOCs): 

Cisco Talos' GitHub repository includes: 

  • File hashes and filenames for AquaShell, AquaTunnel, Chisel, AquaPurge. 
  • Network indicators and C2 domains/IP addresses. 
  • Specific log artifacts tied to tunnel activity and log-clearing events.  

All IOCs, including the IPs and file hashes determined to be associated with this campaign, have been blocked across the Cisco portfolio. However, Integrity360 recommends pulling the IOCs from the GitHub repository and integrating them into SIEM or EDR/XDR platforms promptly. 
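The ingestion step above is usually the point where a plain-text indicator list has to be normalised before a SIEM or EDR will accept it. The following Python is an added example (not from Integrity360 or Cisco Talos) that classifies indicators by type, builds lookup rows and matches a normalised event against them. The sample indicator text, its comment syntax, the event field names and every hash, IP and domain value are constructed placeholders for this example; the real list is in the Talos repository linked above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of a plain-text indicator list: one indicator
# per line, '#' starts a comment. Every value here is a placeholder made up for
# the example; none is taken from the Cisco Talos repository.
SAMPLE_IOC_TEXT = """\
# file hashes (constructed placeholders)
0000000000000000000000000000000000000000000000000000000000000001  # placeholder sha256
d41d8cd98f00b204e9800998ecf8427e
# network indicators (constructed placeholders)
203.0.113.45
c2.example.invalid
999.1.1.1          # malformed on purpose: must not be accepted as an IPv4
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z]{2,63}$")


@dataclass
class IocSet:
    sha256: set = field(default_factory=set)
    md5: set = field(default_factory=set)
    ipv4: set = field(default_factory=set)
    domain: set = field(default_factory=set)
    rejected: list = field(default_factory=list)  # lines that matched no known type


def parse_ioc_text(text: str) -> IocSet:
    """Classify each non-comment line by indicator type, normalised to lowercase."""
    iocs = IocSet()
    for raw in text.splitlines():
        value = raw.split("#", 1)[0].strip().lower()
        if not value:
            continue
        if SHA256_RE.match(value):
            iocs.sha256.add(value)
        elif MD5_RE.match(value):
            iocs.md5.add(value)
        elif IPV4_RE.match(value) and all(int(o) <= 255 for o in value.split(".")):
            iocs.ipv4.add(value)
        elif DOMAIN_RE.match(value):
            iocs.domain.add(value)
        else:
            iocs.rejected.append(value)  # surfaced for manual review, never silently dropped
    return iocs


def to_lookup_rows(iocs: IocSet) -> list:
    """Flatten into (type, value) rows, e.g. for a SIEM lookup table or EDR blocklist."""
    rows = []
    for kind in ("sha256", "md5", "ipv4", "domain"):
        rows.extend((kind, v) for v in sorted(getattr(iocs, kind)))
    return rows


def match_event(iocs: IocSet, event: dict) -> list:
    """Return the (type, value) indicators an event touches.

    `event` is a hypothetical normalised record with optional keys
    'dst_ip', 'hostname', 'file_sha256' and 'file_md5' (assumed field names).
    """
    hits = []
    checks = (("dst_ip", "ipv4"), ("hostname", "domain"),
              ("file_sha256", "sha256"), ("file_md5", "md5"))
    for key, kind in checks:
        value = str(event.get(key, "")).lower()
        if value and value in getattr(iocs, kind):
            hits.append((kind, value))
    return hits


if __name__ == "__main__":
    parsed = parse_ioc_text(SAMPLE_IOC_TEXT)
    for row in to_lookup_rows(parsed):
        print(*row)
    print("rejected:", parsed.rejected)
    print(match_event(parsed, {"dst_ip": "203.0.113.45", "hostname": "mail.example.com"}))
```

Keeping a `rejected` list matters in practice: an indicator that fails classification (a typo, a defanged `hxxp://` URL, an IPv6 address this parser does not handle) should be reviewed rather than lost, since a silently dropped indicator is a gap in coverage.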

 


 

Mitigation & Response Recommendations 

Immediate Workarounds (Until Patch Is Released) 

  • Restrict Access: 
      • Block external access to Spam Quarantine endpoints. 
      • Limit interface exposure to only trusted IP sources, ideally within internal networks. 
      • Deploy firewalls or WAFs to filter inbound traffic. 
  • Network & Management Segmentation: 
      • Separate mail handling and appliance management interfaces. 
      • Use VLANs or isolated subnets for administrative traffic. 
  • Hardening Configuration: 
      • Disable all non-essential services. 
      • Enforce stronger authentication (SAML/LDAP). 
      • Rotate default credentials. 
      • Enforce SSL/TLS protection across all web management interfaces. 
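The "Restrict Access" workaround is only as good as the rules that implement it, and a rule set that looks restrictive can still leave part of the quarantine listener reachable from untrusted space. The Python below is an added example (not Integrity360's or Cisco's tooling) that audits a simplified rule set against a list of trusted source ranges and reports every allow rule on a quarantine port that still admits addresses outside those ranges. The rule shape, the rule names, the trusted ranges and the quarantine port numbers are assumptions made for the example; take the real ports from the appliance's own configuration.

```python
import ipaddress

# Assumption: the ports the Spam Quarantine web interface listens on. 82 and 83
# are placeholders for this example; read the configured values from your appliance.
QUARANTINE_PORTS = {82, 83}

# Constructed rules in a simplified "source CIDR -> destination port" shape,
# standing in for an upstream firewall policy or the appliance's own access list.
SAMPLE_RULES = [
    {"name": "smtp-inbound",   "src": "0.0.0.0/0",    "dport": 25,  "action": "allow"},
    {"name": "quarantine-any", "src": "0.0.0.0/0",    "dport": 82,  "action": "allow"},
    {"name": "quarantine-int", "src": "10.0.0.0/8",   "dport": 83,  "action": "allow"},
    {"name": "mgmt-https",     "src": "10.50.0.0/16", "dport": 443, "action": "allow"},
    {"name": "deny-rest",      "src": "0.0.0.0/0",    "dport": 83,  "action": "deny"},
]

# Assumption: the only networks from which quarantine access should be possible.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.50.0.0/16", "192.168.100.0/24")]


def untrusted_remainder(src, trusted):
    """Return the parts of `src` not covered by any trusted network.

    Two networks are either disjoint or one contains the other, so each trusted
    range either swallows a piece entirely, is carved out of it, or is ignored.
    """
    remaining = [src]
    for t in trusted:
        nxt = []
        for piece in remaining:
            if piece.subnet_of(t):
                continue                               # fully trusted: drop it
            if t.subnet_of(piece):
                nxt.extend(piece.address_exclude(t))   # carve the trusted range out
            else:
                nxt.append(piece)                      # disjoint: unchanged
        remaining = nxt
    return remaining


def audit_exposure(rules, trusted, ports=QUARANTINE_PORTS):
    """List allow rules on a quarantine port that still reach untrusted sources."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["dport"] not in ports:
            continue
        leak = untrusted_remainder(ipaddress.ip_network(rule["src"]), trusted)
        if leak:
            findings.append({
                "rule": rule["name"],
                "dport": rule["dport"],
                "untrusted_sources": [str(n) for n in leak],
                "untrusted_addresses": sum(n.num_addresses for n in leak),
            })
    return findings


if __name__ == "__main__":
    for f in audit_exposure(SAMPLE_RULES, TRUSTED):
        print(f"{f['rule']}: port {f['dport']} reachable from "
              f"{f['untrusted_addresses']} untrusted addresses, e.g. {f['untrusted_sources'][:3]}")
```

Note that `smtp-inbound` is deliberately not flagged: port 25 must stay reachable for mail delivery, and the point of the audit is to separate the listener that has to be public from the one that never should be. The `quarantine-int` rule shows the less obvious case, where "internal only" still exceeds the trusted set.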

Monitoring and Detection 

Enable verbose logging on appliances. 

Monitor for: 

  • Unusual root-level shell activity. 
  • Reverse SSH connections (AquaTunnel/Chisel). 
  • Log deletion or anomalies (AquaPurge). 

Maintain and regularly review logs to support incident investigations. 
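The three monitoring items above map directly onto three detection rules. The Python below is an added example (not Integrity360's or Cisco's detection content) that runs them over a handful of constructed syslog-style lines: a root shell spawned by a web-facing process, an outbound SSH connection to an address outside the organisation's own ranges, and a root command that truncates or deletes a file under /var/log. The line format, the field names, the process names, the internal address ranges and the sample events are all assumptions for the example and are not AsyncOS's real log format; the parser is the part to adapt to the logs you actually collect.

```python
import ipaddress
import re

# Constructed sample lines in a generic syslog-like shape
# ("<timestamp> <host> <process>[<pid>]: key=value ..."). The format, field
# names and process names are assumptions for this example, not AsyncOS's real
# log format; adapt parse_line() to the logs you actually collect.
SAMPLE_LOGS = [
    "Dec 10 02:14:07 esa01 audit[1022]: event=exec user=admin parent=sshd cmd=/bin/bash",
    "Dec 10 02:14:09 esa01 audit[1022]: event=exec user=root parent=httpd cmd=/bin/sh",
    "Dec 10 02:14:12 esa01 audit[1022]: event=connect user=root proc=ssh dst=203.0.113.45:22",
    "Dec 10 02:14:13 esa01 audit[1022]: event=connect user=mail proc=smtp dst=198.51.100.7:25",
    "Dec 10 02:14:20 esa01 audit[1022]: event=connect user=root proc=ssh dst=10.20.0.5:22",
    "Dec 10 02:15:01 esa01 audit[1022]: event=exec user=root parent=sh cmd=truncate -s 0 /var/log/audit.log",
    "Dec 10 02:15:02 esa01 audit[1022]: event=exec user=root parent=cron cmd=logrotate /etc/logrotate.conf",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<proc>[^\[]+)\[(?P<pid>\d+)\]: (?P<kv>.*)$")
# key=value pairs; a value runs until the next " key=" so a cmd may contain spaces
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Assumptions: the appliance's web-facing worker process names, and the
# organisation's own address ranges (anything outside them counts as external).
WEB_PROCESSES = {"httpd", "nginx", "gui"}
SHELLS = {"/bin/sh", "/bin/bash", "sh", "bash"}
LOG_TAMPER_TOOLS = {"truncate", "rm", "shred", "unlink"}
LOG_PATH_RE = re.compile(r"/var/log/\S+")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_line(line: str):
    """Split a syslog-like line into a dict; returns None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(KV_RE.findall(rec.pop("kv")))
    return rec


def is_external(ip_str: str) -> bool:
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def detect(lines):
    """Return (rule_name, line) for every line matching one of the three patterns."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        event, user = rec.get("event"), rec.get("user")
        if event == "exec":
            cmd = rec.get("cmd", "")
            argv0 = cmd.split()[0] if cmd else ""
            # 1. a root shell whose parent is a web-facing process
            if user == "root" and rec.get("parent") in WEB_PROCESSES and argv0 in SHELLS:
                findings.append(("ROOT_SHELL_FROM_WEB", line))
            # 3. a root command truncating or deleting something under /var/log
            if user == "root" and argv0 in LOG_TAMPER_TOOLS and LOG_PATH_RE.search(cmd):
                findings.append(("LOG_TAMPER", line))
        elif event == "connect":
            # 2. outbound SSH (port 22) from the appliance to an external address
            host, _, port = rec.get("dst", "").rpartition(":")
            if port == "22" and host and is_external(host):
                findings.append(("OUTBOUND_SSH_EXTERNAL", line))
    return findings


if __name__ == "__main__":
    for rule, line in detect(SAMPLE_LOGS):
        print(f"{rule:22} {line}")
```

Two design points carry over to real tooling. The external check uses an explicit list of the organisation's own ranges rather than a generic "is private" test, because what matters is whether the destination is somewhere the appliance should ever open an SSH session to. And the log-tamper rule only fires for root, so routine rotation (the `logrotate` line) is not noise; if the appliance's rotation runs as root, key the rule on the tool name and path as shown rather than loosening the user check.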

 

Incident Response 

 

For Compromised Systems  

  • Rebuild affected appliances completely; removing the malware persistence by rebuilding is currently the only reliable remediation. 
  • Execute full endpoint and network scan for lateral movement. 
  • Re-assess critical credentials and change them post-rebuild. 

 

Integrity360 customers should raise this with their account manager to engage the Incident Response team for compromise assessment or forensic support. 

 

For Non-Compromised Systems 

  • Implement all recommended network restrictions immediately. 

 

Next Steps: 

  • Cisco is working on a security patch; apply it immediately upon release. 

If you are worried about any of the threats outlined in this bulletin, or need help determining what steps you should take to protect your organisation from the most material threats it faces, please contact your account manager or get in touch with Integrity360 to find out how you can protect your organisation. 

 
