Cisco has several important security updates to announce. These updates address an actively exploited vulnerability in its AsyncOS Software, impacting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. This flaw, dubbed CVE-2025-20393, has a critical severity rating. With a CVSS score of 10.0, it leaves all vulnerable systems open to serious attack.
The vulnerability is due to a lack of proper validation of HTTP requests in the Spam Quarantine feature. Industry leader Cisco recently reported that a China-linked advanced persistent threat (APT) group, codenamed UAT-9686, was using this vulnerability as a zero-day threat. Exploitation occurred nearly a month before security updates became available. This delay is a very troubling development for all organizations relying upon Cisco’s email security products.
Details of the Exploit
Cisco’s internal investigation found that by late November 2025, UAT-9686 was already actively exploiting CVE-2025-20393. The main goal of the attackers was to install a new lightweight Python backdoor named AquaShell. This backdoor has the capability to receive and decode commands encoded in alphanumeric text. It runs them on vulnerable machines, providing access to sensitive information and functionalities.
The attack involved AquaShell & other tunneling tools. These tools—such as ReverseSSH, which is also known as AquaTunnel, and Chisel—were in frequent use during active deployments. Together, these tools allow for even deeper exploitation and more effective communication with advanced persistent threat (APTs) infected devices. The attackers attempted to hide their tracks using a log cleaning utility known as AquaPurge. This tool allowed them to obfuscate their activity and prevent detection by system admins.
Conditions for Exploitation
For this exploitation to be successful it requires certain conditions to be met. To be vulnerable, the Cisco appliance must be running an affected release of AsyncOS Software. Furthermore, it has to be set up using our Spam Quarantine feature. This feature has to be published to the internet, opening it up for nefarious attacks. Inflexible organizations that have not upgraded their systems are at great risk. This vulnerability allows attackers to run completely arbitrary commands remotely.
Cisco encourages all customers to immediately apply the necessary security updates. This action represents big progress in reducing the danger posed by this dangerous defect. It’s particularly important, says Manor, to check how systems are set up. Doing so keeps extraneous features safe and unexposed to the public internet, guarding against accidental data leaks.