A critical security flaw in Cisco's Secure Email Gateways has been actively exploited, leaving organizations vulnerable to a sophisticated cyberattack. This vulnerability, a zero-day exploit, was discovered and patched by Cisco after being actively used by a China-linked advanced persistent threat (APT) group. Let's dive deeper into what happened and how to stay safe.
On January 16, 2026, Cisco released security updates to address a severe vulnerability impacting its AsyncOS Software, which is used in Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. This update came nearly a month after the company revealed that a China-nexus APT, known as UAT-9686, was actively exploiting this flaw.
The vulnerability, identified as CVE-2025-20393, carries a maximum severity rating with a CVSS score of 10.0. It's a remote command execution (RCE) flaw, meaning attackers could remotely execute commands on affected systems. This vulnerability stems from inadequate validation of HTTP requests within the Spam Quarantine feature. If exploited, attackers could gain root privileges, giving them complete control over the underlying operating system of the email gateway.
But here's where it gets controversial... For the attack to be successful, three specific conditions must align:
- The appliance must be running a vulnerable version of Cisco AsyncOS Software.
- The appliance must have the Spam Quarantine feature enabled.
- The Spam Quarantine feature must be accessible from the internet.
Last month, Cisco reported that UAT-9686 had been exploiting this vulnerability since late November 2025. The attackers deployed tunneling tools like ReverseSSH (also known as AquaTunnel) and Chisel, along with a log cleaning utility called AquaPurge. They also used a lightweight Python backdoor, dubbed AquaShell, to receive and execute encoded commands.
The good news? Cisco has addressed the vulnerability in the following software versions, and has also removed the persistence mechanisms used in the attack:
Cisco Email Security Gateway:
- Cisco AsyncOS Software Release 14.2 and earlier (Fixed in 15.0.5-016)
- Cisco AsyncOS Software Release 15.0 (Fixed in 15.0.5-016)
- Cisco AsyncOS Software Release 15.5 (Fixed in 15.5.4-012)
- Cisco AsyncOS Software Release 16.0 (Fixed in 16.0.4-016)
Secure Email and Web Manager:
- Cisco AsyncOS Software Release 15.0 and earlier (Fixed in 15.0.2-007)
- Cisco AsyncOS Software Release 15.5 (Fixed in 15.5.4-007)
- Cisco AsyncOS Software Release 16.0 (Fixed in 16.0.4-010)
What can you do to protect yourself? Cisco recommends the following hardening guidelines:
- Restrict access from unsecured networks.
- Secure appliances behind a firewall.
- Monitor web log traffic for unusual activity.
- Disable HTTP for the main administrator portal.
- Disable unnecessary network services.
- Enforce strong end-user authentication (e.g., SAML or LDAP).
- Change the default administrator password to a strong, unique one.
And this is the part most people miss... The speed at which this zero-day was exploited highlights the importance of staying vigilant and promptly applying security patches. Could this be a sign of more sophisticated attacks to come? What are your thoughts on the impact of this vulnerability and the measures Cisco has taken? Share your opinions in the comments below!
