Cisco on Thursday announced patches for a vulnerability in Secure Email Gateway (formerly ESA) and Secure Email and Web Manager (formerly Content SMA) that has been exploited in attacks.
Tracked as CVE-2025-20393 (CVSS score of 10/10), the security defect was disclosed on December 17, one week after Cisco’s Talos researchers observed its in-the-wild exploitation as a zero-day.
“This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance,” Cisco said at the time.
The company said the attacks targeted only a small set of appliances, and attributed the campaign to UAT-9686, a China-linked APT.
On Thursday, Cisco updated its advisory to provide information on the flaw, the affected products, and the available patches.
The flaw affects the Spam Quarantine feature of the AsyncOS software running on Secure Email Gateway and Cisco Secure Email and Web Manager, and exists due to insufficient validation of HTTP requests.
An unauthenticated, remote attacker can exploit it by sending crafted HTTP requests to a vulnerable appliance, achieving arbitrary command execution on the underlying operating system with root privileges.
The vulnerability was resolved in AsyncOS versions 15.0.5-016, 15.5.4-012, and 16.0.4-016 for Secure Email Gateway, and in AsyncOS versions 15.0.2-007, 15.5.4-007, and 16.0.4-010 for Secure Email and Web Manager.
There are no workarounds for the bug. Users can update their software over the network, via the System Upgrade options available in the appliances’ web-based management interface.
“Cisco recommends upgrading the affected appliances to a fixed software release. The fix addresses the vulnerability used by threat actors and clears the persistence mechanisms that were identified in this attack campaign and installed on the appliances,” Cisco notes.
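For teams triaging a fleet of appliances, the following is an added helper (not Cisco's tooling and not from the original article) that compares an appliance's AsyncOS version against the fixed releases quoted above, on a per-release-train basis. It assumes the `major.minor.patch-build` version format shown in the article; trains not listed in the advisory excerpt are flagged for manual review rather than judged.

```python
import re
from typing import Optional

# Fixed AsyncOS releases as reported in the article, keyed by product.
# Each entry covers one release train (major.minor).
FIXED_RELEASES = {
    "Secure Email Gateway": ["15.0.5-016", "15.5.4-012", "16.0.4-016"],
    "Secure Email and Web Manager": ["15.0.2-007", "15.5.4-007", "16.0.4-010"],
}

# Assumption: AsyncOS versions look like 15.0.5-016 (major.minor.patch-build).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(v: str) -> tuple:
    """Parse an AsyncOS version string into a tuple that compares numerically."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version format: {v!r}")
    return tuple(int(x) for x in m.groups())


def fixed_for_train(product: str, version: str) -> Optional[str]:
    """Return the fixed release on the same major.minor train, or None if unlisted."""
    major, minor, _, _ = parse_version(version)
    for fixed in FIXED_RELEASES[product]:
        fmaj, fmin, _, _ = parse_version(fixed)
        if (fmaj, fmin) == (major, minor):
            return fixed
    return None


def assess(product: str, version: str) -> str:
    """Classify an appliance as 'patched', 'needs-upgrade' or 'train-not-listed'."""
    fixed = fixed_for_train(product, version)
    if fixed is None:
        # Assumption: trains absent from the excerpt are reviewed against the full advisory.
        return "train-not-listed"
    return "patched" if parse_version(version) >= parse_version(fixed) else "needs-upgrade"


if __name__ == "__main__":
    # Constructed sample inventory, not real appliance data.
    inventory = [
        ("Secure Email Gateway", "15.0.5-016"),
        ("Secure Email Gateway", "15.5.3-020"),
        ("Secure Email and Web Manager", "16.0.4-010"),
        ("Secure Email and Web Manager", "14.3.0-032"),
    ]
    for product, ver in inventory:
        print(f"{product:30} {ver:12} {assess(product, ver)}")
```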
UAT-9686 has been exploiting the Cisco zero-day since at least November 2025 to deploy the Python-based backdoor AquaShell, along with the reverse SSH tunnel AquaTunnel (aka ReverseSSH), the Chisel tunneling tool, and the log-clearing utility AquaPurge.