Article Details
Scrape Timestamp (UTC): 2026-01-16 05:42:40.372
Source: https://thehackernews.com/2026/01/cisco-patches-zero-day-rce-exploited-by.html
Original Article Text
Click to Toggle View
Cisco Patches Zero-Day RCE Exploited by China-Linked APT in Secure Email Gateways. Cisco on Thursday released security updates for a maximum-severity security flaw impacting Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, nearly a month after the company disclosed that it had been exploited as a zero-day by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686. The vulnerability, tracked as CVE-2025-20393 (CVSS score: 10.0), is a remote command execution flaw arising as a result of insufficient validation of HTTP requests by the Spam Quarantine feature. Successful exploitation of the defect could permit an attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance. However, for the attack to work, three conditions must be met - Last month, the networking equipment major revealed that it found evidence of UAT-9686 exploiting the vulnerability as early as late November 2025 to drop tunneling tools like ReverseSSH (aka AquaTunnel) and Chisel, and a log cleaning utility called AquaPurge. The attacks are also characterized by the deployment of a lightweight Python backdoor dubbed AquaShell that's capable of receiving encoded commands and executing them. The vulnerability has now been addressed in the following versions, in addition to removing the persistence mechanisms that were identified in this attack campaign and installed on the appliances - Cisco Email Security Gateway Secure Email and Web Manager Additionally, Cisco is also urging customers to follow hardening guidelines to prevent access from the unsecured networks, secure the appliances behind a firewall, monitor web log traffic for any unexpected traffic to/from appliances, disable HTTP for the main administrator portal, disable any network services that are not required, enforce a strong form of end-user authentication to the appliances (e.g., SAML or LDAP), and change the default administrator password to a more secure variant.
Daily Brief Summary
Cisco released patches for a critical zero-day vulnerability in its Secure Email Gateway, exploited by a China-linked APT group known as UAT-9686.
The flaw, CVE-2025-20393, allows remote command execution with root privileges due to improper HTTP request validation in the Spam Quarantine feature.
Exploitation requires specific conditions and has been used since November 2025 to deploy tools like ReverseSSH and a Python backdoor named AquaShell.
Cisco's updates not only patch the vulnerability but also remove persistence mechanisms used in the attack campaign, enhancing overall security.
Customers are advised to implement hardening measures, such as securing appliances behind firewalls, disabling unnecessary services, and enforcing strong authentication.
Monitoring web log traffic for unusual activity is crucial to detect potential exploitation attempts and safeguard network integrity.
This incident underscores the importance of timely patch management and robust security configurations to mitigate advanced persistent threats.