By Guru Baran
Publication Date: 2025-12-18 03:08:00
An active campaign is exploiting a zero-day vulnerability in Cisco AsyncOS Software, targeting Secure Email Gateway (formerly Email Security Appliance, ESA) and Secure Email and Web Manager (formerly Content Security Management Appliance, SMA).
The attacks, observed since late November 2025 and publicly disclosed on December 10, allow attackers to run system-level commands and plant a persistent Python backdoor dubbed "AquaShell."
Cisco Talos attributes the operation with moderate confidence to UAT-9686, a Chinese-nexus advanced persistent threat (APT) actor. Overlaps in tactics, techniques, and procedures (TTPs), tooling, and infrastructure link UAT-9686 to groups such as APT41 and UNC5174.
Notably, the custom web implant AquaShell mirrors techniques adopted by sophisticated Chinese APTs for stealthy persistence.
The intrusion vector affects appliances with non-standard configurations, as detailed in Cisco's advisory. Attackers embed AquaShell into…

