VMVirtualMachine.com

Cisco AsyncOS Zero-Day Actively Exploited to Execute System-Level Commands

By AnuPriya
Publication Date: 2025-12-18 07:02:00

Cisco Talos has discovered an ongoing campaign exploiting a critical zero-day vulnerability in Cisco AsyncOS Software affecting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.

The flaw allows attackers to execute system-level commands remotely and deploy sophisticated backdoors on compromised systems, posing a significant threat to enterprise email security infrastructure.

The attack campaign is attributed to UAT-9686, assessed with moderate confidence to be a Chinese-nexus advanced persistent threat group.

Cisco identified the malicious activity on December 10, 2025, though evidence suggests attacks commenced in late November 2025, potentially affecting organizations for weeks without detection.

The threat actors employ a multi-stage attack framework that includes custom-developed tools for persistence and lateral movement.

AquaShell, a lightweight Python backdoor, represents the core persistence mechanism. This malware embeds itself into…
