By John E. Dunn
Publication Date: 2026-01-16 23:06:00
“Talos assesses with moderate confidence that this activity is being conducted by a Chinese-nexus threat actor, which we track as UAT-9686. As part of this activity, UAT-9686 deploys a custom persistence mechanism we track as ‘AquaShell’ accompanied by additional tooling meant for reverse tunneling and purging logs,” Cisco Talos said.
This week, more than a month after the first public warning, and seven weeks after the first exploits were detected, Cisco issued an AsyncOS patch fixing the vulnerability.
Does the delay matter?
The exploit only affects a subset of customers running a Secure Email Gateway or Secure Email and Web Manager with the Spam Quarantine service exposed on a public port.
According to Cisco, this feature is not enabled by default, and, it said, “deployment guides for these products do not require this feature to be directly exposed to the internet.” This makes it sound as if customers enabling the feature would be the…
