By Sergiu Gatlan
Publication Date: 2025-12-17 18:45:00
Cisco warned customers today of an unpatched, maximum-severity Cisco AsyncOS zero-day actively exploited in attacks targeting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances.
This yet-to-be-patched zero-day (CVE-2025-20393) affects only Cisco SEG and Cisco SEWM appliances with non-standard configurations, when the Spam Quarantine feature is enabled and exposed on the Internet.
Cisco Talos, the company’s threat intelligence research team, believes a Chinese threat group tracked as UAT-9686 is behind attacks abusing this security flaw to execute arbitrary commands with root and deploy AquaShell persistent backdoors, AquaTunnel and Chisel reverse SSH tunnel malware implants, and a log-clearing tool named AquaPurge. Indicators of compromise are available in this GitHub repository.
AquaTunnel and other malicious tools used in these attacks have also been linked in the past with other Chinese state-backed hacking groups such as UNC5174…