Vulnerabilities | January 16, 2026 | 4 min read

Cisco Patches Email Gateway Zero-Day Exploited by Chinese APT

AsyncOS fixes released for CVE-2025-20393 after weeks of active exploitation. Compromised appliances require full rebuild to remove persistent backdoors.

Marcus Chen

Cisco released patches today for CVE-2025-20393, the critical zero-day vulnerability in Secure Email Gateway appliances that Chinese threat actors have been exploiting since late November. Organizations running affected AsyncOS versions should update immediately—but those already compromised face a harder path to recovery.

The vulnerability carries a maximum CVSS 10.0 severity score. Successful exploitation grants attackers root access to the underlying operating system, and the threat group responsible has been deploying persistent backdoors that survive reboots and standard remediation attempts.

The Patch

Cisco's fixed releases include AsyncOS 15.0.1-273 for Secure Email Gateway and corresponding updates for Secure Email and Web Manager. Organizations should verify they're running patched versions and update any lagging appliances immediately.

We covered this vulnerability when Cisco disclosed it in December. At that time, no patch was available, and the company advised organizations to restrict internet access to the Spam Quarantine feature—the attack vector enabling exploitation.

The weeks between disclosure and patch gave attackers additional time to compromise vulnerable appliances. Organizations that didn't implement mitigations during that window should assume they were targeted.

Persistent Compromise Problem

Patching alone isn't sufficient for appliances that were compromised before the fix. Cisco Talos documented the threat actor—tracked as UAT-9686—deploying multiple persistence mechanisms including AquaShell, a Python-based backdoor embedded in AsyncOS web server files.

AquaShell executes encoded shell commands sent via unauthenticated HTTP POST requests. It survives normal reboots and isn't removed by standard software updates. The attackers also deployed tunneling tools (ReverseSSH, Chisel) and a log cleaning utility called AquaPurge to cover their tracks.

From Cisco's advisory: "In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors' persistence mechanism from the appliance."

Rebuilding means wiping the appliance and reinstalling from clean media—a significant operational impact for email security infrastructure. Organizations must plan for downtime and ensure they have clean backups of configuration data that weren't modified by attackers.

Checking for Compromise

Signs of compromise may include:

  • Unexpected files in web server directories
  • Modified system binaries or configuration files
  • Unusual outbound connections (particularly SSH tunnels)
  • Gaps in logs or evidence of log manipulation
  • New scheduled tasks or startup scripts

Cisco Talos published indicators of compromise in their December analysis. Security teams should review those IOCs against their appliance logs and file systems before assuming patching is sufficient.

The attackers demonstrated awareness of forensic techniques. AquaPurge specifically targets log files to remove evidence. Absence of obvious indicators doesn't guarantee clean systems—it may mean the attackers were thorough.
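Two of the checks from the list above, written as an added example rather than Cisco's or Talos's own tooling: a log-gap detector for the "gaps in logs" indicator and a baseline comparison for "unexpected files in web server directories". The log format, the timestamps, the file paths and the baseline manifest are all constructed sample data, not indicators from the advisory.

```python
"""Added example: log-gap detection and web-directory baseline comparison.
All sample data below is constructed; paths and log format are assumptions."""
from datetime import datetime, timedelta

# Constructed syslog-like lines (assumed format: "YYYY-MM-DD HH:MM:SS ...").
SAMPLE_LOG = """\
2025-12-02 08:00:01 mail_logs: Info: Message 1001 accepted
2025-12-02 08:03:12 mail_logs: Info: Message 1002 accepted
2025-12-02 08:05:40 mail_logs: Info: Message 1003 accepted
2025-12-02 11:47:03 mail_logs: Info: Message 1004 accepted
2025-12-02 11:49:15 mail_logs: Info: Message 1005 accepted
"""


def find_log_gaps(log_text, max_gap=timedelta(minutes=30)):
    """Return (previous, next) timestamp pairs whose spacing exceeds max_gap.
    A busy gateway rarely goes silent for long, so a large gap is a candidate
    for purged log entries and should be cross-checked against other sources."""
    stamps = []
    for line in log_text.splitlines():
        try:
            stamps.append(datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"))
        except ValueError:
            continue  # line has no leading timestamp; skip it
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]


# Constructed baseline (assumption: a manifest taken from a known-clean
# appliance on the same release) versus a constructed live listing.
# The directory name is hypothetical, not an AsyncOS path from the advisory.
BASELINE = {"/hypothetical/www/index.py", "/hypothetical/www/quarantine.py"}
LIVE_LISTING = {"/hypothetical/www/index.py", "/hypothetical/www/quarantine.py",
                "/hypothetical/www/.cache.py"}


def unexpected_files(live, baseline):
    """Files present on the appliance but absent from the clean baseline."""
    return sorted(live - baseline)


if __name__ == "__main__":
    for a, b in find_log_gaps(SAMPLE_LOG):
        print(f"log gap: {a} -> {b} ({b - a})")
    for path in unexpected_files(LIVE_LISTING, BASELINE):
        print(f"unexpected web file: {path}")
```

Both checks only surface candidates; a flagged gap or file still needs manual review, and a clean result does not rule out compromise given the log-cleaning tooling described above.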

Attribution

Cisco Talos attributes the campaign to UAT-9686, assessed with moderate confidence to be a China-affiliated threat actor. The group's tooling overlaps with malware previously associated with APT41 and UNC5174, both well-documented Chinese state-sponsored groups.

The targeting focus—email security appliances—aligns with espionage objectives. Email gateways see all inbound and outbound messages for an organization. Compromising them provides visibility into communications without touching individual endpoints or mail servers.

Recommendations

  1. Patch immediately: Apply AsyncOS 15.0.1-273 or later to all Secure Email Gateway and Secure Email and Web Manager appliances

  2. Assess for compromise: Review appliances for IOCs published by Cisco Talos, particularly signs of AquaShell, AquaPurge, and tunneling tools

  3. Plan rebuilds: If compromise indicators exist—or if appliances were internet-exposed during the vulnerable period—schedule full rebuilds from clean images

  4. Restrict Spam Quarantine: Ensure the feature is no longer exposed to the public internet, even after patching

  5. Monitor post-patch: Watch for unusual behavior that might indicate attackers attempting to regain access

The extended exploitation window means this vulnerability likely affected more organizations than typical zero-days. Chinese state-sponsored groups are known for patient, persistent campaigns. Even after patching and rebuilding, maintain heightened monitoring for signs of renewed access attempts.
