Code Defence Cyber security

Cisco Zero-Day Crisis: “AquaShell” Backdoor Spreads via Chinese APT UAT-9686

The situation regarding the unpatched Cisco zero-day (CVE-2025-20393) has escalated. Cisco Talos reports that the Chinese-nexus group UAT-9686 is now actively deploying AquaShell, a custom Python-based backdoor. This malware provides persistent root access to Cisco Secure Email Gateways, allowing attackers to pivot into internal corporate networks using traffic proxying tools like Chisel.

Business Impact

Because this attack compromises the email gateway itself, it effectively neutralizes the primary filter for all incoming threats. Attackers can intercept, modify, or leak executive communications and sensitive internal attachments. Rebuilding the appliance remains the only way to ensure eradication until a patch is released.

Why It Happened

The exploit targets the ‘Spam Quarantine’ feature. While not a default setting, organizations that exposed this management interface to the internet for remote accessibility created an unintended entry point for state-level espionage.

Recommended Executive Action

Audit all Cisco Secure Email and Web Manager appliances. If the ‘Spam Quarantine’ feature is internet-facing, assume compromise. Follow Cisco’s GitHub repository for updated Indicators of Compromise (IoCs) and restrict appliance management to trusted internal IPs only.

Hashtags: #Cisco #ZeroDay #AquaShell #China #APT #UAT9686 #CyberSecurity #PatchAlert #InfoSec
