Code Defence Cyber security

Cisco Zero-Day Escalation: “AquaShell” Backdoor Bypasses Standard Log Forensics

The exploitation of CVE-2025-20393 in Cisco Secure Email products has intensified. The Chinese-nexus actor UAT-9686 is now using a new tool, AquaPurge, built specifically to scrub forensic traces from AsyncOS logs. Combined with the AquaShell Python backdoor, this allows long-term, unmonitored access to enterprise mail streams.

Business Impact

For your clients in Bahrain, this is a “blind spot” risk. Standard SIEM alerts may show the appliance is healthy even while data is being exfiltrated. Because the attacker can purge logs, retrospective forensic audits become nearly impossible without memory-based analysis. The only guaranteed remediation remains a full appliance rebuild.
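The forensic blind spot described above exists only where the appliance's local log is the sole copy. A practical counter is to reconcile that local copy against a log stream that was forwarded off-box (to a syslog collector or SIEM) before the attacker could touch it: anything present off-box but absent locally is evidence of purging, and the timestamps of the missing entries bound the intrusion window. The following is an added example, not code from the original post or from Cisco; the log lines are constructed samples in a generic syslog-like layout (ISO timestamp, host, process, message) and are not real AsyncOS output.

```python
"""Reconcile an appliance-local log against an off-box copy to surface
purged entries. Added example, not code from the original post; the
sample lines are constructed in a generic syslog-like layout and the
field order (timestamp first) is an assumption, not an AsyncOS format."""

from collections import Counter

# Constructed: what the syslog collector / SIEM received as events occurred.
FORWARDED_LOG = """\
2025-12-01T10:00:01 mail-gw gui: login admin from 198.51.100.10
2025-12-01T10:00:02 mail-gw quarantine: request from 203.0.113.7
2025-12-01T10:00:05 mail-gw quarantine: handler error for request
2025-12-01T10:00:05 mail-gw quarantine: handler error for request
2025-12-01T10:00:12 mail-gw shell: session opened for uid 0
2025-12-01T10:00:40 mail-gw smtp: connection from 192.0.2.5
"""

# Constructed: the same log as read from the appliance later; the entries
# from the intrusion window have been removed, and one of the duplicated
# error lines is gone too.
LOCAL_LOG = """\
2025-12-01T10:00:01 mail-gw gui: login admin from 198.51.100.10
2025-12-01T10:00:05 mail-gw quarantine: handler error for request
2025-12-01T10:00:40 mail-gw smtp: connection from 192.0.2.5
"""


def entries(text):
    """One entry per non-empty line; trailing whitespace is ignored."""
    return [ln.rstrip() for ln in text.splitlines() if ln.strip()]


def purged_entries(forwarded, local):
    """Entries present off-box but missing locally, in forwarded order.
    A Counter (multiset) is used so that a line seen twice off-box and
    once locally still has one copy reported as purged."""
    remaining = Counter(entries(local))
    missing = []
    for entry in entries(forwarded):
        if remaining[entry] > 0:
            remaining[entry] -= 1
        else:
            missing.append(entry)
    return missing


def purge_window(missing):
    """(first, last) ISO timestamp among the purged entries, or None.
    ISO-8601 timestamps sort lexically, so no date parsing is needed."""
    if not missing:
        return None
    stamps = sorted(line.split(" ", 1)[0] for line in missing)
    return stamps[0], stamps[-1]


def reconcile(forwarded=FORWARDED_LOG, local=LOCAL_LOG):
    """Summary a responder can act on: how many entries were purged,
    over which interval, and which lines they were."""
    missing = purged_entries(forwarded, local)
    return {
        "purged_count": len(missing),
        "window": purge_window(missing),
        "entries": missing,
    }


if __name__ == "__main__":
    result = reconcile()
    print(f"{result['purged_count']} entries purged, window {result['window']}")
    for line in result["entries"]:
        print("  MISSING:", line)
```

Run against the constructed samples, the check reports three purged entries between 10:00:02 and 10:00:12. The comparison is exact-line, so clock skew or a collector that rewrites lines will produce false positives; normalising both sides to the same shape before comparing is the usual fix, and the point stands that the off-box copy must be written before the appliance is compromised to be of any use.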

Why It Happened

Attackers are exploiting a vulnerability in the ‘Spam Quarantine’ management interface. By gaining root-level shell access, they bypass the restricted administrative GUI, allowing them to manipulate the underlying filesystem and delete evidence of their presence.

Recommended Executive Action

CISA has mandated remediation by Dec 24. Since no patch exists, organizations must immediately move management interfaces behind a VPN and restrict them to trusted admin IPs. If Spam Quarantine was internet-facing, assume compromise and trigger a disaster recovery rebuild of the appliance firmware.
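The action above reduces to one verifiable condition: no rule may allow a management listener to be reached from a source that is not wholly inside the trusted admin set, and any rule that allows it from everywhere means the interface was internet-facing and the "assume compromise" branch applies. The audit below is an added example, not Cisco's tooling or the original post's code; the rule format (name, source CIDR, destination port, action), the trusted networks, and the management port numbers are all constructed placeholders to be replaced with the organisation's own values.

```python
"""Audit management-interface access rules against a trusted-admin
allowlist. Added example, not vendor tooling; the rule tuple format,
the trusted CIDRs and the port numbers are assumptions / placeholders."""

import ipaddress

# Assumed: the networks from which administrators reach the appliance
# (e.g. the VPN pool and a jump host). Replace with real values.
TRUSTED_ADMIN = [ipaddress.ip_network(c) for c in ("10.20.0.0/24", "10.20.1.5/32")]

# Assumed placeholder listeners for the management GUI and shell; the real
# set depends on how the appliance is configured.
MGMT_PORTS = {443, 22}

# Constructed sample ruleset: (name, source_cidr, dst_port, action).
RULES = [
    ("admin-vpn", "10.20.0.0/24", 443, "allow"),
    ("legacy-any", "0.0.0.0/0", 443, "allow"),
    ("partner", "198.51.100.0/24", 22, "allow"),
    ("smtp-inbound", "0.0.0.0/0", 25, "allow"),
    ("deny-all", "0.0.0.0/0", 443, "deny"),
]


def is_trusted(src_net, trusted):
    """True when every address in src_net lies inside one trusted block.
    subnet_of() raises on mixed IP versions, so those are skipped."""
    return any(src_net.subnet_of(t) for t in trusted if src_net.version == t.version)


def exposed_rules(rules, trusted=TRUSTED_ADMIN, mgmt_ports=MGMT_PORTS):
    """Allow rules that reach a management port from a source not wholly
    inside the trusted set. Each allow rule is judged on its own rather
    than modelling first-match ordering; that is the conservative choice,
    since a later deny does not make an earlier allow safe."""
    findings = []
    for name, src, port, action in rules:
        if action != "allow" or port not in mgmt_ports:
            continue
        net = ipaddress.ip_network(src, strict=False)
        if not is_trusted(net, trusted):
            findings.append((name, src, port))
    return findings


def internet_facing(rules, trusted=TRUSTED_ADMIN, mgmt_ports=MGMT_PORTS):
    """True if any exposed rule allows a management port from the whole
    address space (prefix length 0), which is the 'assume compromise' case."""
    for _name, src, _port in exposed_rules(rules, trusted, mgmt_ports):
        if ipaddress.ip_network(src, strict=False).prefixlen == 0:
            return True
    return False


if __name__ == "__main__":
    for name, src, port in exposed_rules(RULES):
        print(f"EXPOSED  {name}: {src} -> tcp/{port}")
    if internet_facing(RULES):
        print("Management interface was internet-facing: treat appliance as compromised.")
```

On the constructed ruleset the audit flags "legacy-any" (management GUI open to everyone) and "partner" (shell reachable from a non-admin network), ignores the SMTP rule because port 25 is not a management listener, and returns the internet-facing verdict because of the 0.0.0.0/0 allow. The same check is worth re-running after the rebuild, since a restored configuration can silently bring the old rule back.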

Hashtags: #Cisco #ZeroDay #AquaShell #AquaPurge #China #APT #UAT9686 #CISA #CyberSecurity #InfoSec
