Key Takeaways
Cisco has confirmed that hackers are targeting its customers by exploiting a critical zero-day vulnerability in the Cisco AsyncOS software used in some of the company's most critical security products. Attackers are leveraging this flaw to gain unauthorized access and install persistent backdoors on affected devices, effectively allowing a complete takeover of the system.
The exploit, first noticed on December 10, specifically targets physical and virtual Cisco Secure Email Gateway, Cisco Secure Email, and Web Manager appliances. The vulnerability is exploitable only when the Spam Quarantine feature is:
The company has confirmed that Cisco Secure Email Cloud devices are not affected and is not aware of any exploitation activity targeting Cisco Secure Web.
While this feature is not enabled by default, the potential impact for organizations that utilize it is severe. Security researchers warn that because these products are widely used by large enterprises, the Cisco zero-day vulnerability poses a significant risk to global infrastructure.
The campaign, identified by Cisco Talos in a recent analysis, has been attributed with moderate confidence to an advanced persistent threat (APT) tracked as UAT-9686, a Chinese-nexus actor whose tool use and infrastructure are consistent with other Chinese threat groups, such as APT41 and UNC5174.
“As part of this activity, UAT-9686 deploys a custom persistence mechanism we track as AquaShell, accompanied by additional tooling meant for reverse tunneling and purging logs,” said the Talos Intelligence report.
As of the disclosure, no patches are available to remediate this vulnerability. Cisco's current advisory guidance is:
To determine whether Spam Quarantine is enabled on a Cisco Secure Email Gateway appliance or a Cisco Secure Email and Web Manager appliance, connect to the web management interface and navigate to Network/Management Appliance > IP Interfaces > [Select the Interface on which Spam Quarantine is configured]. The feature is enabled if the checkbox next to Spam Quarantine is ticked.
The company is actively investigating the extent of the compromise and developing a permanent remediation, though the timeline for a patch remains unspecified.
In late November, ASUS fixed a high-severity MyASUS vulnerability that allowed privilege escalation to SYSTEM-level access, while an APT exploited Cisco and Citrix zero-days, CVE-2025-20337 and CVE-2025-5777, earlier that month.