An active zero-day exploit in Cisco AsyncOS is being used to target Secure Email Gateway and Secure Email & Web Manager appliances.
The campaign, active since late November 2025 and disclosed on December 10, lets attackers run system-level commands and install a persistent Python backdoor called AquaShell.
Cisco Talos links the activity to UAT-9686, a China-nexus APT with overlaps to groups like APT41 and UNC5174. AquaShell uses stealthy persistence methods commonly seen in advanced Chinese threat groups.
The attackers compromise appliances with non-standard configurations. They insert AquaShell into index.py, where it quietly waits for unauthenticated POST requests, decodes the payload, and executes shell commands.
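As an added defender-side illustration (not code from the advisory, Cisco, or Talos), the following flags unauthenticated POST requests to index.py in web access logs, which is the trigger pattern described above; the log line format and the sample entries are constructed, since the appliance's real log layout is not given here.

```python
import re
from dataclasses import dataclass

# Constructed log format (assumption, not the appliance's real format):
# "<ip> <user|-> [<timestamp>] \"<METHOD> <path> HTTP/1.1\" <status>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

@dataclass(frozen=True)
class Finding:
    ip: str
    ts: str
    path: str
    reason: str

def suspicious_requests(lines, watched_path="/index.py"):
    """Return a Finding for every POST to the watched script with no authenticated user."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production job would count and report these
        if m["method"] != "POST":
            continue
        # Compare the path without its query string so /index.py?x=1 is still matched
        if not m["path"].split("?")[0].endswith(watched_path):
            continue
        if m["user"] == "-":
            findings.append(Finding(m["ip"], m["ts"], m["path"],
                                    "unauthenticated POST to index.py"))
    return findings

# Constructed sample traffic (documentation IP ranges, not real observations)
SAMPLE_LOG = [
    '192.0.2.10 admin [10/Dec/2025:08:01:02 +0000] "GET /index.py HTTP/1.1" 200',
    '198.51.100.7 - [10/Dec/2025:08:05:44 +0000] "POST /index.py HTTP/1.1" 200',
    '198.51.100.7 - [10/Dec/2025:08:06:01 +0000] "POST /index.py?x=1 HTTP/1.1" 200',
    '192.0.2.11 - [10/Dec/2025:08:07:15 +0000] "GET /login HTTP/1.1" 200',
    '192.0.2.12 admin [10/Dec/2025:08:09:30 +0000] "POST /index.py HTTP/1.1" 200',
]

if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE_LOG):
        print(finding)
```

An authenticated POST to index.py is ordinary admin-UI traffic and is deliberately not flagged; pair this check with a file-integrity comparison of index.py against a known-good copy, since the log alone cannot show whether the handler has been modified.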
After gaining access, the threat actors deploy extra tools:
• AquaTunnel – a Go-based reverse SSH tunnel
• Chisel – for tunneling TCP/UDP traffic
• AquaPurge – a log-cleaning script to hide activity
Because the Secure Email & Web Manager oversees email filtering and policies, it is a high-impact target.
Cisco urges customers to check the advisory for IOCs and apply remediation immediately.