Cisco on Thursday released security updates for a maximum-severity security flaw in Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, almost a month after the company revealed that a China-nexus advanced persistent threat (APT) actor it tracks as UAT-9686 had been exploiting it. The vulnerability, tracked as CVE-2025-20393 (CVSS score: 10.0), is a remote command execution flaw caused by insufficient validation of HTTP requests in the Spam Quarantine feature.

A successful exploit could allow an attacker to run arbitrary commands with root privileges on the underlying operating system of an affected appliance.

Exploitation is only possible when all three of the following conditions hold: the appliance runs a vulnerable release of Cisco AsyncOS Software, the Spam Quarantine feature is enabled on the appliance, and the Spam Quarantine feature is reachable from the internet.

The networking equipment major disclosed last month that it had found evidence of UAT-9686 exploiting the vulnerability as early as late November 2025 to deploy a log-cleaning tool called AquaPurge and tunneling tools such as ReverseSSH (also known as AquaTunnel) and Chisel. The attacks are also characterized by the use of a lightweight Python backdoor called AquaShell, which receives and executes encoded commands.

The fixed releases, which also remove the persistence mechanisms this campaign installed on compromised appliances, are as follows:

Cisco Secure Email Gateway
  Cisco AsyncOS Software Release 14.2 and earlier: migrate to a fixed release (15.0.5-016)
  Cisco AsyncOS Software Release 15.0: fixed in 15.0.5-016
  Cisco AsyncOS Software Release 15.5: fixed in 15.5.4-012
  Cisco AsyncOS Software Release 16.0: fixed in 16.0.4-016

Cisco Secure Email and Web Manager
  Cisco AsyncOS Software Release 15.0 and earlier: fixed in 15.0.2-007
  Cisco AsyncOS Software Release 15.5: fixed in 15.5.4-007
  Cisco AsyncOS Software Release 16.0: fixed in 16.0.4-010

Cisco is also advising customers to monitor web logs and network traffic for any unexpected traffic to or from the appliances, place the appliances behind a firewall, follow its hardening guidelines to block access from untrusted networks, disable HTTP for the main administrator portal, disable any unnecessary network services, enforce a strong end-user authentication method (such as SAML or LDAP) for the appliances, and replace the default administrator password with a stronger one.
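The following script is an added triage example for this article, not a Cisco tool: it compares an AsyncOS build string against the fixed releases listed above and combines the result with the other two exploitation preconditions (Spam Quarantine enabled and reachable from the internet). It assumes AsyncOS version strings have the form MAJOR.MINOR.PATCH-BUILD (for example "15.0.5-016"), that builds older than the first listed train are handled by migrating to that train's fixed build as the advisory summary describes, and that the product keys "esa" and "sma" are this script's own shorthand for Secure Email Gateway and Secure Email and Web Manager.

```python
"""Triage helper for CVE-2025-20393 (added example, not Cisco tooling).

Assumptions: AsyncOS versions look like MAJOR.MINOR.PATCH-BUILD, e.g.
"15.0.5-016"; the product keys "esa" and "sma" are this script's own names.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Fixed builds per product and release train, transcribed from the advisory
# summary above. Trains older than the first entry have no fix of their own and
# are directed to the first entry's build (e.g. ESA 14.2 and earlier -> 15.0.5-016).
FIXED_RELEASES = {
    "esa": [  # Cisco Secure Email Gateway
        ((15, 0), (15, 0, 5, 16)),
        ((15, 5), (15, 5, 4, 12)),
        ((16, 0), (16, 0, 4, 16)),
    ],
    "sma": [  # Cisco Secure Email and Web Manager
        ((15, 0), (15, 0, 2, 7)),
        ((15, 5), (15, 5, 4, 7)),
        ((16, 0), (16, 0, 4, 10)),
    ],
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> Version:
    """Turn '15.0.5-016' into (15, 0, 5, 16). The build is compared as an
    integer so that '016' sorts below '100' instead of above it as a string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version string: {text!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch, build)


def fixed_release_for(product: str, version: Version) -> Optional[Version]:
    """Return the fixed build that applies to this version's train, or None
    if the train is newer than anything in the advisory table."""
    table = FIXED_RELEASES[product]
    train = version[:2]
    for listed_train, fixed in table:
        if train == listed_train:
            return fixed
    if train < table[0][0]:
        return table[0][1]  # older train: migrate to the first fixed release
    return None


def is_vulnerable_version(product: str, version_text: str) -> Optional[bool]:
    """True if the build predates the fix for its train, False if it is at or
    above the fixed build, None if the advisory table does not cover it."""
    version = parse_version(version_text)
    fixed = fixed_release_for(product, version)
    if fixed is None:
        return None
    return version < fixed


def assess(product: str, version_text: str,
           spam_quarantine_enabled: bool,
           quarantine_internet_reachable: bool) -> str:
    """Combine the three exploitation preconditions into one verdict."""
    vuln = is_vulnerable_version(product, version_text)
    if vuln is None:
        return "unknown: version not covered by the advisory table"
    if not vuln:
        return "not vulnerable: running a fixed release"
    if spam_quarantine_enabled and quarantine_internet_reachable:
        return "exposed: vulnerable build with internet-reachable Spam Quarantine"
    if spam_quarantine_enabled:
        return "vulnerable build; Spam Quarantine enabled but not internet-reachable"
    return "vulnerable build; Spam Quarantine disabled, patch anyway"


if __name__ == "__main__":
    # Constructed sample inventory, not real appliances.
    inventory = [
        ("esa", "14.2.1-020", True, True),
        ("esa", "15.0.5-016", True, True),
        ("sma", "16.0.4-009", True, False),
        ("sma", "17.0.0-001", False, False),
    ]
    for product, ver, sq_enabled, sq_internet in inventory:
        print(f"{product} {ver}: {assess(product, ver, sq_enabled, sq_internet)}")
```

Note that a "not vulnerable" verdict only says the build is at or above the fixed release; it does not tell you whether the appliance was compromised before patching, so appliances that were internet-exposed with Spam Quarantine enabled still warrant a review of web logs and a search for the AquaShell, AquaPurge and tunneling artifacts described above.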