Cisco Talos is tracking an active campaign exploiting a zero-day vulnerability in Cisco AsyncOS Software, the operating system of Cisco Secure Email Gateway (formerly Email Security Appliance, ESA) and Secure Email and Web Manager (formerly Content Security Management Appliance, SMA).
The attack, observed since late November 2025 and publicly disclosed on December 10, lets attackers run system-level commands on the appliance and plant a persistent Python backdoor dubbed "AquaShell."
Talos attributes the operation with moderate confidence to UAT-9686, a Chinese-nexus advanced persistent threat (APT) actor. Overlaps in tactics, techniques, and procedures (TTPs), tooling, and infrastructure link UAT-9686 to groups such as APT41 and UNC5174.
Notably, the custom web implant AquaShell mirrors techniques that sophisticated Chinese APTs have adopted for stealthy persistence.
Exploitation requires an appliance in a non-default configuration, as detailed in Cisco's advisory; the implant path under euq_webui belongs to the end-user (spam) quarantine web interface, so appliances that expose that interface are the ones at risk. Attackers write AquaShell into "/data/web/euq_webui/htdocs/index.py" as an encoded blob. The lightweight backdoor passively waits for unauthenticated HTTP POST requests, decodes the payload with a custom algorithm layered on Base64, and executes the result as shell commands.
Once in, the actor drops supplementary tools: AquaTunnel, a Go ELF binary forked from the open-source ReverseSSH project, establishes reverse SSH tunnels for remote access through firewalls; Chisel, an open-source tunneler, proxies TCP/UDP traffic over HTTP for internal pivoting; and AquaPurge removes log lines that match attacker-chosen keywords using egrep. Defenders reading appliance logs should keep that last tool in mind: a conspicuous absence of entries around the time of compromise is itself a signal.
The Secure Email and Web Manager centralizes management of the ESA and Web Security Appliance (WSA), including quarantine, policies, and reporting, so compromising it gives an attacker a foothold from which email gateway operations can be disrupted.
Cisco urges customers to review the advisory for indicators of compromise (IOCs) and remediation.
| Indicator | Type | Value | Description |
|---|---|---|---|
| AquaTunnel | SHA256 Hash | 2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef | GoLang ELF reverse SSH tunnel for remote access. |
| AquaPurge | SHA256 Hash | 145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca | Log-clearing utility using egrep to remove keywords. |
| Chisel | SHA256 Hash | 85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc | Open-source tunneling tool for TCP/UDP proxying over HTTP. |
| Attacker IP | IP Address | 172.233.67[.]176 | Command-and-control infrastructure. |
| Attacker IP | IP Address | 172.237.29[.]147 | Command-and-control infrastructure. |
| Attacker IP | IP Address | 38.54.56[.]95 | Command-and-control infrastructure. |
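The following Python script is an added triage example written for this page, not Talos's detection logic or Cisco's own tooling. It works offline on exported appliance files and logs: it flags an index.py-style handler that combines a long Base64 blob with a decode-and-execute pattern (a heuristic assumed from the AquaShell description above), matches file SHA256 digests against the IOC table, and reports log lines that mention a listed C2 address. The sample handler source and log lines at the bottom are constructed for the demonstration and are not real campaign artifacts; the heuristic thresholds and function names are the author's assumptions.

```python
"""Offline triage helpers for the AsyncOS/AquaShell indicators on this page.

Assumption: an encoded blob plus a shell-execution call in the quarantine web
handler is worth a human look. This is a heuristic, not a signature for the
real implant, whose custom decoder is not public.
"""
import base64
import hashlib
import re
from pathlib import Path

# Indicators copied from the IOC table (defanging brackets removed).
IOC_SHA256 = {
    "2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef": "AquaTunnel",
    "145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca": "AquaPurge",
    "85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc": "Chisel",
}
IOC_IPS = {"172.233.67.176", "172.237.29.147", "38.54.56.95"}
IMPLANT_PATH = "/data/web/euq_webui/htdocs/index.py"

# Heuristic patterns (assumed thresholds): a base64 run of 200+ chars and a
# call that hands attacker data to a shell or to the Python interpreter.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
EXEC_CALL = re.compile(
    r"\b(?:exec|eval|os\.system|os\.popen|"
    r"subprocess\.(?:Popen|run|call|check_output))\s*\("
)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_handler_source(text: str) -> dict:
    """Flag handler source that carries a valid base64 blob and executes commands."""
    blob_lengths = []
    for m in B64_RUN.finditer(text):
        try:
            base64.b64decode(m.group(0), validate=True)  # drop runs that are not real base64
            blob_lengths.append(len(m.group(0)))
        except ValueError:
            pass
    exec_calls = sorted({m.group(0).rstrip("( ") for m in EXEC_CALL.finditer(text)})
    return {
        "blob_lengths": blob_lengths,
        "exec_calls": exec_calls,
        "suspicious": bool(blob_lengths) and bool(exec_calls),
    }


def sha256_file(path) -> str:
    """Stream a file through SHA256 so large ELF binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hash(digest: str):
    """Return the tool name from the IOC table for a SHA256 hex digest, else None."""
    return IOC_SHA256.get(digest.lower())


def find_c2_hits(log_lines):
    """Return (line_number, ip) pairs for log lines mentioning a listed C2 address."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ip in IPV4.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip))
    return hits


# Constructed sample inputs for the demonstration (not real campaign artifacts).
_BLOB = base64.b64encode(b"\x00" * 160).decode()  # 216-char valid base64 run
SAMPLE_IMPLANT = f"""
import base64, subprocess
def handle_post(body):
    cmd = custom_decode(base64.b64decode("{_BLOB}"), body)
    return subprocess.check_output(cmd, shell=True)
"""
SAMPLE_CLEAN = """
def handle_post(body):
    return render_quarantine(body)
"""
SAMPLE_LOG = [
    "Dec 01 02:14:55 esa01 sshd[4412]: Accepted publickey for admin from 10.0.0.5",
    "Dec 01 02:15:03 esa01 euq_webui: POST /index.py from 172.237.29.147",
    "Dec 01 02:15:04 esa01 euq_webui: GET /login from 10.0.0.7",
]

if __name__ == "__main__":
    import sys
    # Usage: python triage.py <exported appliance root>; hashes every file and
    # scans the quarantine handler if present. Hypothetical invocation.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    if root:
        for p in root.rglob("*"):
            if p.is_file() and (name := match_hash(sha256_file(p))):
                print(f"IOC hash match: {p} -> {name}")
        handler = root / IMPLANT_PATH.lstrip("/")
        if handler.is_file():
            print("handler scan:", scan_handler_source(handler.read_text(errors="replace")))
    print("sample implant:", scan_handler_source(SAMPLE_IMPLANT))
    print("sample log C2 hits:", find_c2_hits(SAMPLE_LOG))
```

The hash and IP checks are exact and can be trusted as far as the IOC table goes; the source-scan heuristic will also fire on legitimate code that embeds large Base64 resources next to a subprocess call, so treat its output as a prompt for manual review of index.py rather than a verdict, and compare the file against a known-good copy from the same AsyncOS release.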
This campaign underscores the growing APT focus on email security appliances at the network edge.
