Cisco Patches Zero-Day RCE Exploited by China-Linked APT in Secure Email Gateways - The Hacker News

Source: The Hacker News · Archived Mar 17, 2026



Ravie Lakshmanan · Jan 16, 2026 · Vulnerability / Web Security

Cisco on Thursday released security updates for a maximum-severity security flaw impacting Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, nearly a month after the company disclosed that it had been exploited as a zero-day by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686.

The vulnerability, tracked as CVE-2025-20393 (CVSS score: 10.0), is a remote command execution flaw arising as a result of insufficient validation of HTTP requests by the Spam Quarantine feature. Successful exploitation of the defect could permit an attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.

However, for the attack to work, three conditions must be met:

- The appliance is running a vulnerable release of Cisco AsyncOS Software
- The appliance is configured with the Spam Quarantine feature
- The Spam Quarantine feature is exposed to and reachable from the internet

Last month, the networking equipment major revealed that it found evidence of UAT-9686 exploiting the vulnerability as early as late November 2025 to drop tunneling tools like ReverseSSH (aka AquaTunnel) and Chisel, and a log cleaning utility called AquaPurge. The attacks are also characterized by the deployment of a lightweight Python backdoor dubbed AquaShell that's capable of receiving encoded commands and executing them.
The vulnerability has now been addressed in the following versions, in addition to removing the persistence mechanisms that were identified in this attack campaign and installed on the appliances:

Cisco Email Security Gateway

- Cisco AsyncOS Software Release 14.2 and earlier (Fixed in 15.0.5-016)
- Cisco AsyncOS Software Release 15.0 (Fixed in 15.0.5-016)
- Cisco AsyncOS Software Release 15.5 (Fixed in 15.5.4-012)
- Cisco AsyncOS Software Release 16.0 (Fixed in 16.0.4-016)

Secure Email and Web Manager

- Cisco AsyncOS Software Release 15.0 and earlier (Fixed in 15.0.2-007)
- Cisco AsyncOS Software Release 15.5 (Fixed in 15.5.4-007)
- Cisco AsyncOS Software Release 16.0 (Fixed in 16.0.4-010)

Additionally, Cisco is urging customers to follow hardening guidelines: prevent access from unsecured networks, secure the appliances behind a firewall, monitor web log traffic for any unexpected traffic to/from appliances, disable HTTP for the main administrator portal, disable any network services that are not required, enforce a strong form of end-user authentication to the appliances (e.g., SAML or LDAP), and change the default administrator password to a more secure variant.
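The two things a defender needs from this article are the fixed-version table and the three preconditions for exploitation. The following added example (not Cisco's or The Hacker News' code) encodes both: it parses an AsyncOS version string, decides whether it is at or above the fixed build for its release train, and combines that with the Spam Quarantine enablement and exposure conditions to say whether a given appliance is actually exploitable. The `major.minor.patch-build` version format, the product keys and the "unknown_train" outcome for trains the advisory table does not cover are my assumptions.

```python
"""Patch-status and exposure check for CVE-2025-20393 on Cisco AsyncOS.

Added example, not code from the article or from Cisco. The fixed builds
are the ones the article lists; the version string format is assumed.
"""
import re
from typing import Optional, Tuple

# Fixed builds from the article, keyed by product and then by release train
# (major, minor). "14.2 and earlier" / "15.0 and earlier" have no fixed build
# on their own train; they must move to the oldest fixed train listed.
FIXED_BUILDS = {
    "secure_email_gateway": {
        (15, 0): "15.0.5-016",
        (15, 5): "15.5.4-012",
        (16, 0): "16.0.4-016",
    },
    "secure_email_and_web_manager": {
        (15, 0): "15.0.2-007",
        (15, 5): "15.5.4-007",
        (16, 0): "16.0.4-010",
    },
}

# Assumed format: major.minor.patch-build, e.g. "15.0.5-016".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Turn '15.0.5-016' into (15, 0, 5, 16) so tuples compare numerically."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version string: {s!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def upgrade_target(product: str, version: str) -> Optional[str]:
    """Fixed build the appliance must reach, or None if the train is not in the table."""
    table = FIXED_BUILDS[product]
    train = parse_version(version)[:2]
    if train in table:
        return table[train]
    if train < min(table):
        # Older train with no fix of its own: upgrade to the oldest fixed train.
        return table[min(table)]
    return None


def patch_status(product: str, version: str) -> str:
    """'patched', 'vulnerable', or 'unknown_train' for trains the advisory does not list."""
    target = upgrade_target(product, version)
    if target is None:
        return "unknown_train"
    v = parse_version(version)
    if v[:2] != parse_version(target)[:2]:
        return "vulnerable"  # older train, no fixed build on it at all
    return "patched" if v >= parse_version(target) else "vulnerable"


def assess(product: str, version: str,
           spam_quarantine_enabled: bool,
           quarantine_internet_reachable: bool) -> dict:
    """Combine patch status with the article's three exploitation preconditions."""
    status = patch_status(product, version)
    exposed = spam_quarantine_enabled and quarantine_internet_reachable
    return {
        "status": status,
        "upgrade_target": upgrade_target(product, version),
        "exposed": exposed,
        # All three conditions must hold for the attack to work.
        "exploitable": status == "vulnerable" and exposed,
    }


if __name__ == "__main__":
    # Constructed sample inventory: (product, version, quarantine on, reachable)
    for row in [
        ("secure_email_gateway", "15.0.4-200", True, True),
        ("secure_email_gateway", "14.2.0-001", True, False),
        ("secure_email_and_web_manager", "16.0.4-010", True, True),
    ]:
        print(row[1], assess(*row))
```

Versions below the lowest listed train are treated as vulnerable and pointed at the oldest fixed build, matching the "and earlier" rows in the article; a train newer than 16.0 is reported as "unknown_train" rather than guessed, since the article says nothing about it. Note that "exposed" is false when either precondition is missing, which is exactly why the hardening advice to keep the quarantine off the internet reduces risk even before patching.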