A critical zero-day vulnerability in Cisco’s secure email appliances is under active siege by a sophisticated Chinese hacking group, granting them total control over sensitive network gateways. The campaign, uncovered by Cisco Talos, leverages a flaw with a maximum CVSS score of 10, allowing attackers to bypass authentication and execute commands as root.
The vulnerability, tracked as CVE-2025-20393, affects the Cisco Secure Email Gateway (ESA) and Secure Email and Web Manager (SMA) running Cisco AsyncOS software. While the flaw requires a specific non-default configuration to exploit, the consequences for affected organizations are catastrophic.
The attack vector hinges on a specific configuration choice: the Spam Quarantine feature. It is disabled by default, but if it is enabled and its port is exposed to the open internet, it becomes a direct entry point for the attackers.
“This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance,” the advisory states.
Once inside, the adversary doesn’t just run commands; they plant a persistent, custom-built backdoor designed to blend in with the appliance’s own web server.
Cisco Talos has attributed this campaign with “moderate confidence” to a Chinese-nexus threat actor tracked as UAT-9686. The group’s tradecraft shows distinct overlaps with notorious APTs like APT41 and UNC5174.
The group deploys a specialized suite of tools tailored for these appliances, dubbed the “Aqua” series:
- AquaShell: The crown jewel of the campaign. This lightweight Python backdoor is surgically embedded into the appliance’s existing web server files (/data/web/euq_webui/htdocs/index.py). It passively listens for specially crafted HTTP POST requests, decoding and executing commands without leaving a typical log footprint.
- AquaPurge: A “cleanup crew” script that scrubs system logs. It uses egrep in invert-match mode to rewrite log files, effectively deleting any lines containing specific keywords related to the attacker’s activity while leaving the rest of the file intact.
- AquaTunnel: A compiled Go binary based on the open-source “ReverseSSH” tool. This creates a reverse connection back to the attacker, ensuring they can bypass firewalls and maintain access even if the initial vulnerability is patched.
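The AquaShell and AquaPurge descriptions above point at two defensive checks an incident responder would run on a suspect appliance: verify that the web UI files have not been altered, and compare the on-box logs with a copy that was forwarded off-box before any scrubbing could reach it. The following Python triage helper is an added example, not code from the Talos report or from Cisco. The web root path `/data/web/euq_webui/htdocs/index.py` comes from the report; the baseline hashes, the temporary web root and the log lines are constructed for the demo, and the assumption is that the appliance already ships its logs to a remote syslog collector.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path

# Path named in the Talos report as the file AquaShell is embedded into.
WEBUI_INDEX = "euq_webui/htdocs/index.py"


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by POSIX path relative to root."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_bytes(path.read_bytes())
    return manifest


def compare_manifests(baseline: dict, current: dict):
    """Return (modified, added, missing) relative paths, each list sorted.

    baseline: manifest taken from a known-good appliance image.
    current:  manifest taken from the suspect appliance.
    """
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    missing = sorted(k for k in baseline if k not in current)
    return modified, added, missing


def missing_log_lines(forwarded: list, local: list) -> list:
    """Lines present in the off-box (forwarded) copy but absent from the local file.

    Counts are compared per line so repeated identical entries are handled:
    a line forwarded twice but present once locally is reported once.
    """
    remaining = Counter(local)
    gaps = []
    for line in forwarded:
        if remaining[line] > 0:
            remaining[line] -= 1
        else:
            gaps.append(line)
    return gaps


# Constructed sample: the collector's copy versus the on-box file after a
# keyword-based scrub removed every line mentioning the quarantine UI.
FORWARDED_LOG = [
    "Mon Jan  1 10:00:01 2025 Info: New SMTP ICID 1001 interface Data1",
    "Mon Jan  1 10:00:07 2025 Info: EUQ login for user admin from 203.0.113.5",
    "Mon Jan  1 10:00:07 2025 Info: EUQ login for user admin from 203.0.113.5",
    "Mon Jan  1 10:00:12 2025 Info: Message 42 quarantined",
]
LOCAL_LOG = [FORWARDED_LOG[0], FORWARDED_LOG[3]]


def demo_webroot_check() -> list:
    """Build a constructed web root, tamper with index.py, and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        index = root / WEBUI_INDEX
        index.parent.mkdir(parents=True)
        index.write_text("# known-good handler\n")
        baseline = build_manifest(root)  # would normally come from a clean image
        index.write_text("# known-good handler\n# unexpected extra code appended\n")
        modified, _added, _missing = compare_manifests(baseline, build_manifest(root))
        return modified


if __name__ == "__main__":
    print("modified web files:", demo_webroot_check())
    for line in missing_log_lines(FORWARDED_LOG, LOCAL_LOG):
        print("scrubbed locally:", line)
```

In practice the baseline manifest is taken from a freshly installed appliance of the same AsyncOS version, and the forwarded log comes from the syslog collector rather than from the appliance itself; any file that shows up as modified or added under the web root, or any line that exists only on the collector, is a finding to escalate before the rebuild the advisory recommends.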
The persistence mechanism used by UAT-9686 is so deeply embedded that standard remediation is insufficient. Cisco’s advice for confirmed compromises is stark: Rebuild.
“In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actor’s persistence mechanism from the appliance.”
Administrators are urged to immediately audit their configurations. If the Spam Quarantine feature is enabled (Network > IP Interfaces), ensure it is firewall-protected and strictly isolated from the public internet. With a CVSS 10 vulnerability in play, the margin for error is zero.