Top Highlights
-
Critical Vulnerability: Cisco’s email security appliances are being exploited via a zero-day vulnerability (CVE-2025-20393) linked to the Chinese APT group UAT-9686, rated critical with a severity of 10/10, and it remains unpatched.
-
Exploit and Malware Deployment: The UAT-9686 group has been using this vulnerability since late November to execute commands and install various malware, including a Python backdoor named AquaShell.
-
Brute Force Attacks: Concurrently, a large-scale automated attack targeted both Palo Alto and Cisco VPNs, resulting in over 1.7 million authentication events, primarily against U.S. and Mexican organizations.
-
Recommendations for Organizations: Security experts advise regular audits of edge devices, use of strong passwords, and MFA to mitigate these attacks, though operational complexities often hinder implementation.
Critical Cisco Zero-Day Exploited by China
Cisco security products face significant challenges this month due to two distinct threat campaigns. First, Cisco reported that a new China-linked advanced persistent threat (APT) group, known as UAT-9686, exploits a zero-day vulnerability in Cisco email security appliances. This vulnerability, tracked as CVE-2025-20393, received a severe rating of 10 out of 10 on the Common Vulnerability Scoring System (CVSS). Currently, it remains unpatched.
The affected appliances run on AsyncOS, Cisco’s operating system designed to combat spam and malware. When configured with the Spam Quarantine feature, a connection to the Internet creates vulnerabilities. Attackers can exploit this setup to gain root privileges and execute commands, potentially impacting connected systems. Since November, security researchers identified that UAT-9686 has been dropping various malware, including a lightweight backdoor known as AquaShell. Cisco has advised customers on how to disable the Spam Quarantine feature temporarily until a permanent fix is available.
Wave of Attacks Against Cisco, Palo Alto VPNs
Shortly after the discovery of UAT-9686, another attack wave emerged. This time, more than 10,000 unique IP addresses targeted Palo Alto GlobalProtect VPNs with brute-force attacks. Within just 16 hours, attackers generated over 1.7 million authentication attempts, primarily aimed at organizations in the United States, Mexico, and Pakistan.
Following this initial surge, the same campaign shifted focus to Cisco VPNs. GreyNoise, a cybersecurity research firm, noted a remarkable sixfold increase in attacks against Cisco endpoints in one day. These attacks targeted systems using weak or compromised credentials, exploiting standard SSL VPN login processes. Experts indicate that such rapid campaigns are often used for quick reconnaissance of vulnerable systems. They point out that organizations must conduct thorough audits of their security measures and enforce strong password protocols and multifactor authentication (MFA) to protect against future threats. However, operational complexities often hinder the execution of these essential security measures.
Continue Your Tech Journey
Stay informed on the revolutionary breakthroughs in Quantum Computing research.
Discover archived knowledge and digital history on the Internet Archive.
CyberRisk-V1
