Active Exploitation of Cisco AsyncOS Zero-Day CVE-2025-20393
BLUF
An unpatched critical flaw in Cisco Email Security Appliances is being actively exploited to gain root-level access and establish persistence.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations with affected Cisco Email Security Appliances, a confirmed or suspected compromise linked to this activity is likely to result in:
Low-end total cost: $1M – $1.5M
(Rapid detection, limited exposure, no regulatory escalation)
Typical expected range: $2M – $3.5M
Upper-bound realistic scenarios: $4.5M – $6M
(Extended dwell time, compliance impact, insurance friction)
Key cost driver:
This is not a commodity malware cleanup. Root-level access to email infrastructure shifts incidents from “IT issue” to enterprise risk event, with costs driven more by assurance, rebuild, and trust restoration than by technical remediation alone.
Targeted Sectors
Undisclosed, but targets are limited to specific appliances with certain ports open to the internet.
Countries
· Global
Date of first reported activity
· December 10, 2025.
Date of last reported activity update
· December 18, 2025
APT Names
· UAT-9686 (Cisco tracking name)
Associated Criminal Organization Names
· Not applicable
IOCs
Evidence of a persistence mechanism being planted by the actors. Specific IPs/domains have not been publicly listed in the available reporting.
Tools Used in Campaign: Undisclosed.
CVE-2025-20393
CVSS v3.1
· 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Nessus ID
· There is no Tenable plugin ID at this time
Is this on the KEV list?
· Yes
CISA patch by date
· December 24, 2025
Patching/Mitigation Data
· There is no patch for CVE-2025-20393 at this time; Cisco is working on a fix.
Mitigation
· Organizations should restrict internet exposure of affected appliances
· Block internet access to vulnerable ports
· Restrict access to trusted hosts
Cisco Recommendations
· If an appliance has been identified as having the web management interface or the Spam Quarantine port exposed to and reachable from the internet, Cisco strongly recommends following a multi-step process to restore the appliance to a secure configuration, when possible. For additional information, see Useful Resources at the end of this section.
· If restoring the appliance is not possible, Cisco recommends contacting TAC to check whether the appliance has been compromised. If compromise is confirmed, rebuilding the appliance is currently the only viable option to eradicate the threat actor's persistence mechanism.
· In addition, Cisco strongly recommends restricting access to the appliance and implementing robust access control mechanisms to ensure that ports are not exposed to unsecured networks.
URL to patch information
· There is no patch at this time; the Cisco advisory is:
hxxps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
Malware Names
· AquaShell
· AquaTunnel
· Chisel
· AquaPurge
Malware Samples
AquaShell
sha256
· 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
URL to sample
· hxxps://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
AquaTunnel
sha256
· 72f1ba6309c98cd52ffc99dd15c45698dfca2d6ce1ef0bf262433b5dfff084be
URL to sample
· hxxps://www.virustotal.com/gui/file/72f1ba6309c98cd52ffc99dd15c45698dfca2d6ce1ef0bf262433b5dfff084be
Chisel
sha256
· e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
URL to sample
· hxxps://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
AquaPurge
sha256
· a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
URL to sample
· hxxps://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
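Added example (not from the brief or from Cisco): a Python matcher for the four sample hashes listed above. It vets the indicator set before use, because the value listed for Chisel is the SHA-256 of zero-length input, which every empty file also produces; the file paths and contents below are constructed.

```python
import hashlib
import io
from typing import BinaryIO, Dict, Set, Tuple

# SHA-256 sample hashes exactly as listed in this brief.
BRIEF_IOCS: Dict[str, str] = {
    "47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca": "AquaShell",
    "72f1ba6309c98cd52ffc99dd15c45698dfca2d6ce1ef0bf262433b5dfff084be": "AquaTunnel",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": "Chisel",
    "a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91": "AquaPurge",
}
# SHA-256 of zero-length input. Every empty file (lock files, truncated logs) hashes
# to this value, so it cannot identify a specific binary and only produces noise.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

def sha256_stream(stream: BinaryIO, chunk_size: int = 1 << 16) -> str:
    """Hash a binary stream in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        digest.update(block)
    return digest.hexdigest()

def sha256_bytes(data: bytes) -> str:
    return sha256_stream(io.BytesIO(data))

def vet_iocs(iocs: Dict[str, str]) -> Tuple[Dict[str, str], Set[str]]:
    """Split an indicator set into usable hashes and ones that would only generate noise."""
    usable = {h.lower(): name for h, name in iocs.items() if h.lower() != EMPTY_SHA256}
    excluded = {h.lower() for h in iocs} - set(usable)
    return usable, excluded

def match_iocs(samples: Dict[str, bytes], iocs: Dict[str, str], vet: bool = True) -> Dict[str, str]:
    """Return {path: malware_name} for each sample whose SHA-256 is in the indicator set."""
    lookup = vet_iocs(iocs)[0] if vet else {h.lower(): n for h, n in iocs.items()}
    hits = {}
    for path, data in samples.items():
        digest = sha256_bytes(data)
        if digest in lookup:
            hits[path] = lookup[digest]
    return hits

# Constructed sample contents (not real malware): an empty placeholder and a text note.
SAMPLES = {"/tmp/placeholder.lock": b"", "/tmp/notes.txt": b"nothing to see here\n"}

if __name__ == "__main__":
    print("excluded:", sorted(vet_iocs(BRIEF_IOCS)[1]))
    print("unvetted:", match_iocs(SAMPLES, BRIEF_IOCS, vet=False))  # empty file "matches" Chisel
    print("vetted:", match_iocs(SAMPLES, BRIEF_IOCS))
```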
TTPs
TA0001 - Initial Access:
· T1190 - Exploit Public-Facing Application: Attackers exploit the unpatched CVE-2025-20393 vulnerability via the internet-exposed Spam Quarantine feature interface to gain initial access.
TA0004 - Privilege Escalation & TA0003 - Persistence:
· T1059.004 - Command and Scripting Interpreter: Python: Attackers deploy custom backdoors, such as the Python-based AquaShell, which listens for unauthenticated HTTP POST requests to execute commands with root privileges.
· T1543.003 - Create or Modify System Process: New Service: The deployed backdoors are designed to maintain long-term persistence on the compromised systems, surviving reboots and administrative actions.
TA0011 - Command and Control:
· T1071.001 - Application Layer Protocol: Web Protocols: The AquaShell backdoor uses HTTP POST requests for communication.
· T1090.003 - Proxy: Reverse SSH Tunneling: Attackers use tools like AquaTunnel (reverse SSH) and Chisel (HTTP-based tunneling) to establish connections to their controlled infrastructure and pivot into the internal network.
TA0007 - Discovery & TA0006 - Credential Access:
· T1087 - Account Discovery: The attackers' access allows for potential full system takeover, which includes unauthorized access to email and web management systems, and potential data theft or manipulation.
TA0005 - Defense Evasion:
· T1070.004 - Indicator Removal on Host: File Deletion: A log-cleaning utility named AquaPurge is used to selectively remove log entries to complicate forensic analysis and detection efforts.
TA0010 - Exfiltration
Suggested Rules / potential hunts
Suricata
Network Detection
Exploitation Attempt Detection
Monitor for unusual POST requests to the Spam Quarantine management ports (typically 443 or 8443) containing shell command meta-characters (e.g., ;, &, |, `) or directory traversal patterns.
Post-Exploitation Tunneling
· Detect Chisel or AquaTunnel (ReverseSSH) traffic patterns. Look for SSH-like handshakes on non-standard ports or HTTP-encapsulated tunnels.
# Requires $Cisco_Email_Gateway in suricata.yaml vars.address-groups; "$" is escaped in the pcre so it matches literally instead of acting as an end anchor, and /U inspects the normalized URI.
alert tcp any any -> $Cisco_Email_Gateway any (msg:"ET EXPLOIT Cisco AsyncOS CVE-2025-20393 Potential RCE Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/quarantine/"; http_uri; pcre:"/(\||;|&|`|\$|\.\.\/)/U"; classtype:web-application-attack; sid:1000001; rev:1;)
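As an added example (not part of the brief), the same detection logic as the Suricata rule above, run in Python over constructed access-log lines. The log layout, ports and addresses are assumptions; the percent-decoding step matters because the rule's /U modifier matches the normalized URI, whereas raw logs usually still carry %3B and similar encodings.

```python
import re
from urllib.parse import unquote, urlsplit

QUARANTINE_PORTS = {443, 8443}  # Spam Quarantine portal ports named in the brief
# Meta-characters named in the brief plus "../"; "$" also appears in legitimate queries, so tune it.
META_RE = re.compile(r"[;&|`$]|\.\./")
# Constructed access-log layout: <src_ip> <dst_port> "<method> <target> HTTP/x" <status>
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<dport>\d+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$')

def normalize(target: str) -> str:
    """Percent-decode repeatedly (bounded) so %3B or double-encoded %253B cannot hide a ';'."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def is_suspicious(line: str):
    """True: POST to the quarantine interface carrying meta-characters.
    False: parseable but benign. None: line does not match the log layout."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    if m["method"] != "POST" or int(m["dport"]) not in QUARANTINE_PORTS:
        return False
    target = normalize(m["target"])
    if "/quarantine/" not in urlsplit(target).path:
        return False
    return META_RE.search(target) is not None

def triage(lines: list) -> list:
    """Return (src_ip, raw_target) for every line that trips the detection."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious(line):
            hits.append((m["src"], m["target"]))
    return hits

# Constructed log lines using RFC 5737 documentation addresses; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 8443 "POST /quarantine/login HTTP/1.1" 200',          # benign portal use
    '203.0.113.7 8443 "POST /quarantine/login?q=x%3Bx HTTP/1.1" 500',  # %3B decodes to ';'
    '198.51.100.4 443 "GET /quarantine/search?q=a|b HTTP/1.1" 200',    # GET, not POST
    '198.51.100.4 443 "POST /admin/x|y HTTP/1.1" 404',                 # not the quarantine path
    '192.0.2.9 8443 "POST /quarantine/../../x HTTP/1.1" 404',          # traversal fragment
]
```

Calling triage(SAMPLE_LOG) flags only the second and fifth lines, one for the decoded ';' and one for the traversal fragment.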
SentinelOne
Process Hunting
· Search for unauthorized processes running with root privileges, particularly those related to web services spawning shells (e.g., sh, bash, python). Parentheses make the intended precedence explicit: a known tool name, or a "reverse" command line spawned by the web server.
Query: ProcessName In ( "chisel", "aquatunnel", "aquapurge" ) OR ( CommandLine Contains "reverse" AND ProcessParentName Contains "httpd" )
File Persistence
· Look for the creation of persistence mechanisms or log-purging utilities like AquaPurge.
Query: IndicatorID = "145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca" OR IndicatorID = "2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef"
Splunk
Identify Root Command Execution
· Search for log entries indicating root-level command execution from unusual sources. The sourcetype below assumes the Splunk Add-on for Cisco ESA naming (cisco:esa:*); cisco:asa is the firewall sourcetype and would return nothing for these appliances. Field names depend on your extractions.
index=cisco_logs sourcetype="cisco:esa:*" (user="root" OR cmd="sudo*") | stats count by user, src_ip, cmd
Log Integrity Monitoring
· Detect gaps in logs or the execution of log-clearing commands which may indicate the use of AquaPurge. The search below reports every host whose consecutive events are more than an hour apart (events arrive newest first, so prev_time is the later event).
index=cisco_logs | streamstats current=f last(_time) as prev_time by host | eval gap_seconds=prev_time-_time | where gap_seconds > 3600 | table host, _time, prev_time, gap_seconds
External Access to Quarantine
· Audit all external IP addresses accessing the Spam Quarantine portal. Replace "Authorized_Country" with the country your users are expected to connect from.
index=cisco_logs (dest_port=443 OR dest_port=8443) url="*/quarantine/*" | iplocation src_ip | where Country != "Authorized_Country"
Delivery Method
· Exploitation of the unpatched CVE in internet-exposed appliances.
Email Samples
· Not applicable; the attack targets the appliance management interface
References
NVD
hxxps://nvd.nist.gov/vuln/detail/CVE-2025-20393
Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances
hxxps://thehackernews.com/2025/12/cisco-warns-of-active-attacks
SEC CloudApps Cisco
hxxps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
VirusTotal
· hxxps://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
· hxxps://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca
· hxxps://www.virustotal.com/gui/file/72f1ba6309c98cd52ffc99dd15c45698dfca2d6ce1ef0bf262433b5dfff084be
· hxxps://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91