Cisco Secure Email Appliance RCE Exploited in Attacks

Cisco says attackers are actively exploiting CVE-2025-20393, a critical RCE flaw in Secure Email appliances.

Written by Ken Underhill
Jan 20, 2026

Cisco has confirmed active exploitation of a remote code execution (RCE) vulnerability impacting its Secure Email Gateway and Secure Email and Web Manager appliances.

Cisco has released fixed software for the vulnerability, and organizations running affected appliances should upgrade without delay.

The attack “allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance,” said Cisco in its advisory.

How the Cisco RCE Works

Tracked as CVE-2025-20393, the flaw stems from insufficient input validation in the Spam Quarantine feature of Cisco AsyncOS Software, the operating system that runs on Secure Email Gateway and Secure Email and Web Manager appliances.

In practical terms, the appliance fails to properly validate attacker-controlled HTTP input sent to the Spam Quarantine interface, so a crafted request can be processed in a way that results in command execution on the underlying operating system.

Cisco assigned it a CVSS score of 10.0, reflecting that the vulnerability is reachable over the network, requires no authentication, and can lead to complete compromise of the affected system.

An attacker exploits the flaw by sending crafted HTTP requests to the Spam Quarantine listener; successful exploitation yields unauthenticated command execution with root privileges.

Root-level access makes this vulnerability especially dangerous, giving attackers full control of the appliance and a foothold for persistence and deeper network access.

Cisco said the risk is highest when the Spam Quarantine is enabled and its web interface is exposed to the internet on TCP port 6025, a configuration Cisco discourages but which remains common.

Cisco became aware of active exploitation on Dec. 10, 2025, with evidence suggesting attacks may have begun as early as November 2025.

Cisco researchers attributed the campaign to UAT-9686 (UNC-9686), a China-nexus threat actor, with moderate confidence based on tooling overlaps with groups such as APT41 and UNC5174. 

Post-exploitation activity appears consistent with espionage-driven objectives.

Attackers deploy a Python-based backdoor called AquaShell to maintain persistent access. They also use tunneling tools such as AquaTunnel and Chisel for internal pivoting. To reduce forensic visibility and slow incident response, they deploy a log-wiping tool dubbed AquaPurge.

The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on Dec. 17, 2025.


Reducing the Attack Surface Area

With active exploitation confirmed, organizations running Cisco Secure Email Gateway or Secure Email and Web Manager should prioritize containment and patching immediately. 

Because these appliances sit in high-trust positions, even a single compromised node can become a launch point for persistence, log tampering, and deeper network access. 

  • Upgrade Cisco Secure Email Gateway and Secure Email and Web Manager to fixed releases immediately.
  • Remove internet access to Spam Quarantine and restrict management access to VPN/jump hosts with strict IP allowlisting.
  • Segment mail and management interfaces and disable unnecessary services (e.g., HTTP/FTP) to reduce attack surface.
  • Enforce strong authentication and least-privilege administration using SAML/LDAP and tightly controlled admin roles.
  • Forward logs externally and monitor for compromise indicators, including persistence mechanisms, tunneling activity, and log tampering.
  • Apply egress filtering and rehearse incident response playbooks for appliance compromise, including isolation, rebuild, and credential rotation.
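The exposure condition Cisco describes (Spam Quarantine reachable from the internet on TCP 6025) and the allowlisting recommendation above can both be checked mechanically against a firewall policy. The following is an added example written for this article, not Cisco code or any firewall's native rule syntax: it takes a constructed, vendor-neutral list of first-match rules, treats the RFC 1918 ranges as the assumed internal space (replace them with your real management subnets), and reports every allow rule that would let a non-internal source reach the quarantine port unless an earlier deny rule fully covers it. Partial overlap with a deny is deliberately reported as exposed, which is the conservative answer when reviewing a perimeter policy.

```python
"""Flag firewall rules that expose the AsyncOS Spam Quarantine listener (TCP 6025).

Illustrative example for this article. The Rule tuple format is a constructed,
vendor-neutral representation, not Cisco's or any firewall's native syntax.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional

# Default Spam Quarantine port named in Cisco's guidance.
SPAM_QUARANTINE_PORT = 6025

# Assumed internal address space (RFC 1918). Replace with the organisation's
# actual management / jump-host subnets for a strict allowlist check.
INTERNAL_PREFIXES = [
    ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: IPv4Network       # source network the rule matches
    dport: Optional[int]   # destination port, None means any port


def is_internal(net: IPv4Network) -> bool:
    """True only if the whole source network sits inside an internal prefix."""
    return any(net.subnet_of(p) for p in INTERNAL_PREFIXES)


def rule_matches_port(rule: Rule, port: int) -> bool:
    return rule.dport is None or rule.dport == port


def exposed_rules(rules: List[Rule], port: int = SPAM_QUARANTINE_PORT) -> List[Rule]:
    """Return allow rules (in evaluation order) that let a non-internal source reach `port`.

    First-match semantics: an allow rule is considered shadowed only when an
    earlier deny rule matches the port and fully contains the allow rule's
    source network. Partial overlap is reported as exposed (conservative).
    """
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        if not rule_matches_port(rule, port) or is_internal(rule.src):
            continue
        shadowed = any(
            earlier.action == "deny"
            and rule_matches_port(earlier, port)
            and rule.src.subnet_of(earlier.src)
            for earlier in rules[:i]
        )
        if not shadowed:
            findings.append(rule)
    return findings


# Constructed sample policy for demonstration; the ranges are documentation
# and private addresses, not real customer networks.
EXAMPLE_RULES = [
    Rule("deny", ip_network("198.51.100.0/24"), None),                # blocked scanner range
    Rule("allow", ip_network("10.20.0.0/16"), SPAM_QUARANTINE_PORT),   # internal users: fine
    Rule("allow", ip_network("203.0.113.0/24"), SPAM_QUARANTINE_PORT), # "partner" range: exposed
    Rule("allow", ip_network("0.0.0.0/0"), 25),                        # SMTP must be public; not 6025
    Rule("allow", ip_network("0.0.0.0/0"), None),                      # catch-all, any port: exposed
]


if __name__ == "__main__":
    for r in exposed_rules(EXAMPLE_RULES):
        port = "any" if r.dport is None else r.dport
        print(f"EXPOSED: allow {r.src} -> tcp/{port} reaches Spam Quarantine from outside")
```

Run against the sample policy, the script reports the 203.0.113.0/24 allow and the catch-all allow; the internal 10.20.0.0/16 rule and the SMTP-only rule are not flagged. Fixing the finding means either deleting the offending allows or placing a deny for tcp/6025 from 0.0.0.0/0 ahead of them, which the shadowing check then recognizes.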

Collectively, these steps help reduce exposure, detect compromise earlier, and limit blast radius if an email gateway is targeted. 


Email Gateways Are High-Value Targets

Cisco’s confirmation of active exploitation is a clear reminder that internet-exposed security appliances are high-value targets and critical points of failure. 

Organizations should treat email gateway compromise as a front-door threat that can quickly lead to persistence, reduced visibility, and deeper network access if not contained.

Patching should come first, but teams should also reduce exposure by removing unnecessary internet access, tightening admin access, and validating logs through external monitoring.

That same need to reduce implicit trust and limit blast radius is why many organizations are adopting zero-trust solutions.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
