UAT-9686 Cisco AsyncOS exploitation and persistence campaign
Campaign
Summary
The UAT-9686 campaign is actively exploiting CVE-2025-20393 on Cisco AsyncOS email appliances, giving attackers root command execution and a foothold for persistence. The activity targets Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances exposed through Spam Quarantine configurations on the Internet. Cisco first spotted the attacks on December 10 and says the operation has been active since at least late November 2025.
Cases
Related Happenings
Cisco Secure Firewall Management Center (FMC) authentication bypass and RCE flaws (multiple vulnerabilities)
Vulnerability
First: 04.03.2026 21:12
Last: 04.03.2026 21:12
Sources 1
About this happening:
**Cisco Secure Firewall Management Center (FMC)** has two **maximum-severity** flaws, **CVE-2026-20079** and **CVE-2026-20131**, that can let **unauthenticated attackers** take ov...
Latest development: 20.03.2026 17:09
CISA ordered Federal Civilian Executive Branch agencies to patch CVE-2026-20131 in Cisco Secure Firewall Management Center (FMC) by Sunday, March 22 after Cisco and Amazon threat intelligence reported active exploitation; Cisco updated its bulletin on March 18 to warn that the vulnerability in the web-based management interface could let an unauthenticated, remote attacker execute arbitrary Java code as root, and CISA added the CVE to its KEV catalog as known to be used in ransomware campaigns.
UAT-10027 U.S. education and healthcare targeting campaign
Campaign
First: 26.02.2026 17:17
Last: 26.02.2026 17:17
Sources 1
About this happening:
**UAT-10027** is running an active **campaign** against **U.S. education and healthcare organizations**, and the activity matters because it delivers a new backdoor and supporting...
UAT-8837 campaign targeting North American critical infrastructure for initial access
Campaign
First: 16.01.2026 09:18
Last: 16.01.2026 09:18
Sources 1
About this happening:
**UAT-8837** is a **China-nexus** campaign targeting **North American critical infrastructure** for **initial access**, with activity reported since **at least 2025**. The actor g...
Cisco AsyncOS Spam Quarantine RCE (CVE-2025-20393)
Vulnerability
First: 16.01.2026 07:38
Last: 16.01.2026 07:38
Sources 1
How related:
Cisco warned customers today of an unpatched, maximum-severity Cisco AsyncOS zero-day actively exploited in attacks targeting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances.
About this happening:
**CVE-2025-20393** is a **maximum-severity** flaw in **Cisco AsyncOS Software** that affects **Cisco Secure Email Gateway** and **Cisco Secure Email and Web Manager** appliances w...
Cisco AsyncOS security update for CVE-2025-20393
Security Patch Release
First: 16.01.2026 07:38
Last: 16.01.2026 07:38
Sources 1
About this happening:
Cisco released **security updates** for **CVE-2025-20393** in **Cisco AsyncOS Software** for **Cisco Secure Email Gateway** and **Cisco Secure Email and Web Manager**, closing a *...
Timeline
- 17.12.2025 20:45 · 2 articles · 5mo ago
Cisco AsyncOS zero-day exploitation warning
Initial Disclosure
Cisco warns that CVE-2025-20393, an unpatched maximum-severity Cisco AsyncOS zero-day, is being actively exploited against Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances with non-standard configurations when Spam Quarantine is enabled and exposed on the Internet; Cisco Talos attributes the activity to UAT-9686, says the actor deploys AquaShell, AquaTunnel, Chisel, and AquaPurge, and advises restricting access, placing appliances behind firewalls, and opening a TAC case if compromise is suspected.
- Cisco warns of unpatched AsyncOS zero-day exploited in attacks — www.bleepingcomputer.com — 17.12.2025 20:45