Cisco AsyncOS 0-Day Vulnerability Exploited in the Wild to run System-level Commands
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
An active campaign exploiting a zero-day vulnerability in Cisco AsyncOS Software, targeting Secure Email Gateway<\/a> (formerly Email Security Appliance, ESA) and Secure Email and Web Manager (formerly Content Security Management Appliance, SMA). <\/p>\n The attack, spotted since late November 2025 and publicly disclosed on December 10, allows attackers to run system-level commands and plant a persistent Python backdoor dubbed \u201cAquaShell.\u201d<\/p>\n Talos attributes the operation with moderate confidence to UAT-9686, a Chinese-nexus<\/a> advanced persistent threat (APT) actor. Overlaps in tactics, techniques, procedures (TTPs), tooling, and infrastructure link UAT-9686 to groups like APT41 and UNC5174.<\/p>\n Notably, the custom web implant AquaShell mirrors techniques adopted by sophisticated Chinese APTs for stealthy persistence.<\/p>\n The intrusion vector hits appliances with non-standard configurations, as detailed in Cisco\u2019s advisory<\/a>. Attackers embed AquaShell into \u201c\/data\/web\/euq_webui\/htdocs\/index.py\u201d via an encoded blob. This lightweight backdoor passively monitors for unauthenticated HTTP POST requests, decodes payloads with a custom algorithm plus Base64, and executes shell commands.<\/p>\n Compromise escalates with supplementary tools: AquaTunnel, a GoLang ELF binary forked from open-source ReverseSSH, establishes reverse SSH tunnels for remote access past firewalls; Chisel, an open-source tunneler, proxies TCP\/UDP traffic over HTTP for internal pivoting; and AquaPurge, which scrubs logs by filtering out keyword-laden lines via egrep.<\/p>\n The Secure Email and Web Manager centralizes oversight of the ESA and Web Security Appliance (WSA), including quarantine, policies, and reporting, making it a prime target for email gateway disruptions.<\/p>\n Cisco urges customers to review the advisory<\/a> for indicators of compromise (IOCs) and remediation.<\/p>\n This campaign underscores rising APT focus on email security edges amid supply chain risks.<\/p>\n AI-Powered ISO 27001, SOC 2, NIST, NIS 2, and GDPR Compliance Checklist => Start for Free<\/a><\/strong><\/p>\n The post Cisco AsyncOS 0-Day Vulnerability Exploited in the Wild to run System-level Commands<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n\n\n
\n \nTool\/Component<\/th>\n Type<\/th>\n Value<\/th>\n Description \u200b<\/th>\n<\/tr>\n<\/thead>\n \n AquaTunnel<\/td>\n SHA256 Hash<\/td>\n 2db8ad6e0f43e93cc557fbda0271a436f9f2a478b1607073d4ee3d20a87ae7ef<\/td>\n GoLang ELF reverse SSH tunnel for remote access.<\/td>\n<\/tr>\n \n AquaPurge<\/td>\n SHA256 Hash<\/td>\n 145424de9f7d5dd73b599328ada03aa6d6cdcee8d5fe0f7cb832297183dbe4ca<\/td>\n Log-clearing utility using egrep to remove keywords.<\/td>\n<\/tr>\n \n Chisel<\/td>\n SHA256 Hash<\/td>\n 85a0b22bd17f7f87566bd335349ef89e24a5a19f899825b4d178ce6240f58bfc<\/td>\n Open-source tunneling tool for TCP\/UDP proxying over HTTP.<\/td>\n<\/tr>\n \n Attacker IP<\/td>\n IP Address<\/td>\n 172.233.67[.]176<\/td>\n Command-and-control infrastructure.<\/td>\n<\/tr>\n \n Attacker IP<\/td>\n IP Address<\/td>\n 172.237.29[.]147<\/td>\n Command-and-control infrastructure.<\/td>\n<\/tr>\n \n Attacker IP<\/td>\n IP Address<\/td>\n 38.54.56[.]95<\/td>\n Command-and-control infrastructure.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n