Cisco has issued an urgent warning after uncovering an active exploitation campaign against its AsyncOS software, used in Cisco Secure Email Gateway and Secure Email and Web Manager appliances. The vulnerability, rated at the highest severity level, is being leveraged by a China-linked advanced persistent threat group tracked as UAT-9686.
The company disclosed that it identified the malicious activity on December 10, 2025, noting that the attacks were focused on a narrow set of internet-exposed appliances configured in a specific way. While Cisco has not disclosed the exact number of impacted customers, it emphasized that the scope appears limited due to the attack’s dependency on non-default settings.
According to Cisco, successful exploitation enables attackers to run arbitrary commands with full root-level access on affected systems. Investigators also discovered that the intruders installed a custom persistence mechanism, allowing continued control even after initial access was gained.
The vulnerability only affects devices that meet two criteria: they must be directly reachable from the public internet and have the spam quarantine feature enabled. Cisco clarified that neither condition is enabled by default, which may explain the relatively small exposure footprint observed so far.
Independent internet scanning services have reported seeing exposed systems, but Cisco declined to confirm those findings when asked to validate the numbers. The company has not yet released a security patch, making the situation particularly challenging for defenders.
In the absence of an update, Cisco is advising affected customers to completely wipe compromised appliances and restore them to a known-good, secure state. This step is currently the only reliable way to eliminate attacker persistence.
Given the role these appliances play—filtering email traffic and safeguarding enterprise communications—a breach could have serious consequences. Threat actors with root access could potentially monitor sensitive correspondence, introduce malware or ransomware, or use the devices as a foothold for deeper network penetration.
Security teams are urged to review Cisco’s advisory immediately, audit configurations for unnecessary internet exposure, and monitor closely for indicators of compromise. Until a patch becomes available, organizations may want to temporarily restrict external access to these systems to reduce risk.
Cisco has not provided an estimated release date for a fix, underscoring the importance of interim defensive measures while the investigation continues.
By - Aaradhay Sharma
