A China-linked advanced persistent threat has been exploiting a previously unknown vulnerability in Cisco email security appliances, while a separate wave of large-scale brute force attacks has targeted virtual private networks from Cisco and Palo Alto Networks, security researchers said.
Cisco said on Wednesday it had identified a threat group it tracks as UAT-9686 that has been abusing a critical zero-day flaw in appliances running its AsyncOS software. The vulnerability, tracked as CVE-2025-20393, carries a maximum severity score of 10 and remains unpatched.
AsyncOS powers Cisco Secure Email Gateway and Secure Email and Web Manager products, which are used to protect organisations from spam and malware and to centrally manage email security systems. The flaw affects systems where the Spam Quarantine feature is enabled and accessible from the internet.
Under those conditions, attackers can bypass normal controls, gain root-level access and run arbitrary commands on the appliance and potentially on connected systems.
Cisco said the activity dates back to at least late November.
According to Cisco Talos, UAT-9686 used the vulnerability to deploy multiple tools after gaining access, including the open-source tunnelling utility Chisel and a custom malware family known as Aqua.
The main backdoor, AquaShell, is a lightweight Python implant that is delivered as encoded data and hidden within existing system files. It is accompanied by tools designed to erase logs and maintain persistent remote access through encrypted connections.
Talos said the group’s infrastructure and techniques overlap with known Chinese cyber espionage actors such as APT41 and UNC5174.
Cisco said it has advised customers to disable internet access to the Spam Quarantine feature as a temporary measure and is working on a permanent fix.
Separately, researchers observed a sharp spike in brute force attacks against VPN services shortly after Cisco detected the email security campaign.
GreyNoise said that within a 16-hour window, more than 10,000 unique IP addresses generated about 1.7 million authentication attempts against Palo Alto Networks GlobalProtect VPNs.
The activity largely targeted organisations in the United States, Mexico and Pakistan.
The following day, similar attacks shifted to Cisco VPN endpoints, with a significant rise in automated login attempts.
The campaign relied on standard SSL VPN login flows and appeared aimed at identifying weak or reused credentials. The activity stopped as abruptly as it began.
GreyNoise said such short-lived, high-volume attacks are often used to quickly map exposed systems before defenders can respond.
The firm advised organisations to review edge device security, enforce strong passwords and enable multifactor authentication, noting that operational complexity and fear of disruption often delay such measures despite their importance.
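As an added illustration (not code from the article, GreyNoise, Cisco or Palo Alto Networks), the following Python script shows one way a defender could spot the pattern described above in their own VPN authentication logs: a sliding time window over failed logins that flags a burst only when both the failure count and the number of distinct source addresses jump, which is what separates a distributed credential spray from a single misconfigured client. The log line format, the thresholds and the sample log lines are all constructed assumptions, not any vendor's real output.

```python
"""Flag short-lived, high-volume VPN login bursts in authentication logs.

Added example; the log format, thresholds and sample data are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed generic log line shape (not a real vendor format), e.g.:
#   2025-12-18T09:15:02Z vpn auth FAIL user=alice src=203.0.113.7
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) vpn auth (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src: str
    failed: bool


@dataclass(frozen=True)
class Burst:
    start: datetime
    end: datetime
    failures: int   # failed logins inside the window
    sources: int    # distinct source IPs inside the window
    users: int      # distinct usernames tried inside the window


def parse_auth_log(text: str) -> list[AuthEvent]:
    """Parse lines matching LINE_RE, skip anything else, return events sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(AuthEvent(ts, m["user"], m["src"], m["result"] == "FAIL"))
    return sorted(events, key=lambda e: e.ts)


def find_bursts(events, window=timedelta(minutes=15),
                min_failures=200, min_sources=50) -> list[Burst]:
    """Slide a time window over failed logins; report windows crossing both thresholds.

    A window that qualifies is reported once and the scan resumes after it,
    so one burst does not produce hundreds of overlapping alerts.
    """
    failures = [e for e in events if e.failed]
    bursts, i, n = [], 0, len(failures)
    while i < n:
        start = failures[i].ts
        j = i
        while j < n and failures[j].ts - start <= window:
            j += 1
        chunk = failures[i:j]
        srcs = {e.src for e in chunk}
        if len(chunk) >= min_failures and len(srcs) >= min_sources:
            bursts.append(Burst(start, chunk[-1].ts, len(chunk), len(srcs),
                                len({e.user for e in chunk})))
            i = j
        else:
            i += 1
    return bursts


def build_sample_log() -> str:
    """Constructed sample: low background failure noise all day plus one 10-minute burst."""
    lines = []
    base = datetime(2025, 12, 18)
    # Background: one failed login every 20 minutes from a handful of addresses.
    for k in range(72):
        ts = base + timedelta(minutes=20 * k)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} vpn auth FAIL "
                     f"user=user{k % 5} src=198.51.100.{k % 7 + 1}")
    # One successful login, which the detector must ignore.
    ts = base + timedelta(hours=12)
    lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} vpn auth OK user=user1 src=198.51.100.1")
    # Burst at 09:00: 300 failures in 10 minutes from 120 addresses against 60 usernames.
    burst_start = base + timedelta(hours=9)
    for k in range(300):
        ts = burst_start + timedelta(seconds=2 * k)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} vpn auth FAIL "
                     f"user=acct{k % 60} src=203.0.113.{k % 120 + 1}")
    lines.append("malformed line that the parser should skip")
    return "\n".join(lines)


if __name__ == "__main__":
    for b in find_bursts(parse_auth_log(build_sample_log())):
        print(f"burst {b.start:%H:%M:%S}-{b.end:%H:%M:%S}: "
              f"{b.failures} failures, {b.sources} sources, {b.users} users")
```

The thresholds are placeholders to tune per environment; the point is the pairing of failure volume with distinct-source count, since a single stuck client can generate thousands of failures from one address without being a spray. Because the article notes these campaigns stop as abruptly as they begin, the window should drive an alert immediately rather than feed a daily roll-up, and a high distinct-user count in the same window is the extra signal that the attempts are probing for weak or reused credentials rather than one account.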
