Telephone: 1-844-NETIZEN
Tel: 1-844-NETIZEN
Email: team (at) Netizen.net
slider

Netizen: Monday Security Brief (12/22/2025)

Posted on 22 Dec 2025 at https://www.Netizen.net/news Source Link: https://blog.netizen.net

Today’s Topics:

  • Cisco AsyncOS Zero-Day Actively Exploited in Targeted Email Gateway Intrusions
  • Threat Actors Abuse PuTTY for Lateral Movement and Quiet Data Exfiltration
  • How can Netizen help?

Cisco AsyncOS Zero-Day Actively Exploited in Targeted Email Gateway Intrusions

Cisco has issued an urgent warning regarding an actively exploited, maximum-severity zero-day vulnerability affecting Cisco AsyncOS software used by Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager appliances. The flaw, tracked as CVE-2025-20393 with a CVSS score of 10.0, is being weaponized by a China-linked advanced persistent threat actor identified as UAT-9686.

Cisco disclosed that it became aware of the campaign on December 10, 2025, following evidence of real-world exploitation against a limited subset of appliances that were reachable from the internet. At this stage, the total number of affected organizations remains unknown.

CVE-2025-20393 stems from improper input validation within AsyncOS. Successful exploitation allows an unauthenticated remote attacker to execute arbitrary commands with root-level privileges on the underlying operating system of the affected appliance. This grants full control over the device and removes any meaningful security boundary between the application layer and the host OS.

All versions of Cisco AsyncOS are impacted. Exploitation is conditional rather than universal, requiring a particular feature configuration that exposes a vulnerable attack surface.

For exploitation to occur, the following conditions must be present on either physical or virtual appliances:

  • The Spam Quarantine feature must be enabled
  • The Spam Quarantine interface must be reachable from the public internet

Spam Quarantine is not enabled by default, which limits exposure. Cisco has advised administrators to verify whether the feature is active by reviewing interface configuration settings within the web management console. Appliances meeting both conditions represent the primary target population observed in this campaign.

Cisco’s investigation shows exploitation activity dating back to at least late November 2025. Once access is achieved, UAT-9686 deploys multiple post-exploitation utilities designed for persistence, lateral access, and operational cleanup.

Observed tooling includes ReverseSSH, also known as AquaTunnel, and Chisel, both of which provide encrypted tunneling capabilities that enable remote command execution and traffic proxying. Cisco also identified the use of a log-cleaning utility called AquaPurge, indicating deliberate efforts to evade forensic analysis.

A lightweight Python backdoor dubbed AquaShell was also recovered from compromised systems. AquaShell listens passively for unauthenticated HTTP POST requests containing specially crafted payloads. Upon receipt, the backdoor decodes the embedded commands using a custom routine and executes them directly within the system shell. This design allows command-and-control traffic to blend into normal HTTP activity with minimal operational overhead.

The use of AquaTunnel is consistent with tooling previously attributed to Chinese threat groups such as APT41 and UNC5174, reinforcing Cisco’s attribution assessment.

Cisco has confirmed that attackers deploy a persistence mechanism that survives standard remediation steps. At present, rebuilding the affected appliance from a known-good state is the only reliable method to fully remove the implanted access. Configuration changes alone are insufficient once compromise has occurred.

This persistence risk significantly raises the operational impact of the vulnerability, shifting the response from routine patching to full device recovery in confirmed intrusion scenarios.

No software fix is currently available. Cisco is advising customers to reduce exposure through configuration and network controls until an update is released. Recommended actions include restricting internet access to the Spam Quarantine interface, placing affected appliances behind firewalls that permit traffic only from trusted sources, and separating mail-handling and management functions across distinct network interfaces.

Cisco also advises disabling HTTP access to the primary administrative portal, reducing the attack surface by shutting down unused services, enforcing stronger authentication mechanisms such as SAML or LDAP, and rotating default administrative credentials.

Cybersecurity and Infrastructure Security Agency has added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog. Federal Civilian Executive Branch agencies are required to apply mitigations by December 24, 2025, reflecting the severity and active exploitation status of the flaw.

Separate from the AsyncOS exploitation, GreyNoise has reported a coordinated credential-based campaign targeting enterprise VPN infrastructure. The activity involves large-scale scripted login attempts against Cisco SSL VPN and Palo Alto Networks GlobalProtect portals. More than 10,000 unique IP addresses participated in the activity, which focused on common username and password combinations rather than vulnerability abuse.

Attack surface intelligence from Censys indicates that at least 220 Cisco Secure Email Gateway instances are currently exposed to the internet. Not all are necessarily vulnerable, though the figure highlights the size of the potential target pool.

Threat Actors Abuse PuTTY for Lateral Movement and Quiet Data Exfiltration

Incident responders are seeing a steady rise in attackers abusing PuTTY, the widely used Windows SSH client, as a dual-purpose tool for lateral movement and data exfiltration. Because PuTTY is a legitimate administrative utility, its use blends easily into normal IT workflows, allowing attackers to move through environments with minimal friction and limited detection. In several recent investigations, PuTTY activity remained one of the few reliable artifacts after attackers aggressively removed traditional filesystem evidence.

PuTTY fits squarely into “living off the land” tradecraft. Rather than introducing custom malware or bespoke tunneling tools, adversaries can rely on binaries that are commonly present in enterprise environments or easily introduced without raising alarms. Utilities such as plink.exe and pscp.exe allow attackers to establish SSH tunnels between compromised systems, pivot laterally across the network, and quietly transfer sensitive files out of the environment.

From a defender’s perspective, this activity can look indistinguishable from routine administrative access. SSH sessions, file transfers, and encrypted tunnels are expected behaviors on many networks, particularly in mixed Windows and Linux environments. That ambiguity makes PuTTY an effective choice for post-compromise operations.

Even when attackers delete binaries, scripts, and logs, PuTTY leaves behind durable registry artifacts that can expose their movement. Research highlighted by Maurice Fielenbach shows that PuTTY stores SSH host key information under:

HKCU\Software\SimonTatham\PuTTY\SshHostKeys

These registry entries record the destination IP address, port, and host key fingerprint for every SSH connection initiated by the user context. In investigations where event logs were incomplete or wiped, these keys provided a reliable breadcrumb trail of attacker activity. By correlating registry timestamps with authentication logs and network telemetry, responders were able to reconstruct lateral movement paths and identify previously unseen pivot points.

Recent campaigns underscore how PuTTY abuse often begins earlier in the intrusion lifecycle. SEO-poisoned download campaigns distributing trojanized PuTTY installers have been used to deliver secondary payloads such as the Oyster backdoor. Once footholds are established, attackers pivot internally using SSH and exfiltrate data through outbound HTTP POST requests or tunneled channels.

Similar SSH-based movement patterns have been documented in ransomware operations such as DarkSide and in activity linked to North Korean threat actors. In each case, attackers favored standard tooling to escalate privileges, maintain persistence, and move laterally without triggering traditional malware signatures.

Detection remains difficult precisely because PuTTY usage is often legitimate. Endpoint activity alone may not appear suspicious if PuTTY is already installed and used by administrators. The signal typically emerges only when usage patterns deviate from established baselines, such as SSH sessions originating from systems that do not normally initiate them, connections to non-standard ports, or sudden bursts of file transfer activity following an initial compromise.

Network-focused platforms like Darktrace and similar tools often flag this activity indirectly, for example through anomalous east-west traffic or unexpected encrypted flows leaving the environment. On endpoints, registry-based hunting becomes a critical technique when process execution data is incomplete.

How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

News and Updates

Sign up to get the latest news and threat briefs:

Get in Touch

Telephone: 1-844-NETIZEN
Email: Team (at) Netizen.net
Office Locations:
Allentown, PA (Headquarters)
 Arlington, VA (DC Region)
 Charleston, SC (Southeast Region)

Connect With Us

    Facebook
    Twitter
    LinkedIn
    Instagram
    GitHub

Copyright © Netizen Corporation. All Rights Reserved.