Thursday, June 11 2026

Cisco and SonicWall warn zero-day exploited in attacks

Cisco warned customers that a maximum-severity Cisco AsyncOS zero-day is being actively exploited in attacks targeting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. This yet-to-be-patched zero-day (CVE-2025-20393) affects only Cisco SEG and Cisco SEWM appliances with non-standard configurations, when the Spam Quarantine feature is enabled and exposed on the Internet.

Cisco Talos researchers believe that the Chinese threat group UAT-9686 is exploiting the flaw to run arbitrary commands as root and install persistent backdoors like AquaShell, along with the AquaTunnel and Chisel reverse SSH malware and a log-clearing tool called AquaPurge. Indicators of compromise can be found in a GitHub repository.


AquaTunnel and other malicious tools used in these attacks have been previously associated with Chinese state-backed hacking groups like UNC5174 and APT41.

“We assess with moderate confidence that the adversary, who we are tracking as UAT-9686, is a Chinese-nexus advanced persistent threat (APT) actor whose tool use and infrastructure are consistent with other Chinese threat groups,” Cisco Talos said in a Wednesday advisory.

“As part of this activity, UAT-9686 deploys a custom persistence mechanism we track as AquaShell accompanied by additional tooling meant for reverse tunneling and purging logs.”

The company urged admins to protect vulnerable devices by limiting internet access, allowing connections only from trusted hosts, and placing them behind firewalls.

Admins should separate mail handling from management, monitor web logs for unusual activity, and keep logs for investigations.

Admins should also disable unnecessary services, update to the latest Cisco AsyncOS software, use strong authentication like SAML or LDAP, change default passwords, and secure management traffic with SSL or TLS certificates.

SonicWall SMA1000 zero-day exploited

SonicWall alerted customers to update the SonicWall SMA1000 Appliance Management Console because of a vulnerability, linked to zero-day attacks, that could be used to escalate privileges.

SonicWall reported a medium-severity local privilege escalation flaw (CVE-2025-40602) identified by Clément Lecigne and Zander Work from the Google Threat Intelligence Group. This issue does not impact SSL-VPN on SonicWall firewalls.

“SonicWall PSIRT strongly advises users of the SMA1000 product to upgrade to the latest hotfix release version to address the vulnerability,” the company said in a Wednesday advisory.
