On December 17, 2025, Cisco announced that it had detected a campaign exploiting a zero-day vulnerability in its email security devices. The vulnerability affects the physical and virtual versions of Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA). It allows remote code execution when the Spam Quarantine feature is enabled and that feature is exposed and reachable from the internet. At this time no patch or workaround is available.
Cisco's Talos team has stated that it tracks the actor behind these intrusions as UAT-9686 and assesses with moderate confidence that the group is a China-nexus, state-backed actor. Talos identifies three malware families deployed in these intrusions: "AquaShell", a lightweight Python backdoor that listens passively for commands; "AquaPurge", a utility that deletes log entries; and "AquaTunnel", an ELF binary that creates a reverse SSH connection. The actor also deploys Chisel, an open-source tunneling tool.