Arctic Wolf

Arctic Wolf Customer,

Due to the high prevalence of Cisco products in the industry, we are sending you this bulletin to provide situational awareness about a threat campaign affecting several Cisco products. Cisco has released an advisory detailing a new threat campaign targeting a zero-day vulnerability affecting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. Customers with these Cisco products in their environments are advised to review this security bulletin and follow provided recommendations.

Summary

On December 17, 2025, Cisco published an advisory detailing a new threat campaign identified on December 10 affecting the Cisco AsyncOS software used on Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The campaign is exploiting an unpatched zero-day vulnerability which only affects deployments with the Spam Quarantine feature enabled and allows threat actors to execute arbitrary commands with root privileges on affected devices. This feature is not enabled by default.

In their investigation into this campaign, Cisco Talos identified evidence demonstrating that threat actors had deployed AquaShell—a Python-based backdoor used to maintain persistence over compromised appliances. Cisco Talos attributes the campaign to a threat actor they refer to as UAT-9686, which is assessed with moderate confidence to be a China-affiliated actor.

Cisco has indicated that they will continue to investigate this campaign and will update their advisory as new details emerge.

Arctic Wolf is a customer of its own products/services and so we will follow the same recommendations outlined for our customers.

Vulnerability Scope

This campaign affects both physical and virtual deployments of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances when these conditions apply:

  • The appliance uses the Spam Quarantine feature.
  • The Spam Quarantine feature is accessible from the internet.

The Spam Quarantine feature is not enabled by default, and Cisco notes that its official deployment guides do not require the Spam Quarantine feature to be exposed to the public internet.


Recommendation

Remove Spam Quarantine Port from Public Internet and Filter Traffic to Appliances

Cisco recommends that the Spam Quarantine service be configured so that it is not exposed to the public internet. Organizations should configure any such deployments to restrict access to trusted hosts only. By default, this service runs on port 6025.

Cisco also recommends that all traffic to and from the Secure Email Gateway be filtered through a firewall, only allowing connections from trusted hosts. This further limits the potential for exploitation.
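As an added example (not part of this bulletin and not a Cisco or Arctic Wolf tool), the following Python script checks the trusted-host policy above against firewall logs: it flags accepted TCP connections to the default Spam Quarantine port 6025 from sources outside an allowlist. The log line format, the allowlist and the sample addresses are assumptions constructed for the example, not Cisco AsyncOS or any real firewall's format.

```python
import ipaddress
import re

# Constructed log format used only for this example (not Cisco AsyncOS or any
# real firewall's format): "<ts> ACCEPT|DROP proto=tcp src=IP:port dst=IP:port"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
SPAM_QUARANTINE_PORT = 6025  # default Spam Quarantine port named in the bulletin


def is_trusted(src, trusted_nets):
    """True when the source address falls inside any trusted-host network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in trusted_nets)


def find_untrusted_quarantine_access(lines, trusted_cidrs):
    """Return (timestamp, source IP) for accepted TCP connections to the Spam
    Quarantine port that came from outside the trusted-host allowlist."""
    trusted_nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the constructed format; skip rather than crash
        if m["action"] != "ACCEPT" or m["proto"] != "tcp":
            continue  # dropped or non-TCP traffic never reached the service
        if int(m["dport"]) != SPAM_QUARANTINE_PORT:
            continue
        if not is_trusted(m["src"], trusted_nets):
            hits.append((m["ts"], m["src"]))
    return hits


# Constructed sample log lines (not real traffic); documentation-range addresses.
SAMPLE_LOG = [
    "2025-12-18T09:00:01Z ACCEPT proto=tcp src=10.20.0.15:51234 dst=10.20.0.5:6025",
    "2025-12-18T09:00:07Z ACCEPT proto=tcp src=198.51.100.23:40012 dst=10.20.0.5:6025",
    "2025-12-18T09:00:09Z DROP proto=tcp src=203.0.113.9:3321 dst=10.20.0.5:6025",
    "2025-12-18T09:00:12Z ACCEPT proto=tcp src=198.51.100.23:40013 dst=10.20.0.5:443",
    "this line is malformed on purpose",
]
TRUSTED_CIDRS = ["10.20.0.0/16", "192.0.2.0/24"]  # assumed allowlist for the example

if __name__ == "__main__":
    for ts, src in find_untrusted_quarantine_access(SAMPLE_LOG, TRUSTED_CIDRS):
        print(f"{ts} untrusted source {src} reached TCP/{SPAM_QUARANTINE_PORT}")
```

Any hit means the Spam Quarantine service accepted a connection from outside the allowlist, so the exposure the bulletin describes still exists regardless of the intended firewall policy.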

Apply Patches When They Are Made Available

Cisco has not yet released security updates for this vulnerability, but is expected to do so within the coming weeks. Arctic Wolf strongly recommends monitoring Cisco's advisory and applying patches when they are made available.

Configure the Arctic Wolf MDR Integration

If your organization uses the affected products and you are a customer of Arctic Wolf’s Managed Detection and Response service, it is strongly recommended that you configure the Cisco Secure Email Gateway integration to provide Arctic Wolf with visibility into potentially malicious activity.

Contact Cisco TAC for Support

Cisco encourages customers who wish to determine whether their appliances may have been compromised to open a Cisco Technical Assistance Center (TAC) case.

Apply General Security Hardening to Limit Exposure

In addition to the above recommendations, Cisco provides a list of hardening recommendations to help better secure appliances:

  • Block internet access to appliances unless absolutely required; if needed, restrict to trusted hosts and approved ports/protocols.
  • Place appliances behind a firewall (preferably two-layered) and filter all inbound/outbound traffic to allow only known, trusted sources.
  • Separate mail-handling and management interfaces on Cisco Secure Email Gateway to limit internal network exposure.
  • Monitor logs regularly for unusual activity and store them externally for future investigations.
  • Disable unnecessary services such as HTTP and FTP, including HTTP access to the admin portal.
  • Upgrade to the latest Cisco AsyncOS Software version.
  • Implement strong authentication methods (e.g., SAML or LDAP).
  • Change default administrator passwords and use role-based user accounts for better access control.
  • Secure management traffic with SSL/TLS certificates from a trusted CA or self-signed options.

If you have any additional questions, please reach out to your CST at security@arcticwolf.com.

Thank you,
Arctic Wolf