Chinese APT Clusters Leverage Critical Vulnerabilities in Cisco AsyncOS and React Applications

UAT-9686 Exploits Cisco AsyncOS Zero-Day (CVE-2025-20393)

A China-nexus Advanced Persistent Threat (APT) actor, tracked as UAT-9686, has been observed exploiting a maximum-severity zero-day vulnerability in Cisco AsyncOS, assigned CVE-2025-20393.

Victimology
The campaign specifically targets Cisco Secure Email Gateways. Successful exploitation provides the attacker with unauthorized access to these critical perimeter security devices.

Tactics, Techniques, and Procedures (TTPs)
UAT-9686 leverages the zero-day flaw to execute arbitrary commands with root privileges on the targeted appliance. Following initial compromise, the actor’s primary objective is to establish and maintain long-term persistence within the network.

Tools Deployed
To facilitate persistence and covert command and control (C2) communications, the actor deploys the following tools:

  • ReverseSSH (referred to as AquaTunnel): A utility used to establish reverse SSH tunnels, enabling inbound access to the compromised asset even when situated behind network firewalls.
  • Chisel: A fast TCP/UDP tunnel transported over HTTP and secured via SSH, commonly used to bypass firewall restrictions and create concealed network pathways.

Multiple Chinese Clusters Exploit React2Shell Flaw (CVE-2025-55182)

Several distinct China-linked threat groups are actively exploiting the “React2Shell” vulnerability (CVE-2025-55182) in their operations.

The “China Five” Clusters
Google Threat Intelligence (GTIG) has identified five distinct China-linked clusters involved in exploiting this vulnerability. Four of the five are tracked as UNC6600, UNC6586, UNC6603, and UNC6595.

TTPs and Malware Payloads
These clusters utilize the remote code execution capability of the React2Shell flaw to deploy custom malware. Identified payloads include:

  • Minocat: A custom-built Linux tunneling tool designed for maintaining access and data exfiltration.
  • Hisonic: Another custom malware family observed being deployed in these attacks.

Earth Lamia and Jackpot Panda Target Cloud Assets
The threat actor groups known as Earth Lamia and Jackpot Panda are also linked to the exploitation of CVE-2025-55182.

Victimology and Targeting
These groups are specifically targeting cloud infrastructure. Reporting indicates a focus on compromising Amazon Web Services (AWS) environments that host applications vulnerable to the React2Shell flaw. Their TTPs involve using the vulnerability to gain an initial foothold within these cloud instances.

Indicators of Compromise Associated with Deployed Tools

Detection efforts should focus on artifacts and behaviors linked to the specific tools and vulnerability exploitation methods described.

Cisco AsyncOS Exploitation (CVE-2025-20393)

  • Process Execution: Unexpected high-privilege command execution on Cisco Secure Email Gateways.
  • File Artifacts: Presence of unauthorized binaries identified as ReverseSSH (AquaTunnel) or Chisel on the appliance’s file system.
  • Network Communications: Network traffic signatures consistent with ReverseSSH or Chisel tunneling protocols. This includes anomalous outbound connections from the email gateway to unknown external IP addresses over standard ports like 80, 443, or 22.

React2Shell Exploitation (CVE-2025-55182)

  • Exploit Attempts: Maliciously crafted HTTP requests, designed to trigger code execution, directed at React applications.
  • System Activity: Unexpected process creation on Linux servers hosting React applications, particularly processes associated with known tunneling tools or unrecognized binaries.
  • Malware Artifacts: Presence of files identified as the Minocat or Hisonic malware families on Linux servers.
  • Network Communications: Anomalous outbound connections from web servers to suspicious external infrastructure, indicative of C2 activity or tunneling.
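The network indicators listed under both sections above share one pattern: an email gateway or web server opening connections to unknown external addresses over ports 22, 80 or 443, and doing so repeatedly once a tunnel is up. The following Python script is an added example, not part of this report or of any vendor tooling, that applies that logic to constructed flow records; the host inventory (MONITORED), the allowlist, the internal address range and the repeat threshold are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records (timestamp src dst dst_port bytes); not from the report.
SAMPLE_FLOWS = """\
2025-12-10T09:00:01Z 10.0.5.20 203.0.113.45 22 4096
2025-12-10T09:00:07Z 10.0.5.20 198.51.100.9 443 2048
2025-12-10T09:01:01Z 10.0.5.20 203.0.113.45 22 4096
2025-12-10T09:02:02Z 10.0.5.20 203.0.113.45 22 4096
2025-12-10T09:03:15Z 10.0.8.14 192.0.2.77 80 9000
2025-12-10T09:04:00Z 10.0.1.3 192.0.2.77 80 1200
2025-12-10T09:05:00Z 10.0.5.20 10.0.1.50 25 300
"""
# Assumed inventory: the email gateway and a React app server whose egress is sensitive.
MONITORED = {"10.0.5.20": "cisco-email-gateway", "10.0.8.14": "react-app-01"}
ALLOWLIST = {"198.51.100.9"}  # assumed known-good external destinations (vendor updates)
TUNNEL_PORTS = {22, 80, 443}  # ports the report names for ReverseSSH/Chisel tunnels
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal space; rest is external
REPEAT_THRESHOLD = 3  # same src->dst:port this often suggests a persistent tunnel


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            ts, src, dst, port, nbytes = parts
            flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows

def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def find_suspicious(flows):
    """Alert when a monitored host reaches a non-allowlisted external IP on a tunnel port."""
    alerts, repeats = [], Counter()
    for f in flows:
        host = MONITORED.get(f["src"])
        if host is None or f["port"] not in TUNNEL_PORTS:
            continue  # not a sensitive source, or not a port the tunnels use
        if not is_external(f["dst"]) or f["dst"] in ALLOWLIST:
            continue  # internal or known-good destination
        key = (f["src"], f["dst"], f["port"])
        repeats[key] += 1
        reason = "unknown external destination on tunnel port"
        if repeats[key] >= REPEAT_THRESHOLD:
            reason = "repeated contact with same destination (possible persistent tunnel)"
        alerts.append((f["ts"], host, f["dst"], f["port"], reason))
    return alerts
```

In production the inventory and allowlist would come from asset management and an egress baseline rather than literals, and the repeat check would be windowed by time.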