Initiatives pour
En tant qu'autorité nationale en matière de cybersécurité, le CCB a développé plusieurs initiatives destinées à des publics spécifiques, qui sont présentées ici.
Warning: Critical vulnerability in Cisco AsyncOS for SEG and SEWM appliances. Apply workaround immediately!
Image
Publié : 18/12/2025
* Last update: 18/12/2025
* Affected products:
→ Cisco AsyncOS (Secure Email Gateway (SEG) Appliances)
→ Cisco AsyncOS (Secure Email and Web Manager (SEWM) Appliances)* Type: Improper Input Validation
* CVE/CVSS:
- CVE-2025-20393: CVSS 10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Sources
Cisco Advisory - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
Cisco Blogpost - https://blog.talosintelligence.com/uat-9686/
Risks
This vulnerability is exploited in the wild: On 10 Dec 2025, Cisco became aware of a new cyberattack campaign targeting a limited subset of appliances with certain ports open to the internet that are running Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.
This vulnerability has been observed as exploited in the wild by China-nexus APT group UAT-9686 (assessed with moderate confidence by Cisco TALOS), deploying a custom backdoor 'AquaShell'. For more details and IOCs, see: https://blog.talosintelligence.com/uat-9686/.
This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance. Cisco’s investigation has revealed evidence of a persistence mechanism planted by the threat actors to maintain a degree of control over compromised appliances.
Description
The vulnerability is described as ‘Improper Input Validation’ (CWE-20). No further details were disclosed.
Recommended Actions
Follow-up
A patch is not available yet and the vendor indicates the investigation is still ongoing, therefore, follow up the situation regularly. The current information page of Cisco can be found here: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4.
Patch
At this moment, a patch as not available yet. As soon as a patch becomes available, the Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Workaround
Follow the specific guidelines as recommended by the vendor:
If an appliance has been identified as having the web management interface or the Spam Quarantine port exposed to and reachable from the internet, Cisco strongly recommends following a multi-step process to restore the appliance to a secure configuration, when possible. For additional information, see Useful Resources on this page: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4.
If restoring the appliance is not possible, Cisco recommends contacting TAC to check whether the appliance has been compromised. In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors persistence mechanism from the appliance.
In addition, Cisco strongly recommends restricting access to the appliance and implementing robust access control mechanisms to ensure that ports are not exposed to unsecured networks.
The latest version of these recommendations, including general recommendations for hardening, can be found on: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.