CVE-2025-20393 is a CVSS 10.0 Remote Code Execution (RCE) flaw in Cisco Secure Email Gateways currently being actively exploited by China-nexus groups. A recent advisory from Cisco Talos details how an actor dubbed “UAT-9686” is leveraging this vulnerability to target Cisco Secure Email Gateways (ESA) and Secure Email and Web Managers (SMA). The attack allows threat actors to execute arbitrary commands with root privileges and deploy persistence mechanisms. This situation highlights a critical challenge for defenders: adversaries are targeting "black box" appliances, critical infrastructure at the network edge where you often cannot install Endpoint Detection and Response (EDR) agents. When you cannot look inside the device, you must look at the network.
The actor’s toolkit includes AquaShell (a Python-based backdoor), Aqua Tunnel (a custom build of the open-source ReverseSSH), and Chisel (a tunneling tool). These tools allow them to maintain persistence, mask their traffic, and pivot deeper into the environment. Because these appliances are often trusted and unmonitored, they make perfect staging grounds.
Corelight helps you find this activity out of the box. By combining signature-based detection (Suricata and YARA) with behavioral analysis and machine learning, we can detect and identify the tools UAT-9686 uses to move through your network.
One of the primary tools in this campaign is Chisel, a fast TCP/UDP tunnel transported over HTTP and secured via SSH. Adversaries favor it because it wraps malicious traffic in legitimate-looking protocols, often bypassing firewalls. However, Chisel leaves specific footprints during its handshake.
Corelight’s integration of Suricata allows us to catch this setup phase. The following rule from the Emerging Threats team at Proofpoint detects the specific "SSH-chisel" banner exchange, identifying the tunnel before the encryption fully obscures the payload.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Chisel SOCKS Proxy Startup Observed"; flow:established,to_client; http.stat_code; content:"101"; file.data; content:"SSH-chisel-v3-server"; offset:2; fast_pattern; classtype:policy-violation; sid:2033342; rev:2; metadata:created_at 2021_07_15, confidence High, signature_severity Informational, tag Proxy, tag Tunnel, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
This signature provides a high-fidelity alert. If you see this firing on an email gateway, you need to investigate immediately. Suricata identifies the tunnel effectively, but to confirm the malicious nature of the files moving through it, we turn to YARA.
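As an added illustration (not Corelight's or Proofpoint's code), the following Python mirrors the logic of the rule above over a raw server response, which also shows why the banner is matched at offset 2: Chisel carries SSH inside WebSocket frames, and a short unmasked server-to-client frame has a two-byte header before the payload. The HTTP response and frame bytes are constructed for the example.

```python
import struct

BANNER = b"SSH-chisel-v3-server"


def parse_http_response(raw: bytes):
    """Split a raw HTTP response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ")[1])
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip()
    return status, headers, body


def websocket_payload(frame: bytes) -> bytes:
    """Payload of one unmasked WebSocket frame (server -> client, so no mask key)."""
    if len(frame) < 2:
        return b""
    length, header = frame[1] & 0x7F, 2
    if length == 126:
        length, header = struct.unpack("!H", frame[2:4])[0], 4
    elif length == 127:
        length, header = struct.unpack("!Q", frame[2:10])[0], 10
    return frame[header:header + length]


def matches_chisel_startup(raw: bytes) -> bool:
    """Same test as the Suricata rule: http.stat_code 101, then the banner at offset >= 2."""
    status, _, body = parse_http_response(raw)
    if status != 101:
        return False
    return body.find(BANNER, 2) != -1   # content:"SSH-chisel-v3-server"; offset:2


# Constructed sample: a WebSocket upgrade response followed by the first binary frame
# (0x82 = FIN + binary opcode, then the payload length), which carries the SSH banner.
SAMPLE = (b"HTTP/1.1 101 Switching Protocols\r\n"
          b"Upgrade: websocket\r\nConnection: Upgrade\r\n"
          b"Sec-WebSocket-Accept: <constructed>\r\n\r\n"
          + bytes([0x82, len(BANNER) + 1]) + BANNER + b"\n")

# Constructed benign upgrade: a text frame that is not a Chisel banner.
BENIGN = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n\r\n"
          + bytes([0x81, 5]) + b"hello")
```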
Finally, Corelight applies YARA scanning to files that cross your network, and YARA provides the final layer of confirmation. The following rule, written by Corelight, identifies the Chisel client/server binary:

rule chisel_linux {
    meta:
        author = "David Burkett @ Corelight"
        description = "Detects jpillora/chisel client/server"
        creation_date = "2025-12-18"
        hash1 = "b84450974bd3f1fc5dc09ec0edeec50647df81716e305ef391c9115c751aab17"
        TLP = "Clear"
    strings:
        $chisel_string = "github.com/jpillora/chisel"
    condition:
        // ELF magic number (\x7fELF read as a little-endian uint16)
        uint16(0) == 0x457f and
        $chisel_string and
        filesize < 12MB
}

Cisco Talos assesses with "moderate confidence" that UAT-9686 is a Chinese-nexus advanced persistent threat (APT) actor. They note that the group's "tool use and infrastructure are consistent with other Chinese threat groups," specifically citing overlaps in tactics and tooling with known groups like APT41 (Brass Typhoon) and UNC5174.
This attribution matters for your defense strategy. The Cisco advisory's urgent recommendation to "disable HTTP" and "FTP" implies that these cleartext protocols are often enabled by default on these appliances. Recent CISA advisories confirm that Chinese state-sponsored actors frequently abuse these specific cleartext protocols to transfer attack tools and exfiltrate data.
The actor also deploys Aqua Tunnel, which is based on the open-source tool ReverseSSH. This tool creates a reverse SSH connection from the compromised appliance back to the attacker. Because the traffic is encrypted, traditional content inspection often fails.
This is where Corelight’s SSH Inferences package, available as part of our Open Network Detection and Response (NDR) Platform, becomes vital. Instead of trying to break the encryption, we analyze the behavior of the encrypted traffic, specifically the size, order, and direction of the packets.
The ssh.log in Corelight will tag sessions with specific inferences. For a tool like Aqua Tunnel, you should hunt for:
By looking for these tags in your ssh.log, you can find imposter SSH sessions that do not match the profile of your legitimate administrators. Corelight’s signatures find what is known, but our anomaly detection and behavioral inferences find what’s new. Cisco ESAs are purpose-built appliances. Their behavior should be highly predictable. They send email, they receive email, and they perform specific updates. They should not suddenly start tunneling traffic to unknown IPs or acting as SSH servers on non-standard ports.
Corelight's Open NDR Platform runs on a multi-layered detection engine built around a comprehensive detection methodology. We detect the known through a combination of signatures and indicators of compromise (IOCs), and the unknown through our anomaly engine, behavior-based detectors, and inference packages. The Corelight anomaly engine uses (inferred) peer group modeling to identify these deviations. Essentially, the system automatically groups your devices, identifying that your ESAs behave similarly to one another. If one device in that group begins establishing SSH connections using a new client string (like the Go-based client used by Chisel or ReverseSSH) or connecting to a destination that its peers ignore, the system generates an alert.
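To make the peer-group idea concrete, here is an added, simplified baseline check over ssh.log-style records (this is illustrative code, not Corelight's anomaly engine). Devices in one group are expected to share SSH client strings and destinations, so a connection whose client string or responder has never been seen from any member of the group is flagged. Field names follow Zeek's ssh.log; the addresses and log rows are constructed, and "SSH-2.0-Go" is the default version string sent by Go's x/crypto/ssh client.

```python
# Constructed ESA cluster (the inferred peer group).
PEER_GROUP = {"10.0.5.11", "10.0.5.12", "10.0.5.13"}

# Constructed ssh.log rows: (ts, id.orig_h, id.resp_h, id.resp_p, client)
BASELINE = [
    (1, "10.0.5.11", "10.0.9.2", 22, "SSH-2.0-OpenSSH_9.6"),
    (2, "10.0.5.12", "10.0.9.2", 22, "SSH-2.0-OpenSSH_9.6"),
    (3, "10.0.5.13", "10.0.9.2", 22, "SSH-2.0-OpenSSH_9.6"),
]
NEW = [
    (10, "10.0.5.12", "10.0.9.2", 22, "SSH-2.0-OpenSSH_9.6"),     # matches the peers
    (11, "10.0.5.12", "203.0.113.7", 8443, "SSH-2.0-Go"),         # new client and destination
    (12, "10.0.7.50", "203.0.113.7", 8443, "SSH-2.0-Go"),         # not an ESA, ignored here
]


def build_baseline(rows, group):
    """Client strings and (resp_h, resp_p) pairs seen from any member of the group."""
    clients, dests = set(), set()
    for _, orig, resp, port, client in rows:
        if orig in group:
            clients.add(client)
            dests.add((resp, port))
    return clients, dests


def find_deviations(rows, group, baseline):
    """Flag group members whose client string or destination no peer has used."""
    clients, dests = baseline
    alerts = []
    for ts, orig, resp, port, client in rows:
        if orig not in group:
            continue
        reasons = []
        if client not in clients:
            reasons.append(f"new client string {client!r}")
        if (resp, port) not in dests:
            reasons.append(f"new destination {resp}:{port}")
        if reasons:
            alerts.append((ts, orig, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in find_deviations(NEW, PEER_GROUP, build_baseline(BASELINE, PEER_GROUP)):
        print(alert)
```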
The UAT-9686 campaign reinforces a hard truth about cybersecurity: you cannot defend what you cannot see. When adversaries operate on the network edge, relying strictly on endpoint data leaves you vulnerable. This is where Corelight can help. Our mission-ready Open NDR Platform complements EDR and enables defenders to detect advanced TTPs with unprecedented network visibility, anomaly detection, SSH inferences, Suricata signatures, and more. Want to explore more in-depth threat hunts with NDR and Corelight? Check out our comprehensive Threat Hunting Guide.