Cisco email security products actively targeted in zero-day campaign

News
By published

Two Chinese-nexus groups have been exploiting a newly discovered flaw

cisco logo
(Image credit: Shutterstock / Ken Wolter)
  • Cisco confirms zero‑day (CVE‑2025‑20393) in Secure Email appliances exploited by China‑linked actors
  • Attackers deployed Aquashell backdoor, tunneling tools, and log‑clearing utilities for persistence
  • CISA added flaw to KEV; agencies must remediate/stop use by December 24

A China-affiliated threat actor has been abusing a zero-day vulnerability in multiple Cisco email appliances to gain access to the underlying system and establish persistence.

Cisco confirmed the news in a blog post and a security advisory, urging users to apply provided recommendations and harden their networks.

In its announcement, Cisco said it first spotted the activity on December 10, and determined that it started at least in late November 2025. In the campaign, the threat actor tracked as UAT-9686 abused a bug in Cisco AsyncOS Software for Cisco Secure Email Gateway, and Cisco Secure Email and Web Manager, to execute system-level commands and deploy a persistent Python-based backdoor called Aquashell.

Two groups

The vulnerability is now tracked as CVE-2025-20393 and was given a severity score of 10/10 (critical).

The group was also seen deploying AquaTunnel (a reverse SSH tunnel) chisel (another tunneling tool), and AquaPurge (log-clearing utility).

Given the tools and infrastructure used, Cisco believes the attacks are being conducted by at least two groups - tracked as APT41, and UNC5174. Both are very active and quite dangerous - abusing legitimate cloud services, breaching VPNs, firewalls, and other tools, while engaging primarily in cyber-espionage.

At the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog, confirming abuse in the wild. Federal Civilian Executive Branch agencies have until December 24 to apply the provided fixes or stop using the vulnerable products entirely.

In the advisory, Cisco said customers should restore the devices exposed to the internet to a secure configuration. If they are prevented from doing so, they should reach out to Cisco to see if they were compromised or not.

“In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors’ persistence mechanism from the appliance,” Cisco said. “In addition, Cisco strongly recommends restricting access to the appliance and implementing robust access control mechanisms to ensure that ports are not exposed to unsecured networks.”

Via The Record

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.