Cisco has finally patched a maximum-level security issue which was allegedly being targeted by Chinese hackers


  • Cisco patches critical RCE flaw (CVE-2025-20393) in Secure Email appliances
  • Chinese state-sponsored groups exploited it for weeks using Aquashell and tunneling tools
  • Updates remove persistence mechanisms; extent of global compromise remains unknown

A maximum-severity vulnerability in certain Cisco products has finally been addressed after allegedly being exploited by Chinese hackers for several weeks.

In mid-December 2025, the networking giant disclosed a remote code execution (RCE) vulnerability in AsyncOS that affects Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. It tracked the flaw as CVE-2025-20393 and gave it a severity score of 10/10 (critical).

"This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance," Cisco said at the time. "The ongoing investigation has revealed evidence of a persistence mechanism implanted by the threat actors to maintain a degree of control over compromised appliances."

Cisco (finally) fixes it

Soon after the initial disclosure, additional reports emerged claiming that Chinese state-sponsored threat actors, tracked as UAT-9686, APT41, and UNC5174, had been abusing this vulnerability “since at least late November 2025”.

At least one of these groups allegedly targeted Cisco Secure Email Gateway and Cisco Secure Email and Web Manager instances with a persistent Python-based backdoor called Aquashell, as well as AquaTunnel (a reverse SSH tunnel), chisel (another tunneling tool), and AquaPurge (a log-clearing utility).

Cisco said it was working on a fix and offered advice on how to harden affected networks in the meantime, but did not give a date for when the patch would be published. Now, a patch has been made available to all customers.

"These updates also remove persistence mechanisms that may have been installed during a related cyberattack campaign," a Cisco spokesperson said.

"Cisco strongly recommends that affected customers upgrade to an appropriate fixed software release, as outlined in the updated security advisory. Customers needing support should contact the Cisco Technical Assistance Center."

Despite this being a maximum-severity flaw that was exploitable for at least five weeks, we don’t know how many instances were compromised, or how many organizations in the US and elsewhere fell prey to Chinese hackers.

Via The Register



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
