- Cisco confirms a zero-day (CVE-2025-20393) in its secure email appliances was exploited by China-linked actors
- The attackers deployed the AquaShell backdoor, tunneling tools, and log-clearing utilities to maintain persistence
- CISA added the vulnerability to its KEV catalog; federal agencies must patch or stop using the affected products by December 24
A China-affiliated threat actor exploited a zero-day vulnerability in multiple Cisco email security appliances to gain access to the underlying operating system and establish persistence.
Cisco confirmed the news in a blog post and security advisory, urging users to implement the recommendations provided and harden their networks.
In its announcement, Cisco said it first spotted the activity on Dec. 10 and determined that it began no later than late November 2025. During the campaign, the threat actor, tracked as UAT-9686, abused a bug in the Cisco AsyncOS software that runs on Cisco Secure Email Gateway and Cisco Secure Email and Web Manager to execute system-level commands and deploy a persistent Python-based backdoor called AquaShell.
Two groups
The vulnerability is now tracked as CVE-2025-20393 and has received the maximum severity score of 10/10 (critical).
The group was also seen deploying AquaTunnel (a reverse SSH tunnel), Chisel (another tunneling tool), and AquaPurge (a log-clearing utility).
Given the tools and infrastructure used, Cisco believes the attacks are carried out by at least two groups: APT41 and UNC5174. Both are highly active: they abuse legitimate cloud services, breach VPNs, firewalls and other edge devices, and engage primarily in cyber espionage.
At the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, confirming abuse in the wild. Federal civilian executive branch agencies have until December 24 to apply the fixes or stop using the vulnerable products altogether.
In the advisory, Cisco said customers should restore Internet-exposed devices to a secure configuration. If they cannot do so, they should contact Cisco to determine whether the devices have been compromised.
“In the event of a confirmed compromise, rebuilding the appliances is currently the only viable option to eradicate the bad actor persistence mechanism from the appliance,” Cisco said. “Additionally, Cisco strongly recommends restricting access to the appliance and implementing robust access control mechanisms to ensure ports are not exposed to unsecured networks.”
Via The file