- Cisco Fixes Critical RCE Vulnerability (CVE-2025-20393) in Secure Email Appliances
- Chinese state-sponsored groups exploited it for weeks using Aquashell and tunneling tools.
- Updates remove persistence mechanisms; the extent of the global compromise remains unknown.
A maximum severity vulnerability in some Cisco products has finally been patched after being allegedly exploited by Chinese hackers for several weeks.
In mid-December 2025, the networking giant disclosed a remote code execution (RCE) vulnerability in AsyncOS that affects Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) devices. Cisco tracks the flaw as CVE-2025-20393 and gave it a severity score of 10/10 (critical).
“This attack allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance,” Cisco said at the time. “The ongoing investigation has revealed evidence of a persistence mechanism implanted by threat actors to maintain some degree of control over compromised devices.”
Cisco fixes it (finally)
Shortly after the initial disclosure, further reports emerged claiming that Chinese state-sponsored threat actors, tracked as UAT-9686, APT41, and UNC5174, had been exploiting this vulnerability “since at least late November 2025.”
At least one of these groups allegedly targeted Cisco Secure Email Gateway and Cisco Secure Email and Web Manager instances with a persistent Python-based backdoor called Aquashell, as well as AquaTunnel (a reverse SSH tunnel), Chisel (another tunneling tool), and AquaPurge (a log-clearing utility).
Cisco said it was working on a fix and offered advice on how to harden networks, but did not give a deadline for when the fix would be released. Now, a patch has been made available to everyone.
“These updates also remove persistence mechanisms that may have been installed during an associated cyberattack campaign,” a Cisco spokesperson said.
“Cisco strongly recommends that affected customers upgrade to an appropriate fixed software release, as outlined in the updated security advisory. Customers requiring assistance should contact the Cisco Technical Assistance Center.”
Although this is a maximum-severity flaw that was exploitable for at least five weeks, we do not know how many instances were compromised, nor how many organizations in the United States and elsewhere fell prey to Chinese hackers.
Via The Register