- Cisco fixes critical RCE flaw (CVE-2025-20393) in Secure Email appliances
- Chinese state-sponsored groups exploited it for weeks using Aquashell and tunneling tools
- Updates remove persistence mechanisms; the extent of global compromise remains unknown
A maximum severity vulnerability in certain Cisco products has finally been resolved after allegedly being exploited by Chinese hackers for several weeks.
In mid-December 2025, the networking giant disclosed a remote code execution (RCE) vulnerability in AsyncOS that affects Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. It tracked the bug as CVE-2025-20393 and gave it a severity rating of 10/10 (Critical).
“This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected device,” Cisco said at the time. “The ongoing investigation has uncovered evidence of a persistence mechanism implanted by the threat actors to maintain some degree of control over compromised devices.”
Cisco is fixing it (finally).
Shortly after the initial disclosure, additional reports emerged claiming that Chinese state-sponsored threat actors, tracked as UAT-9686, APT41, and UNC5174, had been exploiting this vulnerability “since at least late November 2025”.
At least one of these groups reportedly targeted Cisco Secure Email Gateway and Cisco Secure Email and Web Manager instances with a persistent Python-based backdoor called Aquashell, as well as AquaTunnel (a reverse SSH tunnel), Chisel (another tunneling tool), and AquaPurge (a log-clearing tool).
Cisco said it was working on a fix and offered advice on how to harden the networks, but did not give a deadline for when the fix might be published. Now a patch has been made available to everyone.
“These updates also remove persistence mechanisms that may have been installed during a related cyberattack campaign,” a Cisco spokesperson said.
“Cisco strongly recommends that affected customers upgrade to an appropriate fixed software release, as described in the updated security advisory. Customers requiring support should contact the Cisco Technical Assistance Center.”
Despite this being a maximum severity flaw that was exploited for at least five weeks, we do not know how many instances were compromised or how many organizations in the US and elsewhere fell victim to Chinese hackers.
Via The Register