- Cisco Confirms Zero-Day (CVE-2025-20393) in Secure Email Appliances Exploited by China-Affiliated Actors
- Attackers deployed the AquaShell backdoor, tunneling tools, and a log-clearing tool to maintain persistence
- CISA added the flaw to its KEV catalog; federal agencies must patch or stop using affected products by December 24
A China-affiliated threat actor has exploited a zero-day vulnerability in multiple Cisco email appliances to gain access to the underlying system and establish persistence.
Cisco confirmed the news in a blog post and security advisory urging users to apply the recommendations provided and harden their networks.
In its announcement, Cisco said it first discovered the activity on Dec. 10 and determined that it had started at least as early as late November 2025. In the campaign, the threat actor tracked as UAT-9686 abused a flaw in the Cisco AsyncOS software used by Cisco Secure Email Gateway and Cisco Secure Email and Web Manager to execute system-level commands and deploy AquaShell, a Python-based backdoor.
Two groups
The vulnerability is now tracked as CVE-2025-20393 and carries a CVSS score of 10.0 (Critical).
The group was also seen installing AquaTunnel (a reverse SSH tunnel), Chisel (another tunneling tool), and AquaPurge (a log-clearing tool).
Based on the tools and infrastructure used, Cisco believes the activity overlaps with at least two known groups, tracked as APT41 and UNC5174. Both are very active and dangerous: they abuse legitimate cloud services, compromise VPNs, firewalls and other edge devices, and engage primarily in cyberespionage.
At the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, confirming exploitation in the wild. Federal Civilian Executive Branch agencies have until December 24 to apply Cisco's fixes or stop using the vulnerable products altogether.
In the announcement, Cisco said customers should bring Internet-exposed appliances back to a secure, fixed configuration. Customers who cannot do so should contact Cisco to determine whether their devices have been compromised.
“In the event of confirmed compromise, rebuilding the appliances is currently the only viable option to eradicate the threat actor persistence mechanism from the appliance,” Cisco said. “Additionally, Cisco strongly recommends limiting access to the appliance and implementing robust access control mechanisms to ensure ports are not exposed to unsecured networks.”
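Cisco's closing recommendation is a configuration check rather than a patch: management interfaces of an email appliance should not be reachable from untrusted networks, while the mail transport ports necessarily are. The script below is an added example (not Cisco's code or tooling) of how an operator might audit an inventory of appliance listeners against that rule. The inventory format, the hostnames, the set of trusted networks and the assumption that only ports 25 and 587 legitimately face the Internet are all illustrative assumptions; the sample data is constructed.

```python
"""Exposure audit for email security appliance listeners (added example).

Given a constructed inventory of listeners and the address space an
organisation treats as trusted, flag every listener that accepts connections
from untrusted space on a port other than the mail transport ports a gateway
must expose. Nothing here is Cisco's code; ports, hosts and CIDRs are
assumptions for illustration.
"""
import ipaddress

# Ports an email gateway legitimately accepts from the Internet (assumption).
MAIL_PORTS = {25, 587}

# Address space considered trusted for management access (assumption).
TRUSTED = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory: (hostname, port, allowed source CIDRs).
# An empty allow-list means the listener accepts connections from anywhere.
INVENTORY = [
    ("esa-1.example.net", 25, []),                                 # public SMTP, expected
    ("esa-1.example.net", 443, []),                                # web UI open to all
    ("esa-1.example.net", 22, ["10.0.0.0/8"]),                     # SSH from internal only
    ("sma-1.example.net", 443, ["10.0.0.0/8", "192.168.5.0/24"]),  # UI from internal only
    ("sma-1.example.net", 22, ["0.0.0.0/0"]),                      # SSH open to all
]


def allowed_from_untrusted(sources):
    """True if the allow-list admits any address outside the TRUSTED networks.

    Each allowed source network must sit entirely inside some trusted network;
    otherwise untrusted addresses can reach the listener. An empty allow-list
    is treated as 'any source'.
    """
    if not sources:
        return True
    for src in sources:
        net = ipaddress.ip_network(src)
        # subnet_of() only compares networks of the same IP version.
        inside = any(net.version == t.version and net.subnet_of(t) for t in TRUSTED)
        if not inside:
            return True
    return False


def find_exposed(inventory):
    """Return (host, port) pairs for non-mail listeners reachable from untrusted space."""
    return [(host, port) for host, port, sources in inventory
            if port not in MAIL_PORTS and allowed_from_untrusted(sources)]


if __name__ == "__main__":
    for host, port in find_exposed(INVENTORY):
        print(f"EXPOSED: {host}:{port} accepts connections from untrusted networks")
```

Run against the sample inventory, the audit flags the two management listeners (the web UI on esa-1 and SSH on sma-1) and leaves the public SMTP listener alone. In practice the inventory would be pulled from the appliances' own access-list configuration or from the upstream firewall rules, and the trusted-network list would match the organisation's management VLANs.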
Via The Record