Cisco has dropped an urgent security alert about a zero-day vulnerability that Chinese state-sponsored hackers have been actively exploiting for weeks.
The breach affects thousands of organizations worldwide, with attackers gaining complete administrative control over critical email security infrastructure.
According to Cisco’s Dec. 17 announcement, the exploitation targets Cisco Secure Email Gateway and Cisco Secure Email and Web Manager systems.
The vulnerability, designated CVE-2025-20393, carries a severity score of 10.0, the maximum possible. Every version of Cisco’s AsyncOS software is vulnerable, and no patch is yet available. The campaign affects both physical and virtual installations when they are configured with the Spam Quarantine feature exposed to the internet; Cisco notes that this feature is not enabled by default.
The sophisticated arsenal
The Chinese threat group, tracked as UAT-9686, has deployed a collection of custom-built hacking tools to maintain persistent access to compromised systems. Cisco’s investigation revealed that attackers can execute any command with root privileges on affected devices. The exploitation campaign has been running since at least late November, giving hackers weeks of undetected access to sensitive email communications.
The attackers deployed multiple specialized tools to ensure long-term control over breached systems. AquaShell, a lightweight Python backdoor, listens passively for specially crafted HTTP requests and executes system commands without requiring authentication. To cover their tracks, the group installed AquaPurge, a log-cleaning utility that removes evidence of their activity from system logs. For remote access, they used tunneling tools including ReverseSSH (also called AquaTunnel) and Chisel, both designed to bypass network security controls.
This sophisticated approach shows clear overlaps with other Chinese threat actors, including APT41 and UNC5174, suggesting coordinated efforts among state-sponsored groups. The tactics demonstrate an escalation in sophistication, with Chinese-nexus advanced persistent threat groups increasingly adopting custom web-based implants.
What organizations must do right now
With no patch currently available, Cisco has issued emergency guidance that essentially requires organizations to completely rebuild their affected email security appliances. The company discovered this attack campaign during routine technical support on Dec. 10. Currently, rebuilding compromised appliances represents the only viable method to eliminate the threat actors’ persistence mechanisms.
Organizations should immediately assess whether their email security appliances have the Spam Quarantine feature enabled and exposed to internet access. For organizations unable to immediately rebuild their systems, Cisco Technical Assistance Center can perform remote compromise assessments. Additional protective measures include limiting internet access, securing devices behind firewalls, separating mail and management network interfaces, and implementing strong authentication methods like SAML or LDAP.
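The assessment steps above can be turned into a repeatable triage over an appliance inventory. The following is an added example written for this article, not a Cisco tool or API: it scores each appliance against the advisory's guidance (internet-exposed Spam Quarantine, firewall placement, shared mail/management interfaces, SAML or LDAP authentication) and names the ones that should be treated as rebuild or TAC-assessment candidates first. The record layout, field names and sample hostnames are constructed; the "internet reachable" flag is assumed to come from your own external exposure check.

```python
"""Triage helper for Cisco Secure Email Gateway / Secure Email and Web Manager
appliances against the hardening guidance in Cisco's CVE-2025-20393 advisory.

The inventory schema and sample records below are constructed for this example;
they are not a Cisco export format or API.
"""
from dataclasses import dataclass
from typing import List

# Authentication methods the advisory names as strong.
STRONG_AUTH = {"SAML", "LDAP"}

# Ordering used to sort findings, most urgent first.
PRIORITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


@dataclass
class Appliance:
    hostname: str
    spam_quarantine_enabled: bool
    spam_quarantine_internet_reachable: bool  # assumed: result of your own external exposure check
    mail_interface: str
    management_interface: str
    auth_method: str
    behind_firewall: bool


@dataclass
class Finding:
    hostname: str
    priority: str
    issue: str
    action: str


def triage(a: Appliance) -> List[Finding]:
    """Apply the advisory's checks to one appliance and return its findings."""
    out: List[Finding] = []
    if a.spam_quarantine_enabled and a.spam_quarantine_internet_reachable:
        # This is the exploited configuration: assume compromise until proven otherwise.
        out.append(Finding(a.hostname, "CRITICAL",
                           "Spam Quarantine reachable from the internet on an unpatched appliance",
                           "Remove internet exposure now; request a Cisco TAC compromise assessment "
                           "or rebuild the appliance"))
    elif a.spam_quarantine_enabled:
        out.append(Finding(a.hostname, "HIGH",
                           "Spam Quarantine enabled (not believed internet-reachable)",
                           "Re-verify exposure from outside the network; keep the feature off the internet"))
    if not a.behind_firewall:
        out.append(Finding(a.hostname, "HIGH", "Appliance is not placed behind a firewall",
                           "Move the appliance behind a firewall and restrict inbound access"))
    if a.mail_interface == a.management_interface:
        out.append(Finding(a.hostname, "MEDIUM", "Mail and management traffic share one interface",
                           "Separate the management interface from the mail interface"))
    if a.auth_method.upper() not in STRONG_AUTH:
        out.append(Finding(a.hostname, "MEDIUM",
                           f"Authentication method '{a.auth_method}' is not SAML or LDAP",
                           "Enable SAML or LDAP authentication"))
    return out


def triage_inventory(inventory: List[Appliance]) -> List[Finding]:
    """Triage every appliance and return all findings, most urgent first."""
    findings = [f for a in inventory for f in triage(a)]
    return sorted(findings, key=lambda f: (PRIORITY_RANK[f.priority], f.hostname))


def rebuild_candidates(inventory: List[Appliance]) -> List[str]:
    """Hostnames that match the exploited configuration and need rebuild/assessment."""
    return sorted({f.hostname for a in inventory for f in triage(a) if f.priority == "CRITICAL"})


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Appliance("esa-dmz-01", True, True, "Data1", "Data1", "local", True),
    Appliance("esa-core-02", True, False, "Data1", "Management", "LDAP", True),
    Appliance("sma-01", False, False, "Data1", "Management", "SAML", True),
]

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY):
        print(f"[{f.priority}] {f.hostname}: {f.issue} -> {f.action}")
    print("Rebuild/assessment candidates:", rebuild_candidates(SAMPLE_INVENTORY))
```

The CRITICAL tier is deliberately reserved for the one configuration the advisory ties to exploitation, so that appliances needing a TAC assessment or rebuild are not buried among routine hardening gaps.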
Most critically, any organization that suspects compromise must act immediately. The threat actors have had potential access to email communications for weeks, meaning sensitive data may already be compromised.
Fortunately, Cisco’s cloud-based email security services remain unaffected by this vulnerability, providing organizations with an alternative security approach.
As Cisco continues investigating this ongoing campaign, organizations must prepare for the likelihood that additional vulnerabilities and attack vectors may be discovered in the coming weeks.
The sophistication of UAT-9686’s custom tools and persistence mechanisms suggests this group has invested significant resources in targeting email security infrastructure, and points to ongoing campaigns against critical infrastructure.