Chinese attackers exploiting zero-day to target Cisco email security products

Summary

Cisco disclosed that Chinese threat actors have been exploiting a critical zero-day (CVE-2025-20393) in its AsyncOS-based email management appliances since late November. The flaw, rated 10/10, affects Cisco Secure Email Gateway and Secure Email and Web Manager appliances when a spam-prevention feature is manually enabled and reachable from the internet. Cisco detected a limited campaign on 10 December and attributes the attacks to a group it calls UAT-9686, which used a persistence tool named AquaShell.

Cisco has not yet released a patch and has issued mitigation guidance including restricting access, placing appliances behind firewalls and rebuilding compromised devices. The US CISA has confirmed exploitation and ordered federal civilian agencies to apply mitigations by 24 December.

Key Points

  • CVE-2025-20393 is a critical zero-day in Cisco AsyncOS for Secure Email Gateway and Secure Email and Web Manager with a maximum CVSS score of 10.
  • Exploitation requires the spam-prevention feature to be manually enabled and reachable from the internet; both physical and virtual appliances are at risk.
  • Cisco observed attacks beginning in late November and detected targeted activity on 10 December; an ongoing investigation found multiple persistence tools in use.
  • The attacker group is attributed to UAT-9686, with overlaps to UNC5174 and APT41; they used a persistence tool called AquaShell.
  • No patch is yet available; Cisco recommends restricting network access, using firewalls, and rebuilding appliances if compromise is confirmed.
  • CISA has confirmed active exploitation and mandated mitigations for federal civilian agencies by 24 December.
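The exploit preconditions and mitigation steps listed above can be turned into an inventory triage check. The following is an added example, not Cisco's code or tooling: it assumes an asset record with the fields shown, treats the constructed ranges 10.0.0.0/8 and 192.168.0.0/16 as the organisation's trusted networks, and uses the action labels as its own convention. The inventory entries are constructed sample data, and the addresses are documentation ranges.

```python
"""Triage Cisco Secure Email appliances against the CVE-2025-20393 advisory.

Added example, not Cisco's code. The decision logic mirrors the advisory:
an appliance is at risk only when the spam-prevention feature is enabled AND
it is reachable from the internet; the response is to restrict access (no
patch exists yet) or to rebuild when compromise is confirmed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Products named as affected in the advisory.
AFFECTED_PRODUCTS = {"Secure Email Gateway", "Secure Email and Web Manager"}

# Assumption: these ranges are the organisation's internal networks (constructed).
TRUSTED_NETWORKS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.168.0.0/16")]


@dataclass
class Appliance:
    name: str
    product: str
    mgmt_ip: str                       # address the appliance listens on
    spam_feature_enabled: bool         # the manually enabled feature from the advisory
    allowed_sources: List[str] = field(default_factory=list)  # firewall allowlist; empty = unrestricted
    compromise_confirmed: bool = False


def internet_reachable(allowed_sources: List[str]) -> bool:
    """True if any source outside the trusted networks may connect.

    An empty allowlist is treated as 'any source' (assumption); a listed CIDR
    counts as untrusted unless it lies entirely inside a trusted network.
    """
    if not allowed_sources:
        return True
    for cidr in allowed_sources:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.subnet_of(t) for t in TRUSTED_NETWORKS):
            return True
    return False


def triage(app: Appliance) -> str:
    """Map one appliance to the action the advisory guidance implies."""
    if app.product not in AFFECTED_PRODUCTS:
        return "not_affected"
    if app.compromise_confirmed:
        return "rebuild"            # Cisco: rebuild appliances where compromise is confirmed
    if not app.spam_feature_enabled:
        return "monitor"            # precondition not met; keep the feature disabled
    if internet_reachable(app.allowed_sources):
        return "restrict_access"    # both preconditions met: firewall / restrict now
    return "mitigated"              # feature on, but only trusted sources can reach it


def triage_inventory(inventory: List[Appliance]) -> Dict[str, str]:
    return {app.name: triage(app) for app in inventory}


# Constructed sample inventory (documentation addresses, fictional names).
INVENTORY = [
    Appliance("esa-dmz-1", "Secure Email Gateway", "203.0.113.10", True),
    Appliance("sma-core-1", "Secure Email and Web Manager", "10.20.0.5", True, ["10.0.0.0/8"]),
    Appliance("esa-partner", "Secure Email Gateway", "203.0.113.11", True, ["10.0.0.0/8", "0.0.0.0/0"]),
    Appliance("esa-lab", "Secure Email Gateway", "192.168.50.4", False),
    Appliance("sma-ir-case", "Secure Email and Web Manager", "203.0.113.12", True, [], True),
    Appliance("other-box", "Unrelated Appliance", "10.9.9.9", True),
]

if __name__ == "__main__":
    for name, action in triage_inventory(INVENTORY).items():
        print(f"{name:14s} -> {action}")
```

Run it as a script to print one action per appliance; feed it a real inventory by building `Appliance` records from whatever asset database you keep. The `allowed_sources` check is deliberately strict: a single permitted CIDR outside the trusted ranges (including 0.0.0.0/0) is enough to flag the appliance as internet-reachable.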

Context and relevance

This advisory matters because the campaign targets centralised email-management appliances that control multiple Cisco mail devices. Organisations that expose these management ports to the internet risk broad operational and data-security impacts. The attribution to groups linked to state-aligned activity (APT41/UNC5174) raises the stakes, as these actors have a history of espionage and disruptive intrusions.

The incident underscores two ongoing trends: (1) attackers increasingly target management infrastructure to gain wide-reaching access, and (2) critical zero-days are being weaponised before vendors can issue patches, making rapid mitigations essential.

Why should I read this?

Short version: if you run Cisco Secure Email appliances, this is one you can’t ignore. Ports left open for a spam filter could let attackers in with a 10/10 bug. Cisco hasn’t rolled a patch yet, so you’ll either harden access or risk rebuilding appliances later — and that’s a huge headache. Read the details so you can act fast and avoid being one of the compromised sites.

Source

Source: https://therecord.media/chinese-attackers-zero-day