- Cisco confirms a zero-day (CVE-2025-20393) in its secure email appliances is being exploited by China-linked actors
- The attackers deployed the AquaShell backdoor, tunneling tools and a cleaning utility to maintain persistence
- CISA added the bug to its KEV catalog; federal agencies must patch or stop using affected products by December 24
A China-affiliated threat actor has been abusing a zero-day vulnerability in several Cisco email security appliances to gain access to the underlying operating system and establish persistence.
Cisco confirmed the news in a blog post and a security advisory, urging customers to apply its recommendations and harden their networks.
In its announcement, Cisco said it first detected the activity on December 10 and determined that it had begun at least as early as late November 2025. In the campaign, the threat actor tracked as UAT-9686 abused a bug in Cisco AsyncOS, the software underlying the Cisco Secure Email Gateway and the Cisco Secure Email and Web Manager, to execute system-level commands and deploy a persistent Python-based backdoor called AquaShell.
The vulnerability is now tracked as CVE-2025-20393 and has been assigned a severity score of 10/10 (critical).
The group was also seen deploying AquaTunnel (a reverse SSH tunnel), Chisel (an open-source tunneling tool) and AquaPurge (a cleaning utility).
Based on the tools and infrastructure used, Cisco believes the attacks are being carried out by at least two groups, APT41 and UNC5174. Both are highly active and capable: they abuse legitimate cloud services, compromise VPNs, firewalls and other edge devices, and engage primarily in cyber espionage.
At the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its Known Exploited Vulnerabilities (KEV) catalog, confirming exploitation in the wild. Federal Civilian Executive Branch agencies have until December 24 to apply the vendor's fixes or discontinue use of affected products entirely.
In the advisory, Cisco said customers should restore internet-exposed devices to a secure configuration. Those who are unable to do so should contact Cisco to determine whether their devices have been compromised.
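What a practitioner actually wants from that KEV listing is the deadline set against their own inventory. The script below is an added example (not code from TechRadar, Cisco or CISA): it parses a document in the shape of CISA's public KEV JSON export (a `vulnerabilities` array whose entries carry `cveID`, `vendorProject`, `product`, `dueDate` and `requiredAction`), looks up a given CVE, filters by vendor and lists everything due within a window, flagging overdue entries with a negative day count. The two entries inside it are constructed for the example; only the CVE ID, vendor and December 24 due date of the Cisco entry come from the article, and the "today" date in the usage section is an assumption made so the run is reproducible.

```python
"""Triage a CISA KEV feed export offline.

Added example, not code from TechRadar, Cisco or CISA. The entry fields
(cveID, vendorProject, product, dueDate, requiredAction) follow the public
KEV JSON feed's "vulnerabilities" array; the feed content below is
constructed for this example, not copied from the live catalog.
"""
import json
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed sample feed. Only the CVE ID, vendor and the December 24 due
# date of the first entry come from the article; the second entry is a
# hypothetical placeholder used to show filtering.
SAMPLE_FEED = json.dumps({
    "title": "constructed sample, not the live KEV catalog",
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-20393",
            "vendorProject": "Cisco",
            "product": "AsyncOS",
            "dueDate": "2025-12-24",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product.",
        },
        {
            "cveID": "CVE-2099-0001",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "dueDate": "2026-02-01",
            "requiredAction": "Apply updates per vendor instructions.",
        },
    ],
})


def load_kev(feed_json: str) -> List[dict]:
    """Return the vulnerabilities array from a KEV JSON document."""
    return json.loads(feed_json)["vulnerabilities"]


def find_cve(entries: List[dict], cve_id: str) -> Optional[dict]:
    """Look up one CVE; KEV IDs are upper-case, so compare case-insensitively."""
    wanted = cve_id.strip().upper()
    return next((e for e in entries if e["cveID"].upper() == wanted), None)


def entries_for_vendor(entries: List[dict], vendor: str) -> List[dict]:
    """Entries whose vendorProject matches, e.g. everything Cisco in the feed."""
    return [e for e in entries if e["vendorProject"].lower() == vendor.lower()]


def due_within(entries: List[dict], today: date, days: int) -> List[Tuple[str, date, int]]:
    """(cveID, dueDate, days_left) for entries due on or before today + days.

    days_left is negative for entries that are already overdue, so the
    caller can escalate those first. Results are sorted by due date.
    """
    horizon = today + timedelta(days=days)
    hits = []
    for e in entries:
        due = date.fromisoformat(e["dueDate"])
        if due <= horizon:
            hits.append((e["cveID"], due, (due - today).days))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    kev = load_kev(SAMPLE_FEED)
    today = date(2025, 12, 17)  # assumed "today" so the run is reproducible
    entry = find_cve(kev, "cve-2025-20393")
    print("listed:", entry is not None, "-", entry["requiredAction"] if entry else "")
    for cve, due, left in due_within(kev, today, 14):
        state = f"OVERDUE by {-left} days" if left < 0 else f"{left} days left"
        print(f"{cve}: due {due} ({state})")
```

To run it against the real catalog, replace `SAMPLE_FEED` with the text of CISA's published KEV JSON file and pass `date.today()`; the functions do not depend on the sample data.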
“In the event of a confirmed compromise, rebuilding devices is currently the only viable option to eradicate the threat actor persistence mechanism from the device,” Cisco said. “In addition, Cisco strongly recommends restricting access to the device and implementing strong access control mechanisms to ensure that ports are not exposed to unsecured networks.”
Via The Record