- Cisco Fixes Critical RCE Flaw (CVE-2025-20393) on Secure Email Devices
- Chinese state-sponsored groups exploited it for weeks using Aquashell and tunneling tools.
- Updates remove persistence mechanisms; scope of global compromise unknown
A maximum severity vulnerability in certain Cisco products has finally been addressed after being allegedly exploited by Chinese hackers for several weeks.
In mid-December 2025, the networking giant disclosed a remote code execution (RCE) vulnerability in AsyncOS that affects Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) devices. It tracked the flaw as CVE-2025-20393 and gave it a severity score of 10/10 (critical).
“This attack allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected device,” Cisco said at the time. “Ongoing investigation has revealed evidence of a persistence mechanism implanted by threat actors to maintain some degree of control over compromised devices.”
Cisco (finally) fixes it
Shortly after the initial disclosure, additional reports emerged claiming that Chinese state-sponsored threat actors, tracked as UAT-9686, APT41, and UNC5174, had been abusing this vulnerability “since at least late November 2025.”
At least one of these groups allegedly targeted instances of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager with a Python-based persistent backdoor called Aquashell, as well as AquaTunnel (a reverse SSH tunnel), chisel (another tunneling tool), and AquaPurge (a log-cleaning utility).
Cisco said it was working on a fix and offered advice on how to harden networks, but gave no timeline for when a patch might be released. Now, a patch has been made available to everyone.
“These updates also remove persistence mechanisms that may have been installed during a related cyberattack campaign,” a Cisco spokesperson said.
“Cisco strongly recommends that affected customers upgrade to an appropriate fixed software release, as described in the updated security advisory. Customers requiring support should contact the Cisco Technical Assistance Center.”
Although this is a maximum severity flaw that was exploited in the wild for at least five weeks, we do not know how many instances were compromised, or how many organizations in the US and elsewhere fell victim to Chinese hackers.
Via The Register