By Zeljka Zorz
Publication Date: 2025-12-17 19:28:00
A suspected Chinese-nexus threat group has been compromising Cisco email security devices and planting backdoors and log-purging tools on them since at least late November 2025, Cisco Talos researchers have shared.
“Our analysis indicates that appliances with non-standard configurations (…) are what we have observed as being compromised by the attack,” they noted.
According to the accompanying advisory, the attackers exploited CVE-2025-20393, a vulnerability stemming from improper input validation, to execute arbitrary commands with root privileges on the operating system of an affected appliance – and they did not need to authenticate before exploiting the flaw.
This attack campaign targeted Cisco Secure Email Gateway (physical and virtual) and Cisco Secure Email and Web Manager (physical and virtual) appliances that were configured with the Spam Quarantine feature exposed to and reachable from the internet.
The attack tools
Cisco became aware of this activity on…