By Sead Fadilpašić
Publication Date: 2025-12-19 19:30:00
- Cisco confirms zero-day (CVE-2025-20393) in Secure Email appliances exploited by China-linked actors
- Attackers deployed Aquashell backdoor, tunneling tools, and log-clearing utilities for persistence
- CISA added flaw to KEV; agencies must remediate/stop use by December 24
A China-affiliated threat actor has been abusing a zero-day vulnerability in multiple Cisco email appliances to gain access to the underlying system and establish persistence.
Cisco confirmed the news in a blog post and a security advisory, urging users to apply the recommendations it provides and to harden their networks.
In its announcement, Cisco said it first spotted the activity on December 10 and determined that it had begun at least as early as late November 2025. In the campaign, the threat actor tracked as UAT-9686 abused a bug in Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager to execute system-level commands and deploy a persistent Python-based backdoor called Aquashell.