- Cisco Confirms Zero-Day (CVE-2025-20393) in Secure Email Devices Exploited by Actors Linked to China
- The attackers used an AquaShell backdoor, tunneling tools and log cleaners
- CISA added the bug to KEV; agencies must patch or stop using the products by December 24
A China-affiliated threat actor exploited a zero-day vulnerability in multiple Cisco email devices to gain access to the underlying system and establish persistence.
Cisco confirmed the news in a blog post and a security advisory, urging users to follow the recommendations and harden their networks.
In the announcement, Cisco said it first discovered the activity on Dec. 10 and concluded that it had been going on since at least November 2025. In the campaign, the threat actor, identified as UAT-9686, exploited a flaw in the Cisco AsyncOS software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager to execute commands at the system level and deploy a persistent, system-level reverse shell (Pyramidshell).
Two groups
The vulnerability is now tracked as CVE-2025-20393 and has been given a severity rating of 10/10 (Critical).
The group was also seen using AquaTunnel (a reverse SSH tunnel), Chisel (another tunneling tool) and AquaPurge (a log-cleaning tool).
Given the tools and infrastructure used, Cisco believes the attacks were carried out by at least two groups, identified as APT41 and UNC5174. Both are very active and quite dangerous: they abuse legitimate cloud services, hack VPNs, firewalls and other tools, and above all engage in cyberespionage.
Meanwhile, the US Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog, confirming that exploits are in circulation.
Federal civilian agencies have until December 24 to apply the patches or stop using the vulnerable products altogether.
In the advisory, Cisco says customers should restore Internet-connected devices to a secure configuration. If they are unable to do this, they should contact Cisco to determine whether or not they have been compromised.
“In the event of a confirmed compromise, rebuilding the devices is currently the only viable option to remove the attacker’s persistence mechanism from the device,” Cisco said. “In addition, Cisco strongly recommends that you limit access to the device and implement strong access control mechanisms to ensure that ports are not exposed to insecure networks.”