Chinese Hackers Exploit Cisco's Unpatched Zero-Day Vulnerabilities

Tags: Cisco zero-day, AsyncOS vulnerability, CVE-2025-20393, UAT-9686, China threat group, email security, cybersecurity

Alan V Gutnov, Director of Strategy

December 19, 2025
3 min read

TL;DR

  • Cisco customers are currently under attack from a Chinese threat group exploiting a critical zero-day vulnerability (CVE-2025-20393) in AsyncOS software. This vulnerability allows attackers to gain unrestricted privileges and install backdoors. While no patch is available, Cisco has outlined essential mitigation steps, and CISA has added it to its Known Exploited Vulnerabilities catalog, urging immediate action.

Cisco Customers Under Attack via Zero-Day Vulnerability

Cisco customers are facing a new wave of attacks from a Chinese threat group exploiting a critical zero-day vulnerability. This vulnerability affects Cisco's AsyncOS software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The attacks have been ongoing since at least late November. Cisco became aware of the attacks on December 10.

Technical Details of the Vulnerability (CVE-2025-20393)

The vulnerability, tracked as CVE-2025-20393, carries the maximum CVSS score of 10.0, which by definition means it is reachable over the network and requires neither authentication nor user interaction. It is an improper input validation flaw in Cisco AsyncOS that lets an attacker execute commands with unrestricted privileges, which is enough to implant a persistent backdoor on the device. Exploitation requires the Spam Quarantine feature to be enabled and its interface exposed to the attacker (in the observed attacks, to the public internet). The feature is not enabled by default, so the first question for any administrator is whether it is turned on and from where its interface can be reached.

  • Cisco Security Advisory
  • NIST CVE Details
  • Explanation of Spam Quarantine Feature
  • Steps to Check Spam Quarantine Configuration
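The precondition above can be verified from outside your own network. The script below is an added example written for this article; it is not Cisco tooling and is not part of Cisco's advisory. It assumes the Spam Quarantine end-user portal listens on the AsyncOS default ports 82 (HTTP) and 83 (HTTPS), which you should confirm against the ports configured on your appliance, and it uses the placeholder address 198.51.100.10 where your appliance's public address belongs. Run it from an internet vantage point: a completed TCP handshake means the interface is publicly reachable, a timeout usually means a firewall is dropping the traffic, and a refused connection means nothing is listening on that port.

```python
"""Exposure check for the AsyncOS Spam Quarantine end-user portal.

Added example, not Cisco code. Assumes the quarantine portal listens on the
AsyncOS default ports 82 (HTTP) and 83 (HTTPS); verify the ports configured on
your appliance. Run from OUTSIDE your perimeter: a port that is reachable from
there means the feature is publicly exposed.
"""
import socket
import sys
from dataclasses import dataclass

DEFAULT_QUARANTINE_PORTS = (82, 83)  # assumed AsyncOS defaults; confirm locally


@dataclass(frozen=True)
class PortResult:
    host: str
    port: int
    reachable: bool
    detail: str


def probe_port(host: str, port: int, timeout: float = 3.0) -> PortResult:
    """TCP connect to host:port and classify the outcome.

    reachable=True only when a full handshake completes. A timeout is reported
    separately from a refusal because the two mean different things for the
    mitigation: filtered (firewall dropping) versus closed (nothing listening).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return PortResult(host, port, True, "tcp connect succeeded")
    except socket.timeout:
        return PortResult(host, port, False, "timed out (filtered or dropped)")
    except ConnectionRefusedError:
        return PortResult(host, port, False, "connection refused (closed)")
    except OSError as exc:
        return PortResult(host, port, False, f"error: {exc.__class__.__name__}")


def check_quarantine_exposure(host, ports=DEFAULT_QUARANTINE_PORTS, timeout=3.0):
    """Probe each quarantine port; return (exposed, per-port results)."""
    results = [probe_port(host, p, timeout) for p in ports]
    return any(r.reachable for r in results), results


def open_local_listener():
    """Bind an ephemeral localhost port and listen on it.

    Used to self-test the probe against a port that is known to be open.
    The caller closes the returned socket.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Placeholder target (TEST-NET-2); pass your appliance's public address instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "198.51.100.10"
    exposed, results = check_quarantine_exposure(target)
    for r in results:
        print(f"{r.host}:{r.port} reachable={r.reachable} ({r.detail})")
    print("EXPOSED: restrict access to trusted hosts now" if exposed
          else "not reachable from this vantage point")
```

A reachable result from an untrusted vantage point is the condition the attacks depend on; a timeout on both ports from the internet but success from the internal network is the state Cisco's firewall recommendation aims for.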

Threat Actor: UAT-9686

Cisco Talos researchers attribute these attacks to a Chinese advanced persistent threat group tracked as UAT-9686. This group's tooling and infrastructure are consistent with other China state-sponsored threat groups like APT41 and UNC5174. The attackers are using tunneling tools such as ReverseSSH (aka AquaTunnel) and Chisel, and a log cleaning utility called AquaPurge.

[Figure: "Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances" (image courtesy of The Hacker News)]

AquaShell Backdoor

The attackers deployed a lightweight Python backdoor called AquaShell. It listens for HTTP POST requests that require no authentication and carry specially crafted data; when one arrives it decodes the body with a custom routine and hands the result to the system shell. Because no authentication is involved, any host able to reach the listener can run commands on the appliance, which is why Cisco's advice to monitor web logs for unexpected requests matters.

Mitigation Steps

No patch is available at the time of writing, so Cisco's guidance is to reduce exposure and watch for abuse rather than remove the flaw. Cisco recommends restoring affected appliances to a secure configuration, and in particular:

  • Limit access from the internet: place the appliance behind a firewall that admits traffic only from trusted hosts.
  • Separate mail and management functionality onto different network interfaces.
  • Disable HTTP for the main administrator portal.
  • Monitor web log traffic for unexpected requests.
  • Turn off any network services that are not needed.
  • Use strong end-user authentication (for example SAML or LDAP) and change the default administrator password.

These steps narrow the attack surface but do not fix the vulnerability: an appliance with Spam Quarantine enabled and reachable from untrusted networks remains exploitable. In case of confirmed compromise, Cisco says rebuilding the appliance is the only way to eradicate the threat actor's persistence mechanism.
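The AquaShell description and the "monitor web log traffic" recommendation together suggest a concrete detection: flag POST requests that arrive from outside the trusted population or that target endpoints that should never accept a POST. The script below is an added example written for this article, not Cisco or Talos code. It parses Apache combined-format lines; the sample lines are constructed for illustration and the AsyncOS log format differs, so adapt the regex to your appliance's logs. Two values are assumptions to replace with your own: TRUSTED_NETWORKS, the ranges that should legitimately reach the portal, and EXPECTED_POST_PATHS, a hypothetical allowlist of endpoints that accept POSTs (the paths /login and /euq/search are illustrative, not real AsyncOS routes).

```python
"""Triage web-access log lines for unauthenticated-POST abuse.

Added example, not Cisco or Talos code. Reads Apache combined-format lines;
the sample below is constructed. TRUSTED_NETWORKS and EXPECTED_POST_PATHS are
assumptions that must be set per deployment.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?\s*$'
)

TRUSTED_NETWORKS = ("10.0.0.0/8",)                # assumption: internal users only
EXPECTED_POST_PATHS = {"/login", "/euq/search"}   # hypothetical endpoint allowlist

# Constructed sample, not real appliance data. 203.0.113.0/24 is TEST-NET-3.
LOG_SAMPLE = """\
10.20.30.40 - - [18/Dec/2025:09:12:01 +0000] "GET /login HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
10.20.30.40 - - [18/Dec/2025:09:12:09 +0000] "POST /login HTTP/1.1" 302 0 "https://mail.example.internal/login" "Mozilla/5.0"
203.0.113.77 - - [18/Dec/2025:09:13:44 +0000] "POST /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.77 - - [18/Dec/2025:09:13:52 +0000] "POST /static/img/logo.gif HTTP/1.1" 200 17 "-" "python-requests/2.31"
10.20.30.41 - - [18/Dec/2025:09:15:00 +0000] "POST /static/img/logo.gif?x=1 HTTP/1.1" 200 17 "-" "Mozilla/5.0"
this line is not a log entry
"""


@dataclass
class Finding:
    ip: str
    path: str
    ts: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip, trusted_networks):
    """True if ip falls inside any trusted network. Unparseable sources fail closed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n) for n in trusted_networks)


def triage_log(lines, trusted_networks=TRUSTED_NETWORKS,
               expected_post_paths=EXPECTED_POST_PATHS):
    """Flag POSTs from untrusted sources and POSTs to paths that should not accept them.

    Malformed lines are counted rather than silently dropped, so a logging
    format change (or a log-cleaning tool at work) shows up in the report.
    """
    findings, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]  # compare without the query string
        reasons = []
        if not is_trusted(rec["ip"], trusted_networks):
            reasons.append("post_from_untrusted_source")
        if path not in expected_post_paths:
            reasons.append("post_to_unexpected_path")
        if reasons:
            findings.append(Finding(rec["ip"], path, rec["ts"], reasons))
    return {"findings": findings, "unparsed": unparsed}


def sources_by_hits(findings):
    """Count findings per source address to rank what to investigate first."""
    return dict(Counter(f.ip for f in findings))


if __name__ == "__main__":
    report = triage_log(LOG_SAMPLE.splitlines())
    for f in report["findings"]:
        print(f"{f.ts} {f.ip} POST {f.path} -> {', '.join(f.reasons)}")
    print("unparsed lines:", report["unparsed"])
    print("sources:", sources_by_hits(report["findings"]))
```

On the constructed sample the untrusted host 203.0.113.77 is flagged twice (once for a POST to the login page from outside, once for a POST to a static asset path), and the trusted host 10.20.30.41 is flagged once for posting to the same asset path; a trusted user logging in normally is not flagged. The unparsed count is worth alerting on in its own right, since a log-cleaning utility like AquaPurge leaves gaps, not entries.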

To protect against sophisticated threats like UAT-9686, organizations need advanced cybersecurity solutions. Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture. Our platform converges networking and security across devices, apps, and environments—from endpoints and private networks to cloud, remote access, and containers—using peer-to-peer encrypted tunnels and quantum-resistant cryptography.

CISA Action

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies must apply the necessary mitigations by December 24, 2025, to secure their networks.

  • CISA Adds CVE-2025-20393 to KEV
  • CISA Known Exploited Vulnerabilities Catalog
  • Federal Civilian Executive Branch Definition
  • CISA Emergency Directive

Protect your organization with Gopher Security's AI-powered, post-quantum Zero-Trust cybersecurity architecture. Contact us today to learn more and secure your network against advanced threats.

About the author: Alan V Gutnov, Director of Strategy, is an MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.
