
Chinese attackers exploiting zero-day to target Cisco email security products

Chinese hackers have been exploiting a vulnerability in a popular Cisco email management tool since late November, the company said Wednesday.

Cisco warned customers about the bug, CVE-2025-20393, writing in an advisory that the vulnerability carries a maximum severity score of 10 and affects appliances with certain ports open to the internet that are running the company's AsyncOS software for its Secure Email Gateway and Secure Email and Web Manager.

Those products provide teams with a centralized interface to manage and report functions across multiple Cisco email devices, letting users manage policies, administer devices, enhance security and quarantine spam messages. 

The company said it became aware of the intrusion campaign on December 10 when it saw a “limited subset of appliances” being targeted. The hackers have used a variety of tools to maintain their access to compromised devices, according to an ongoing investigation by Cisco.

The company released a companion blog from its security arm that attributed the campaign to a Chinese threat group. It based the assessment on the tools and infrastructure used during attacks. 

The Cybersecurity and Infrastructure Security Agency confirmed that CVE-2025-20393 is being exploited and ordered all federal civilian agencies to apply mitigations for it by December 24.

Cisco said there is currently no patch for the bug but it provided a list of actions customers can take to protect themselves. 

The issue concerns a spam prevention feature that has to be manually enabled by customers. If the feature is exposed to and reachable from the internet, both physical and virtual instances of the Cisco Secure Email Gateway, as well as the Web Manager appliances, are at risk. 

Cisco provided a detailed process for how customers can restore devices that have been exposed to the internet to a secure configuration. If that is not possible, customers should contact Cisco to see if their appliance has been compromised. 

“In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors’ persistence mechanism from the appliance,” Cisco explained. 

“In addition, Cisco strongly recommends restricting access to the appliance and implementing robust access control mechanisms to ensure that ports are not exposed to unsecured networks.”

The company added that its email and web manager appliances should be put behind devices like a firewall.  

Cisco attributed the attacks to a Chinese threat actor it called UAT-9686 and said the group used a persistence tool called AquaShell to maintain their access and take other actions. 

The company said the group has technical overlaps with UNC5174 and APT41, one of the most prolific Chinese state-affiliated cyber groups. Its members were charged by the U.S. in 2020 for breaching more than 100 entities worldwide. 

The FBI has issued arrest warrants for five Chinese nationals tied to the group, including Zhang Haoran and Tan Dailin, for alleged cyber intrusions spanning espionage, ransomware deployment, and software supply chain attacks.

The same group has also been linked to intrusions targeting Southeast Asian government agencies, as well as Taiwan.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.