Cisco on Wednesday warned customers that a China-linked threat group has been observed exploiting a new zero-day affecting some of its security products.
The vulnerability, tracked as CVE-2025-20393 and classified as having critical severity, impacts appliances running Cisco AsyncOS software for Secure Email Gateway (formerly ESA) and Secure Email and Web Manager (formerly Content SMA).
The zero-day can be exploited to execute arbitrary commands on the underlying operating system with root privileges.
The exploitation of CVE-2025-20393 was discovered by Cisco’s own Talos security experts. The attacks have been aimed at “a limited subset of appliances with certain ports open to the internet”.
Cisco Talos has attributed the attacks to a threat actor tracked as UAT-9686, which it believes, with moderate confidence based on the tools and infrastructure it uses, is a Chinese state-sponsored APT.
According to Talos, the attacks, discovered on December 10, have been ongoing since at least late November.
The campaign has involved AquaShell, a backdoor that provides a custom persistence mechanism, AquaPurge, a tool designed for cleaning log files, and AquaTunnel, which creates a reverse SSH connection for remote access to the compromised system.
In addition, Talos has seen Chisel, an open source tunneling tool.
“Chisel allows an attacker to proxy traffic through a compromised edge device, allowing them to easily pivot through that device into the internal environment,” Talos explained.
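The behaviour Talos describes, an edge appliance that starts making its own outbound connections (a reverse SSH session, a long-lived tunnel) or reaching into the internal network, is something defenders can look for in the appliance's own connection records even before tool-specific IoCs are available. The following Python script is an added illustration, not Cisco or Talos code: it assumes a simplified, constructed flow-log format (`src=... dst=... dport=... dur=...`), a hypothetical appliance address of 192.0.2.10, and an allow-list of the outbound ports an email gateway normally needs. It flags appliance-initiated SSH to external hosts, long-lived outbound sessions on unexpected ports, and appliance-initiated connections into internal hosts on ports a mail gateway has no reason to use.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical values: the appliance's address, what counts as "internal",
# and the outbound ports a mail gateway is expected to use. Tune per site.
APPLIANCE_IP = ipaddress.ip_address("192.0.2.10")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.0.2.0/24")]
EXPECTED_OUTBOUND_PORTS = {25, 53, 443}
LONG_LIVED_SECONDS = 3600  # anything beyond an hour is suspicious for a gateway

# Constructed sample log (not real telemetry). One flow per line.
SAMPLE_LOG = """\
2025-12-01T02:14:07Z src=192.0.2.10 dst=198.51.100.7 dport=22 proto=tcp bytes=48213 dur=5400
2025-12-01T02:14:09Z src=192.0.2.10 dst=203.0.113.20 dport=25 proto=tcp bytes=1200 dur=3
2025-12-01T02:15:11Z src=192.0.2.10 dst=10.0.5.40 dport=445 proto=tcp bytes=9000 dur=12
2025-12-01T02:16:00Z src=192.0.2.10 dst=198.51.100.7 dport=8443 proto=tcp bytes=2000000 dur=7200
2025-12-01T02:17:00Z src=10.0.1.5 dst=192.0.2.10 dport=25 proto=tcp bytes=500 dur=1
"""

LINE_RE = re.compile(
    r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+) bytes=\d+ dur=(\d+)$"
)


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    duration: int


def parse_log(text):
    """Parse the constructed flow format; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, proto, dur = m.groups()
        flows.append(Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(dport), proto, int(dur)))
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow):
    """Return the detection rules a single appliance-initiated flow trips."""
    findings = []
    if flow.src != APPLIANCE_IP:
        return findings  # inbound traffic is out of scope for this check
    external = not is_internal(flow.dst)
    # A gateway should accept SSH from admins, never open SSH to the outside.
    if external and flow.dport == 22:
        findings.append("reverse-ssh-candidate")
    # Long outbound sessions on non-mail ports look like a tunnel or proxy.
    if external and flow.dport not in EXPECTED_OUTBOUND_PORTS \
            and flow.duration >= LONG_LIVED_SECONDS:
        findings.append("long-lived-tunnel")
    # The appliance reaching internal hosts on odd ports suggests pivoting.
    if not external and flow.dport not in EXPECTED_OUTBOUND_PORTS:
        findings.append("lateral-from-edge")
    return findings


def analyze(text):
    """Run every flow through classify() and return flat, reportable findings."""
    results = []
    for flow in parse_log(text):
        for rule in classify(flow):
            results.append({"ts": flow.ts, "dst": str(flow.dst),
                            "dport": flow.dport, "rule": rule})
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print(f'{r["ts"]} {r["rule"]}: {r["dst"]}:{r["dport"]}')
```

On the sample, the SMTP delivery and the inbound mail connection produce nothing, while the appliance-initiated SSH session, the multi-hour 8443 session and the SMB connection into an internal host are each reported. In practice the port allow-list and the internal ranges are the parts that need site-specific tuning; the rules themselves are deliberately simple so that a hit is easy to triage.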
Cisco has made available indicators of compromise (IoCs) to help customers detect potential attacks.
The tech giant’s advisory does not mention software patches — this suggests CVE-2025-20393 remains unpatched — and specifically says that no workarounds have been identified. However, the company did share some mitigations.
CISA has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, instructing federal agencies to address it by December 24.
Other attacks in the wild
Threat intelligence firm GreyNoise on Wednesday reported seeing another large-scale campaign targeting Cisco and Palo Alto Networks products. However, the activity consists of automated login attempts rather than vulnerability exploitation.
SonicWall also warned customers on Wednesday about the exploitation of a zero-day vulnerability.
The flaw, a privilege escalation issue impacting SMA1000 appliances, is tracked as CVE-2025-40602, and it has been used in combination with CVE-2025-23006 for unauthenticated remote code execution with root privileges.