- Cisco patches critical RCE flaw (CVE-2025-20393) in Secure Email appliances
- Chinese state-sponsored groups exploited it for weeks using Aquashell and tunneling tools
- Updates remove persistence mechanisms; extent of global compromise remains unknown
A maximum-severity vulnerability in certain Cisco products has finally been addressed after allegedly being exploited by Chinese hackers for several weeks.
In mid-December 2025, the networking giant disclosed a remote code execution (RCE) vulnerability in AsyncOS that affects Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. It tracked the flaw as CVE-2025-20393 and gave it a severity score of 10/10 (critical).
“This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance,” Cisco said at the time. “The ongoing investigation has revealed evidence of a persistence mechanism implanted by the threat actors to maintain a degree of control over compromised appliances.”
Cisco (finally) fixes it
Soon after initial disclosure, additional reports emerged, claiming that Chinese state-sponsored threat actors, tracked as UAT-9686, APT41, and UNC5174, have been abusing this vulnerability “since at least late November 2025”.
At least one of these groups allegedly targeted Cisco Secure Email Gateway, and Cisco Secure Email and Web Manager instances with a persistent Python-based backdoor called Aquashell, as well as AquaTunnel (a reverse SSH tunnel) chisel (another tunneling tool), and AquaPurge (log-clearing utility).
Cisco said it was working on a fix, offered advice on how to harden the networks, but did not give a deadline when it might be published. Now, a patch was made available to all.
“These updates also remove persistence mechanisms that may have been installed during a related cyberattack campaign,” a Cisco spokesperson said.
“Cisco strongly recommends that affected customers upgrade to an appropriate fixed software release, as outlined in the updated security advisory. Customers needing support should contact the Cisco Technical Assistance Center.”
Despite this being a maximum-severity flaw, exploitable for at least five weeks, we don’t know how many instances were compromised, or how many organizations in the US and elsewhere, fell prey to Chinese hackers.
Via The Register
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/GECPn964KJunKWgRJ5mMti-2560-80.jpg
Source link
