Chinese Hackers Set Sights on Cisco Email Gateways


Cisco Talos Links Ongoing Attacks to UAT-9686

Image: Anucha Cheechang/Shutterstock

Recent reports indicate that likely state-sponsored hackers from China are exploiting an unpatched vulnerability in Cisco email appliances, aiming to maintain persistent access to affected systems. The campaign has been active since mid-November and relies on a zero-day vulnerability in the Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.

Cisco Talos, the threat intelligence unit of Cisco, has attributed these attacks with medium confidence to a Chinese threat actor it tracks as UAT-9686. The attribution rests partly on observed overlaps in tooling and infrastructure with other known Chinese hacking groups.

The exploited flaw, tracked as CVE-2025-20393, stems from improper input validation. Cisco became aware of the issue on December 10 and warns that no workarounds currently exist. Where an affected device’s web management console is exposed to the internet, or the device is misconfigured with open software ports, Cisco advises users to disconnect it from the internet immediately as a precaution.

For organizations that may have already been compromised, Cisco recommends fully rebuilding the appliances to eliminate the hackers’ persistence mechanisms. Furthermore, Talos indicates that at present, only devices configured in non-standard ways appear to be targeted.

The persistence of these vulnerabilities is alarming, especially considering that Cisco’s infrastructure has become a focal point in recent Chinese hacking waves targeting various sectors of critical infrastructure, including telecommunications. In response to these threats, Cisco has pledged to enhance the security of its products, joining a growing list of corporations affected by similar campaigns, such as Microsoft and Ivanti.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded by adding CVE-2025-20393 to its Known Exploited Vulnerabilities catalog, recognizing its severity. The flaw carries the maximum CVSS score of 10; successful exploitation can give attackers root-level privileges on impacted systems.

Once attackers penetrate a system, they deploy a suite of sophisticated tools—such as AquaShell, a custom Python backdoor; AquaTunnel, a reverse SSH tunnel; and AquaPurge, a log-clearing utility—along with Chisel, an additional tunneling tool. This strategy illustrates a significant shift in the targets chosen by adversaries, emphasizing edge devices, which can remain unpatched for extended periods, allowing undetected access within networks.

The tactics employed in these attacks map closely onto the MITRE ATT&CK framework, with initial access, persistence, and privilege escalation as the key components of the adversaries’ operational playbook. This underscores the need for heightened vigilance and stronger security measures among businesses exposed to such risks.
