A critical Cisco vulnerability for which no patch is yet available is being actively exploited by suspected China-aligned attackers to quietly take control of exposed email security appliances.
Cisco’s Talos research team reports tracking fresh cyber-espionage activity displaying characteristics consistent with China’s state-aligned hacking operations.
The attackers exploit a critical security vulnerability, tracked as CVE-2025-20393, that affects widely deployed Cisco products.
The group, which Talos tracks as UAT-9686, uses the vulnerability to gain unauthorized access and install custom malware designed to maintain long-term access to and control of the device.
Talos assesses with moderate confidence that UAT-9686 functions within China’s state hacking infrastructure. This conclusion derives from overlapping tactics, techniques, and procedures (TTPs), shared infrastructure, and targeting patterns mirroring other Chinese-nexus groups currently under surveillance.
Talos documented the use of AquaTunnel, also known as ReverseSSH, a backdoor previously linked to established Chinese threat groups including APT41 and UNC5174. This reuse of malware suggests either shared development resources or a common tool supply chain across multiple operations.
The cyberattack operation targets a restricted subset of appliances with specific internet-accessible ports running Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.
Cisco has not disclosed how many customers are affected, and patches are not yet available.
In its security advisory, Cisco urges organizations to take immediate protective measures for internet-exposed appliances, particularly where the web management interface or Spam Quarantine ports are reachable from untrusted networks.
Where those ports have been exposed, Cisco strongly recommends following its multi-step recovery procedure to secure affected appliances, including reviewing the configuration and removing any unauthorized changes.
Beyond remediation, Cisco emphasizes prevention. Management interface access should be strictly controlled and never left publicly accessible.
Organizations should secure access using robust access control mechanisms, including IP allowlists, network segmentation, and restricting administrative access exclusively to trusted internal networks.
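The prevention guidance above comes down to one question a defender can actually check: is the appliance's management plane reachable from anywhere other than the trusted networks on the allowlist? The script below is an added example, not code from Cisco or from the advisory. It parses constructed firewall-style connection log lines, flags any connection to an assumed management or quarantine port from a source outside the allowlisted networks, and reports whether such connections were accepted (the interface is exposed) or dropped (the allowlist is holding, but the port is being probed). The port numbers, trusted networks, and log format are assumptions chosen for illustration and are not taken from Cisco documentation.

```python
"""Audit constructed firewall logs for management-plane access to an email
security appliance from outside an IP allowlist.

Added example; not code from Cisco or from the article. The ports, trusted
networks, and log line format below are assumptions made for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed: ports on which the appliance's web management UI and spam
# quarantine interface listen. Placeholders for this example only.
MGMT_PORTS = {443: "web management UI", 8443: "spam quarantine UI"}

# Assumed: the only networks from which administrative access should originate.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.168.50.0/24")]

# Assumed log format: one connection per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=tcp action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dport: int
    service: str
    action: str


def is_trusted(src: str) -> bool:
    """True when the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETWORKS)


def audit_log(lines):
    """Return one Finding per management-port connection from an untrusted source.

    Lines that do not match the expected format are skipped rather than
    treated as evidence either way.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        dport = int(m["dport"])
        if dport not in MGMT_PORTS or is_trusted(m["src"]):
            continue
        findings.append(Finding(m["ts"], m["src"], dport, MGMT_PORTS[dport], m["action"]))
    return findings


def exposure_summary(findings):
    """Summarise whether the management plane is reachable from untrusted networks.

    Accepted connections mean the interface is exposed; dropped ones mean the
    allowlist is doing its job but the port is still being probed.
    """
    accepted = [f for f in findings if f.action == "ACCEPT"]
    return {
        "exposed": bool(accepted),
        "accepted_untrusted": len(accepted),
        "blocked_untrusted": len(findings) - len(accepted),
        "untrusted_sources": sorted({f.src for f in findings}),
    }


# Constructed sample log lines (not real traffic). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for the internet.
SAMPLE_LOG = """\
2025-12-17T09:58:11Z src=10.10.4.21 dst=192.0.2.10 dport=443 proto=tcp action=ACCEPT
2025-12-17T09:59:02Z src=203.0.113.45 dst=192.0.2.10 dport=443 proto=tcp action=ACCEPT
2025-12-17T09:59:40Z src=203.0.113.45 dst=192.0.2.10 dport=25 proto=tcp action=ACCEPT
2025-12-17T10:00:13Z src=198.51.100.7 dst=192.0.2.10 dport=8443 proto=tcp action=DROP
2025-12-17T10:01:55Z src=192.168.50.9 dst=192.0.2.10 dport=8443 proto=tcp action=ACCEPT
this line is malformed and should be skipped
"""

if __name__ == "__main__":
    found = audit_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.timestamp} {f.src} -> {f.service} (port {f.dport}) {f.action}")
    print(exposure_summary(found))
```

On the constructed sample, the SMTP connection on port 25 from the internet is ignored (mail delivery is the appliance's job), the two connections from trusted networks pass, and the two management-port connections from documentation-range addresses are flagged: one accepted, which means the web management UI is exposed and the recovery procedure applies, and one dropped, which shows the allowlist working as intended.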