
Cisco customers are currently facing a new series of attacks from a Chinese threat group. This group has been actively exploiting a critical zero-day vulnerability in Cisco’s email and web security software since at least late November, as detailed in a recent advisory.
Cisco became aware of these attacks on December 10. The vulnerability, identified as CVE-2025-20393, carries a CVSS rating of 10. It is an improper input validation flaw within Cisco AsyncOS software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. This flaw enables attackers to execute commands with unrestricted privileges and install persistent backdoors on affected devices.
A patch for this vulnerability is not yet available, and Cisco has not provided a timeline for its release. Cisco noted that “non-standard configurations” were observed in compromised networks, specifically customer systems configured with a publicly exposed spam quarantine feature.
Cisco Talos researchers have attributed these attacks to a Chinese advanced persistent threat (APT) group tracked as UAT-9686. The group’s tools and infrastructure are consistent with those used by other China state-sponsored threat groups, such as APT41 and UNC5174.
Cisco did not disclose the number of customers affected by these attacks. The company advises customers to consult its advisory for guidance on determining exposure and implementing mitigation steps, including isolating or rebuilding affected systems.
The spam quarantine feature is not enabled by default; it must be both enabled and exposed to the internet for the vulnerability to be exploited. The Cybersecurity and Infrastructure Security Agency (CISA) added this zero-day to its known exploited vulnerabilities catalog.
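Because the stated precondition is a configuration state (spam quarantine enabled and reachable from the internet) rather than a software version alone, the first thing a defender wants is a quick exposure triage across an appliance inventory. The script below is an added example written for this article; it is not Cisco's code and is not taken from the advisory. It assumes the end-user spam quarantine listens on TCP 82 (HTTP) and 83 (HTTPS), which are the documented defaults for Cisco Secure Email Gateway but may have been changed locally, and the hostnames in the sample inventory are constructed placeholders. The probe function is injectable so the logic can be exercised offline; in real use, run it from a vantage point outside your perimeter, since an internal probe says nothing about public exposure.

```python
"""Exposure triage for the spam-quarantine precondition described above.

Added example, not Cisco's code or part of the advisory.
Assumptions (labelled): default quarantine ports 82/83; hostnames are constructed.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

# Assumption: default end-user spam quarantine ports on Cisco Secure Email Gateway.
DEFAULT_QUARANTINE_PORTS: Tuple[int, ...] = (82, 83)


@dataclass
class Appliance:
    name: str
    host: str
    quarantine_enabled: bool  # from the appliance config, not inferred from the network


def default_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port succeeds from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(
    appliances: Iterable[Appliance],
    ports: Tuple[int, ...] = DEFAULT_QUARANTINE_PORTS,
    probe: Callable[[str, int], bool] = default_probe,
) -> Dict[str, Tuple[str, List[int]]]:
    """Classify each appliance against the advisory's precondition.

    exposed               : quarantine enabled and at least one quarantine port reachable.
                            Treat as in scope for the advisory's guidance (assess, isolate or rebuild);
                            a clean probe today does not prove the device was never reached earlier.
    enabled-not-reachable : quarantine enabled but not reachable from this vantage point.
                            Re-check from a genuinely external vantage point before closing it out.
    not-enabled           : quarantine disabled; the stated precondition is not met.
    """
    results: Dict[str, Tuple[str, List[int]]] = {}
    for appliance in appliances:
        if not appliance.quarantine_enabled:
            results[appliance.name] = ("not-enabled", [])
            continue
        open_ports = [p for p in ports if probe(appliance.host, p)]
        status = "exposed" if open_ports else "enabled-not-reachable"
        results[appliance.name] = (status, open_ports)
    return results


# Constructed sample inventory (placeholder hostnames, not real devices).
SAMPLE_INVENTORY = [
    Appliance("edge", "esa-edge.example.test", quarantine_enabled=True),
    Appliance("internal", "esa-int.example.test", quarantine_enabled=True),
    Appliance("lab", "esa-lab.example.test", quarantine_enabled=False),
]


def offline_probe(host: str, port: int) -> bool:
    """Constructed stand-in for default_probe so the example runs without network access."""
    return host == "esa-edge.example.test" and port == 83


if __name__ == "__main__":
    # Swap offline_probe for default_probe when running from an external vantage point.
    for name, (status, open_ports) in triage(SAMPLE_INVENTORY, probe=offline_probe).items():
        print(f"{name:10s} {status:22s} open={open_ports}")
```

The `quarantine_enabled` flag comes from the appliance configuration, not from the scan; an appliance that does not answer on 82/83 may still have the quarantine enabled behind a non-default port or an upstream filter, which is why "enabled-not-reachable" is a follow-up item rather than a clean bill of health.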
Douglas McKee, director of vulnerability intelligence at Rapid7, commented that highlighting non-standard configurations provides relevant technical detail for defenders to assess exploitation likelihood. However, he emphasized that the core issue remains a vendor’s responsibility to fix, as secure design should account for edge cases.
Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, suggested that the specific configurations required for exploitation indicate targeted attacks. The number of Cisco customers who have enabled and exposed the spam quarantine feature to the internet remains unknown.
Chinese threat groups have a history of exploiting Cisco vulnerabilities. These latest attacks follow a widespread campaign involving actively exploited zero-day vulnerabilities affecting Cisco firewalls.
Federal cyber authorities issued an emergency directive in September concerning the earlier firewall attacks, which impacted several government agencies in May. At that time, CISA and Cisco did not fully explain the four-month delay between the initial response to the attacks and the disclosure, patching of zero-days, and issuance of the emergency directive.
A Cisco spokesperson stated that there is no evidence linking the current attacks to the earlier incidents this year. Cisco had attributed the previous attacks to the same threat group responsible for an early 2024 campaign targeting Cisco devices, which was named “ArcaneDoor.”

