Cisco customers are facing a new campaign of cyberattacks by a Chinese threat group exploiting a critical zero-day vulnerability in the company’s email and web security software. The vulnerability, which has been actively exploited since at least late November, allows attackers to gain unrestricted command execution and establish persistent backdoors on affected devices.
Cisco disclosed the issue in an advisory Wednesday, stating it became aware of the attacks on December 10. The vulnerability, tracked as CVE-2025-20393, carries the maximum CVSS base score of 10.0. It affects the Cisco AsyncOS software that runs Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.
Exploitation of Cisco Zero-Day Vulnerability
The flaw is an improper input validation bug in the affected Cisco AsyncOS software. An attacker who can reach the vulnerable component can use it to bypass the appliance's security controls and execute arbitrary commands with the highest level of privilege on the device. The attackers have used that access to implant persistent backdoors, retaining control of the targeted appliances even after the initial exploitation.
Details of the Vulnerability and Exploitation
Cisco has indicated that exploitation of this zero-day appears to depend on a specific, non-default configuration in the customer environment: the compromised systems observed so far had the end-user spam quarantine exposed to the public Internet. That feature is not enabled by default, which suggests the threat actors are selecting targets rather than scanning indiscriminately.
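The practical question for a defender reading the above is which appliances in the fleet match the risky configuration. The following is an added example, not Cisco code and not part of the original article: a small triage script that takes an inventory of AsyncOS interfaces (a hypothetical export format; the field names, hostnames and addresses are all constructed here) and flags every appliance whose spam quarantine is enabled on an interface outside the organization's internal address ranges. The default quarantine ports of 82 (HTTP) and 83 (HTTPS) are an assumption; check them against your own configuration.

```python
"""Triage helper: flag AsyncOS appliances whose end-user spam quarantine is
bound to an interface that is not in a known-internal address range.

Added example, not Cisco code.  The inventory format is a hypothetical export
an operator would assemble from each appliance's interface and quarantine
settings; every field name and value below is constructed for illustration.
"""

import ipaddress

# Constructed sample inventory (hypothetical format and values).
# Ports 82/83 are assumed to be the HTTP/HTTPS quarantine defaults.
INVENTORY = [
    {"host": "esa-1.example.test", "interface": "Management", "ip": "10.20.0.11",
     "spam_quarantine": True, "port": 83},
    {"host": "esa-2.example.test", "interface": "Data1", "ip": "203.0.113.25",
     "spam_quarantine": True, "port": 83},
    {"host": "esa-3.example.test", "interface": "Data1", "ip": "198.51.100.7",
     "spam_quarantine": False, "port": None},
    {"host": "sma-1.example.test", "interface": "Data2", "ip": "2001:db8::44",
     "spam_quarantine": True, "port": 82},
]

# Address space the organisation treats as internal.  An explicit list is
# used instead of ipaddress.is_global because the RFC 5737 / RFC 3849
# documentation addresses used as stand-ins for public IPs above would be
# reported as non-global.  Extend this with your own assigned ranges.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # CGNAT, RFC 6598
    "127.0.0.0/8", "::1/128",                           # loopback
    "169.254.0.0/16", "fe80::/10",                      # link-local
    "fc00::/7",                                         # IPv6 unique local
)]


def is_internal(ip: str) -> bool:
    """True if the address falls inside any configured internal range.
    Membership tests across IPv4/IPv6 are simply False, so mixing is safe."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def triage(inventory):
    """Classify each interface record.

    EXPOSED               quarantine enabled on a non-internal address
    internal-verify-nat   quarantine enabled on an internal address; still
                          confirm no NAT/firewall rule publishes it
    quarantine-disabled   nothing to do for this interface
    """
    findings = []
    for rec in inventory:
        if not rec["spam_quarantine"]:
            status = "quarantine-disabled"
        elif is_internal(rec["ip"]):
            status = "internal-verify-nat"
        else:
            status = "EXPOSED"
        findings.append({"host": rec["host"], "interface": rec["interface"],
                         "ip": rec["ip"], "port": rec["port"], "status": status})
    return findings


def exposed_hosts(inventory):
    """Sorted hostnames whose quarantine is reachable from outside."""
    return sorted(f["host"] for f in triage(inventory) if f["status"] == "EXPOSED")


if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f['status']:<22} {f['host']:<22} {f['interface']:<11} "
              f"{f['ip']}:{f['port']}")
```

An internal address in the inventory is not proof of non-exposure: a NAT or firewall rule can publish a quarantine bound to an RFC 1918 interface, which is why those records are marked for verification rather than cleared. Pair this inventory pass with a probe of the quarantine ports from an external vantage point before treating an appliance as out of scope.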
Cisco Talos, the company’s threat intelligence arm, has attributed the attacks to a Chinese advanced persistent threat group designated as UAT-9686. The tooling and infrastructure used by UAT-9686 are consistent with those employed by other China-sponsored threat collectives, such as APT41 and UNC5174, according to Talos researchers.
Currently, no patch is available for the vulnerability, and Cisco has not provided a timeline for when a fix will be released. The company has advised customers to consult its advisory for guidance on identifying potential exposure and implementing mitigation strategies. These steps may include isolating or rebuilding affected systems to contain the threat.
The Cybersecurity and Infrastructure Security Agency (CISA) added the zero-day vulnerability to its catalog of known exploited vulnerabilities on Thursday, underscoring its immediate threat to critical infrastructure and government entities.
Experts note that while the need for specific configurations might suggest targeted attacks, the responsibility for addressing software flaws lies with the vendor. Douglas McKee, director of vulnerability intelligence at Rapid7, stated that “the core issue doesn’t change. The software fails under certain conditions, and that’s on the vendor to fix.” He emphasized that secure design principles should encompass “edge cases,” even those that are difficult to foresee, rather than shifting blame when they are exploited.
Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, shared similar sentiments, suggesting that the reliance on non-standard configurations indicates a tailored approach to victim selection. However, the exact number of Cisco customers utilizing the publicly exposed spam quarantine feature remains unknown.
Historical Context and Future Implications
This incident is not the first time Chinese threat groups have targeted Cisco products. In recent history, a series of widespread attacks involved actively exploited zero-day vulnerabilities affecting Cisco firewalls. Federal cyber authorities issued an emergency directive in September concerning those attacks, which had already compromised multiple government agencies by May.
In contrast to the previous firewall incidents, a Cisco spokesperson stated there is currently no evidence linking the recent email and web security attacks to the earlier firewall compromises. The earlier attacks were attributed to the actor behind the "ArcaneDoor" campaign, which also targeted Cisco devices in early 2024.
Cisco has not disclosed the number of customers impacted by the current zero-day. The company’s advisory provides guidance for detection and remediation, but the lack of an immediate patch leaves systems vulnerable. Organizations should closely monitor Cisco’s security advisories for updates regarding a potential fix and any further technical details regarding the exploitation of this critical vulnerability.