Cisco Zero-Day Exploited by Chinese Hackers: Critical 10.0 Score Vulnerability
Chinese Hackers Exploit Critical Cisco Zero-Day Flaw

Cisco Systems has issued an urgent security alert after confirming that hackers linked to the Chinese state are actively attacking a severe, previously unknown flaw in its email security appliances. This critical vulnerability allows attackers to gain complete control over affected systems.

Critical Flaw with Maximum Severity Score

The security hole, identified as CVE-2025-20393, has received the maximum possible severity rating of 10.0 on the CVSS scale. It affects Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances running AsyncOS software. Cisco's threat intelligence team, Talos, discovered the active attack campaign on December 10, 2025, but evidence points to malicious activity starting from at least late November 2025.

According to Cisco Talos, the campaign is being carried out by a threat actor tracked as UAT-9686. The company assesses with moderate confidence that this group is an advanced persistent threat (APT) with links to China. The hackers have used the vulnerability to deploy custom malware, including a tool called AquaShell. This Python-based backdoor provides them with persistent, long-term access to the compromised networks.

No Patch Available, Complete Rebuild Recommended

The situation is exacerbated by the fact that no software patch is currently available for this zero-day vulnerability. The flaw is exploitable only on appliances that have the Spam Quarantine feature enabled and exposed directly to the internet. While this configuration is not the default and is discouraged in Cisco's deployment guides, organizations running it are now at extreme risk.

Cisco's advisory is stark in its guidance: for systems already compromised, rebuilding the appliance is currently the only sure way to remove the attackers' access. The company is developing a permanent fix but has not announced when it will be ready. In the meantime, it strongly advises all customers to implement several hardening measures immediately:

  • Restrict access to the appliances only to trusted hosts.
  • Use firewalls or other filtering devices in front of them.
  • Separate mail processing and management functions onto different network interfaces.
  • Disable unnecessary network services like HTTP and FTP.

The attackers' toolkit is sophisticated. Beyond AquaShell, they use AquaTunnel for creating reverse SSH connections, Chisel for tunneling traffic to pivot into internal networks, and AquaPurge to clean traces from log files and cover their tracks.
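Because the toolkit includes a log cleaner, one check a defender wants is whether the logs still on the appliance match a copy shipped off the box to a syslog collector. The script below is an added example, not code from Cisco or Talos; the log lines are constructed in a generic syslog-like format and are not real AsyncOS output, and the gap threshold is an assumption to tune per site.

```python
import re
from datetime import datetime

# Constructed syslog-style log lines (not real AsyncOS output). REMOTE_COPY stands for the
# copy forwarded to an off-box collector; LOCAL_COPY is the on-box file with the three
# admin-session entries removed, standing in for the kind of log scrubbing described above.
REMOTE_COPY = """\
Dec 09 08:00:01 esa01 mail_logs: Info: New SMTP ICID 1001 interface Data1
Dec 09 08:00:07 esa01 mail_logs: Info: MID 5001 queued for delivery
Dec 09 08:01:12 esa01 mail_logs: Info: ICID 1001 close
Dec 09 08:20:15 esa01 gui_logs: Info: user admin logged in from 203.0.113.7
Dec 09 08:35:20 esa01 gui_logs: Info: user admin session active
Dec 09 08:55:44 esa01 gui_logs: Info: user admin logged out
Dec 09 09:10:03 esa01 mail_logs: Info: New SMTP ICID 1002 interface Data1
"""
LOCAL_COPY = "\n".join(l for l in REMOTE_COPY.splitlines() if "gui_logs" not in l) + "\n"

TS_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) ")

def parse_ts(line, year=2025):
    """Syslog timestamps carry no year, so the caller supplies it (assumed 2025 here)."""
    m = TS_RE.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None

def find_gaps(text, max_gap_seconds=1800):
    """Flag silent stretches longer than max_gap_seconds and timestamps that run backwards.
    Returns (line_no, kind, seconds) tuples. A gap alone is a lead, not proof of tampering;
    low-traffic hosts go quiet naturally, which is why the off-box comparison below matters."""
    findings, prev = [], None
    for n, line in enumerate(text.splitlines(), 1):
        ts = parse_ts(line)
        if ts is None:
            continue
        if prev is not None:
            delta = int((ts - prev).total_seconds())
            if delta > max_gap_seconds:
                findings.append((n, "gap", delta))
            elif delta < 0:
                findings.append((n, "out_of_order", -delta))
        prev = ts
    return findings

def missing_locally(remote_text, local_text):
    """Entries present in the off-box copy but absent from the appliance's own file:
    the strongest on-box evidence that log cleanup has taken place."""
    local = set(local_text.splitlines())
    return [l for l in remote_text.splitlines() if l not in local]

if __name__ == "__main__":
    print("gaps on box:", find_gaps(LOCAL_COPY))
    print("entries missing on box:", missing_locally(REMOTE_COPY, LOCAL_COPY))
```

The comparison only works if logs were already being forwarded before the intrusion, so off-box log shipping is itself part of the hardening.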

US Government Mandates Action, Impact on Indian Organizations

The severity of the threat has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2025-20393 to its Known Exploited Vulnerabilities catalog. It has instructed federal agencies to apply mitigations by December 24, 2025. However, without a patch, options are limited.

Security experts note that these affected Cisco products are widely used by large enterprises and institutions globally, including potentially in India. Michael Taggart, a senior cybersecurity researcher at UCLA Health Sciences, stated that the specific configuration needed for exploitation does limit the attack surface, but the threat remains critical for vulnerable systems.

Cisco has blocked all known indicators of compromise (such as malicious IP addresses and file hashes) across its security products and has published them on GitHub for wider community use. The company urges organizations to check whether their appliances have the vulnerable Spam Quarantine setting enabled and are internet-facing, and to contact Cisco's Technical Assistance Center for help verifying a compromise.