A critical Cisco vulnerability is letting China spy on email systems

A critical Cisco vulnerability for which no patch is yet available is being actively exploited by suspected China-aligned hackers to quietly seize control of internet-exposed email security appliances.
Cisco’s Talos researchers say they’re tracking a new wave of cyber-espionage activity that bears the fingerprints of China’s state-aligned hackers.
The attackers are exploiting a critical vulnerability, tracked as CVE-2025-20393, in widely deployed Cisco email security products.
The threat actor, which Talos tracks as UAT-9686, is using the flaw to gain unauthorized access and to deploy custom malware built for persistent access to, and control of, the compromised devices.
Talos assesses with moderate confidence that UAT-9686 operates within China's state-aligned hacking ecosystem, based on overlaps in tactics, techniques, and procedures (TTPs), shared infrastructure, and targeting patterns that mirror those of other Chinese-nexus groups already under observation.
Talos also observed the use of AquaTunnel, also known as ReverseSSH, a backdoor previously associated with well-known Chinese threat groups, including APT41 and UNC5174. Reuse of this malware suggests either shared development resources or a common tool supply chain across multiple operations, although shared tooling on its own is weak attribution evidence, which is why the assessment also rests on the infrastructure and targeting overlaps.
The campaign is targeting a limited subset of appliances running Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager that have certain ports exposed to the internet.
Cisco has not disclosed how many customers are affected, and no patch is currently available, so reducing exposure is the only mitigation on offer.
In its security advisory, Cisco urges organizations to take immediate action to secure appliances that are exposed to the internet, especially where the web management interface or the Spam Quarantine port is reachable from untrusted networks.
Where those ports have been exposed, Cisco strongly recommends following its multi-step recovery process to secure the affected appliance, which includes reviewing the configuration and removing any unauthorized changes. An exposed appliance that still appears to work normally should go through the same review.
Beyond cleanup, Cisco emphasizes prevention: access to management interfaces should be strictly restricted and never left open to the public internet.
Organizations are advised to enforce this with robust access controls, such as IP allowlists and network segmentation, and to limit administrative access to trusted internal networks only.
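The precondition Cisco names is reachability of the management interface or Spam Quarantine port from an untrusted network, and that is something an operator can verify directly. The following script is an added example for this article, not code from Cisco or Talos: run from an untrusted vantage point (for instance a host outside the corporate network), it attempts a TCP connection to each management and quarantine port on the appliance and reports which ones answer. The port numbers are the AsyncOS defaults assumed here (web UI on 80/443, Spam Quarantine on 82/83); the article itself names no ports, so confirm them against your own appliance's listener configuration. The loopback self-check stands up a constructed listener so the tool can be exercised offline.

```python
"""Check whether an AsyncOS appliance answers on its management or
Spam Quarantine ports from wherever this script runs.

Added example, not Cisco's or Talos's code. Port numbers are the
AsyncOS defaults assumed here (web UI 80/443, Spam Quarantine 82/83);
verify them against your appliance. Run it from an UNTRUSTED vantage
point: every port it reports "open" is exposure the advisory says to
close. It checks reachability only; it cannot tell whether the device
has already been exploited.
"""
import errno
import socket
import sys
from dataclasses import dataclass

# Assumed AsyncOS default listeners (not stated in the article).
DEFAULT_LISTENERS = {
    80: "web management interface (HTTP)",
    443: "web management interface (HTTPS)",
    82: "Spam Quarantine portal (HTTP)",
    83: "Spam Quarantine portal (HTTPS)",
}


@dataclass(frozen=True)
class ProbeResult:
    host: str
    port: int
    role: str
    state: str  # "open", "closed" or "filtered"


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """TCP connect probe: "open" if the handshake completes, "closed" if
    the host actively refuses (RST), otherwise "filtered" (dropped or
    timed out, which is what a correct firewall rule looks like)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            err = sock.connect_ex((host, port))
        except OSError:  # DNS failure, no route, timeout raised as error
            return "filtered"
    if err == 0:
        return "open"
    if err == errno.ECONNREFUSED:
        return "closed"
    return "filtered"


def probe_host(host: str, listeners=None, timeout: float = 2.0):
    """Probe every management/quarantine port on one host."""
    listeners = listeners or DEFAULT_LISTENERS
    return [ProbeResult(host, port, role, probe_port(host, port, timeout))
            for port, role in listeners.items()]


def exposed(results):
    """Results that are reachable from this vantage point, i.e. exposure."""
    return [r for r in results if r.state == "open"]


def loopback_self_check():
    """Offline demonstration. A constructed listener on an ephemeral
    loopback port stands in for an exposed appliance and must probe as
    "open"; a port that was just bound and released must probe as
    "closed", since loopback answers with a RST."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    listeners = {open_port: "constructed exposed listener",
                 closed_port: "constructed closed port"}
    try:
        return probe_host("127.0.0.1", listeners)
    finally:
        srv.close()


if __name__ == "__main__":
    hosts = sys.argv[1:]
    if hosts:
        results = [r for h in hosts for r in probe_host(h)]
    else:
        results = loopback_self_check()
    for r in results:
        print(f"{r.host}:{r.port:<5} {r.state:<8} {r.role}")
    # Non-zero exit when anything is reachable, so this can gate a CI check.
    sys.exit(1 if exposed(results) else 0)
```

Invoke it as `python3 probe_asyncos.py mail-gateway.example.org` (a hypothetical hostname) from outside the trusted management network; with no arguments it runs the loopback self-check. A "filtered" result is the desired outcome for every management and quarantine port from the outside, whereas "open" means the allowlist or segmentation Cisco calls for is not in place. A clean result today says nothing about what happened while the port was exposed; an appliance that was reachable still needs the configuration review Cisco describes.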