The Cisco incident tied to CVE-2025-20393 is a case of confirmed, ongoing exploitation rather than a theoretical vulnerability disclosure. The flaw affects Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances running AsyncOS and allows an unauthenticated remote attacker to execute arbitrary commands as root on the underlying operating system. Evidence collected during multiple incident response engagements shows exploitation active since at least late November 2025, with the attackers demonstrating persistence and operational discipline rather than opportunistic scanning behavior.
Cisco became aware of the activity on December 10 while resolving a Technical Assistance Center case. What initially appeared to be an isolated support issue escalated once forensic review uncovered unauthorized access artifacts and covert persistence mechanisms on the affected appliances. That finding turned the case from a configuration concern into an active intrusion investigation and prompted coordinated disclosure.
The activity has been attributed with moderate confidence to a China-linked threat actor based on tooling choices, infrastructure overlap, and operational tradecraft. While attribution remains cautious, the campaign fits a broader pattern of China-linked intrusions that prioritize network edge infrastructure over traditional endpoint compromise. The logic is straightforward: a compromised security appliance offers privileged and durable access into an enterprise environment with far less visibility than a user workstation or server.
Security appliances increasingly represent high-value targets. They sit at trusted network boundaries, inspect sensitive traffic, and often operate with elevated permissions. When compromised, they allow attackers to bypass many of the controls organizations rely on to detect lateral movement or command execution. In this campaign, the appliance itself becomes the operational platform rather than merely a stepping stone.
Understanding CVE-2025-20393 in Practical Terms
CVE-2025-20393 is classified as a critical improper input validation vulnerability within Cisco AsyncOS. Successful exploitation allows an attacker to issue arbitrary operating system commands with root-level privileges, effectively granting full control over the affected appliance. The vulnerability applies to both physical and virtual deployments of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager and affects all supported AsyncOS versions when specific conditions are met.
The attack surface is exposed when the Spam Quarantine feature is enabled and reachable from the public internet. The feature is not enabled by default, but it is commonly turned on in enterprise environments so that end users can manage their own quarantined messages and administrators can oversee spam handling. Exposing that interface externally places unauthenticated, attacker-controlled input on a path into the application logic, which is the path the vulnerability lets an attacker abuse.
Cisco has confirmed that all AsyncOS releases are affected under these conditions. Devices that are part of Cisco Secure Email Cloud are not affected, and Cisco Secure Web products have not shown signs of exploitation related to this campaign. The distinction matters because it shows that exposure is driven by configuration rather than software version alone: an appliance on any release is exploitable only if the Spam Quarantine interface is reachable from the internet.
How the Exploitation Was Discovered
Unlike mass exploitation campaigns driven by automated scanning, this activity was uncovered through targeted investigation. Cisco identified the campaign while resolving a customer support case, which led to deeper forensic analysis of the affected appliance. That analysis revealed evidence of unauthorized command execution and modifications inconsistent with normal system operation.
Further investigation showed that the activity had been ongoing for weeks prior to discovery. The attackers did not attempt to exploit every exposed device indiscriminately. Instead, they focused on a limited subset of appliances with specific configurations exposed to the internet. This selective targeting suggests reconnaissance and prioritization rather than opportunistic exploitation.
Such behavior is consistent with China-linked campaigns against edge infrastructure observed in recent years. Rather than seeking immediate disruption, these operations emphasize stealth, persistence, and long-term access. The goal is not to trigger alerts but to establish a stable presence inside environments of interest.
Threat Actor Attribution and Strategic Context
Cisco Talos attributed the activity to a threat actor tracked as UAT-9686, assessing with moderate confidence that the campaign is linked to a Chinese-nexus advanced persistent threat. The assessment is based on overlaps in tooling, infrastructure, and operational behavior with other Chinese state-aligned groups previously observed targeting network infrastructure and security appliances.
The tooling deployed during the campaign reflects a level of customization and operational awareness typically associated with well-resourced actors. Rather than deploying commodity malware, the attackers used lightweight, environment-specific implants designed to blend into the AsyncOS ecosystem. This approach reduces the likelihood of detection and increases the durability of access.
The campaign fits a broader trend in which China-linked operations increasingly target devices that sit outside traditional endpoint detection coverage. Firewalls, email gateways, VPN concentrators, and management appliances give attackers privileged vantage points that are often under-monitored and assumed to be trustworthy.
Persistence Through AquaShell
At the core of the campaign is a custom Python-based backdoor tracked as AquaShell. Instead of introducing a new executable or service, AquaShell is injected into an existing Python file in the appliance's end-user quarantine web interface, "/data/web/euq_webui/htdocs/index.py", so the malicious logic runs as part of normal request handling for that page.
AquaShell waits for unauthenticated HTTP POST requests to that page that carry specially crafted data. When one arrives, the backdoor decodes the payload with a custom routine layered on Base64 decoding and passes the result to the system shell. Because every interaction is initiated by the attacker over the already exposed web interface, the implant needs no persistent outbound connection of its own, which removes one of the more common network indicators defenders look for.
Embedding the backdoor into an existing file reflects a clear understanding of the appliance environment. Security appliances running AsyncOS are not typically subject to the same file integrity monitoring applied to general-purpose servers. By modifying a legitimate component rather than adding a new artifact, the attackers increase the likelihood that their presence remains undetected.
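A check a responder would want at this point is a file-integrity comparison of the web UI directory against a known-good baseline. The Python below is an added example, not Cisco or Talos code: it hashes every file under a directory, diffs the result against a stored baseline, and reports added, removed and modified files. The demo runs against a constructed temporary tree that stands in for /data/web/euq_webui/htdocs; the file contents and the "tampering" are invented for illustration, and a real baseline would come from a clean install of the same AsyncOS release and be stored off-box.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Location the article names for the AquaShell implant. A forensic baseline
# check hashes this tree on a clean appliance of the same release, stores the
# result off-box, and re-hashes suspect appliances against it.
WEBUI_DIR = "/data/web/euq_webui/htdocs"


def hash_tree(root: str) -> dict[str, str]:
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root_path = Path(root)
    digests: dict[str, str] = {}
    for path in sorted(p for p in root_path.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root_path).as_posix()] = h.hexdigest()
    return digests


def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift between a known-good baseline and the current tree.

    'modified' is the bucket that matters for this campaign: the implant was
    added to an existing file, so a check that only looks for new files misses it."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario in a temp dir standing in for WEBUI_DIR."""
    with tempfile.TemporaryDirectory() as tmp:
        webui = Path(tmp) / "euq_webui" / "htdocs"
        webui.mkdir(parents=True)
        # Constructed placeholder contents; not the real AsyncOS sources.
        (webui / "index.py").write_text("def handler(req):\n    return render(req)\n")
        (webui / "login.py").write_text("def login(req):\n    return check(req)\n")
        baseline = hash_tree(str(webui))

        # Mimic the technique: append logic to a legitimate file instead of
        # dropping a new one. The appended text is a constructed marker only.
        with (webui / "index.py").open("a") as fh:
            fh.write("# constructed stand-in for injected request handler\n")
        (webui / "static_helper.py").write_text("# constructed new artifact\n")

        return diff_baseline(baseline, hash_tree(str(webui)))


if __name__ == "__main__":
    print(demo())  # {'added': ['static_helper.py'], 'removed': [], 'modified': ['index.py']}
```

On a real engagement, run hash_tree against a mounted forensic image rather than the live appliance, and compare against a baseline taken from the same AsyncOS build, since legitimate upgrades also change these files.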
Reducing Visibility With AquaPurge
To complicate detection and forensic analysis further, the attackers deployed a utility tracked as AquaPurge. Rather than disabling logging outright, AquaPurge selectively removes evidence: it uses standard system utilities such as egrep to filter out lines containing specific keywords and overwrites the original log with the sanitized version.
This approach avoids drawing attention that might result from missing logs or disabled services. Instead, it quietly removes indicators associated with malicious activity while preserving the appearance of normal operation. The presence of AquaPurge demonstrates deliberate anti-forensic intent rather than accidental log corruption.
Log manipulation has become a hallmark of sophisticated intrusion campaigns, particularly those linked to state-aligned actors. Its use in this incident reinforces the assessment that the activity represents a deliberate and well-planned operation rather than opportunistic exploitation.
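Selective deletion is only detectable if a second copy of the logs exists somewhere the attacker cannot reach, which is why forwarding appliance logs off-box matters. The Python below is an added example, not Cisco or Talos code: it models the keyword filtering the article describes (egrep -v style, with invented patterns since the real keyword list is not given here), then reconciles the appliance's local copy against what a collector received and classifies any gap as rotation lag or selective removal. The log lines are constructed in a syslog-like format for illustration and are not real AsyncOS output.

```python
import re
from collections import Counter

# Constructed sample of what an off-box collector received from the appliance.
# Syslog-like format for illustration only; these are not real AsyncOS lines.
FORWARDED_LOG = [
    "Dec 11 02:14:07 esa01 gui: user admin logged in from 10.0.5.12",
    "Dec 11 02:14:09 esa01 euq: POST /euq/index.py from 203.0.113.45",
    "Dec 11 02:14:09 esa01 euq: POST /euq/index.py from 203.0.113.45 status 200",
    "Dec 11 02:15:30 esa01 mail: delivered MID 4411 to user@example.com",
    "Dec 11 02:16:02 esa01 cli: admin ran showconfig",
    "Dec 11 02:20:44 esa01 euq: POST /euq/index.py from 203.0.113.45",
    "Dec 11 02:21:00 esa01 mail: delivered MID 4412 to ops@example.com",
]


def egrep_v_purge(lines, patterns):
    """Model of the anti-forensic step described above: keep every line that
    matches none of the attacker's patterns, drop the rest, write back in place.
    The patterns here are invented for the demo."""
    compiled = [re.compile(p) for p in patterns]
    return [line for line in lines if not any(c.search(line) for c in compiled)]


def find_purged(local, forwarded):
    """Return [(index_in_forwarded, line)] for lines the collector holds but the
    appliance's own copy no longer does. Counter keeps duplicate lines honest."""
    remaining = Counter(local)
    missing = []
    for idx, line in enumerate(forwarded):
        if remaining[line] > 0:
            remaining[line] -= 1
        else:
            missing.append((idx, line))
    return missing


def classify_gap(missing, forwarded_len):
    """Distinguish benign explanations from tampering.

    A gap that is exactly the tail of the forwarded copy is consistent with
    rotation or forwarding lag. Gaps interleaved with surviving lines mean
    specific records were removed while their neighbours were kept."""
    if not missing:
        return "consistent"
    indices = [i for i, _ in missing]
    if indices == list(range(forwarded_len - len(indices), forwarded_len)):
        return "tail_gap_rotation_or_lag"
    return "selective_removal"


def demo():
    local = egrep_v_purge(FORWARDED_LOG, [r"203\.0\.113\.45", r"index\.py"])
    missing = find_purged(local, FORWARDED_LOG)
    return {
        "kept_on_appliance": len(local),
        "received_by_collector": len(FORWARDED_LOG),
        "missing_lines": [line for _, line in missing],
        "verdict": classify_gap(missing, len(FORWARDED_LOG)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the classification step is that a missing tail is normal (rotation, a forwarder that is a few seconds behind), whereas records missing from the middle of an otherwise intact log, all sharing a source address or URL, are not.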
Maintaining Access With AquaTunnel
For interactive access, the attackers deployed AquaTunnel, a compiled Go-based binary derived from the open-source ReverseSSH project. AquaTunnel establishes a reverse SSH connection from the compromised appliance to an attacker-controlled server. This allows persistent remote access even when the appliance resides behind firewalls or network address translation.
By initiating outbound connections, AquaTunnel bypasses many inbound access controls and enables attackers to interact with the system as needed. This capability is particularly valuable on edge devices, which may not permit traditional inbound management access from external networks.
The use of AquaTunnel reflects an emphasis on reliability and long-term access. Rather than relying solely on command execution through the backdoor, the attackers ensured they had a stable channel for ongoing interaction with the compromised system.
Lateral Movement Potential Through Chisel
In addition to custom tooling, the attackers also deployed Chisel, an open-source tunneling utility capable of creating TCP and UDP tunnels over HTTP-based connections. Chisel allows attackers to proxy traffic through the compromised appliance and pivot into internal networks.
When installed on a security appliance that already has trusted connectivity to internal systems, Chisel can extend access beyond the appliance itself. This creates the potential for lateral movement into email infrastructure, directory services, or other internal assets that rely on the gateway for traffic inspection.
The combination of AquaTunnel and Chisel provides operational flexibility. Attackers can choose between maintaining a direct interactive session or establishing tunnels that allow deeper exploration of internal environments depending on network conditions and defensive controls.
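Both AquaTunnel and Chisel depend on connections the appliance itself initiates, so the network-side check is to examine outbound flows from the gateway rather than inbound access attempts. The Python below is an added example, not Cisco or Talos code and not a description of the actors' real infrastructure: over constructed flow records it flags outbound SSH to external hosts, long-lived external sessions on any port (Chisel rides HTTP, so an allowed port is no exoneration), and periodic reconnects to a single external host. The appliance address, internal ranges, allowlisted ports, and every IP are invented.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed environment; tune these to the real deployment.
APPLIANCE_IP = "10.0.5.20"                   # the gateway's own address
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_OUTBOUND_PORTS = {25, 53, 443}       # SMTP delivery, DNS, HTTPS for updates/feeds
LONG_LIVED_SECONDS = 3600


@dataclass(frozen=True)
class Flow:
    start: int      # epoch seconds
    src: str
    dst: str
    dport: int
    duration: int   # seconds
    bytes_out: int


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def suspicious_outbound(flows):
    """Return {external_dst: [reasons]} for appliance-initiated flows that look
    like a reverse tunnel rather than mail delivery or updates."""
    outbound = [f for f in flows if f.src == APPLIANCE_IP and is_external(f.dst)]
    hits = {}
    for f in outbound:
        reasons = set()
        if f.dport == 22:
            reasons.add("ssh-out")             # ReverseSSH-style channel
        if f.duration >= LONG_LIVED_SECONDS:
            reasons.add("long-lived")          # interactive session held open
        if f.dport not in EXPECTED_OUTBOUND_PORTS:
            reasons.add("unexpected-port")
        if reasons:
            hits.setdefault(f.dst, set()).update(reasons)

    # Reconnect cadence: three or more sessions to one host at near-constant
    # spacing. Catches an HTTP-port tunnel that the per-flow rules above pass.
    starts_by_dst = {}
    for f in sorted(outbound, key=lambda f: f.start):
        starts_by_dst.setdefault(f.dst, []).append(f.start)
    for dst, starts in starts_by_dst.items():
        if len(starts) >= 3:
            gaps = [b - a for a, b in zip(starts, starts[1:])]
            if max(gaps) - min(gaps) <= 0.1 * max(gaps):
                hits.setdefault(dst, set()).add("periodic-reconnect")
    return {dst: sorted(r) for dst, r in hits.items()}


# Constructed flow records; all external addresses are documentation ranges.
SAMPLE_FLOWS = [
    Flow(1000, APPLIANCE_IP, "198.51.100.10", 25, 12, 48_000),      # normal SMTP delivery
    Flow(1300, APPLIANCE_IP, "198.51.100.10", 25, 9, 31_000),
    Flow(1400, APPLIANCE_IP, "10.0.5.53", 53, 1, 120),              # internal DNS, ignored
    Flow(1500, APPLIANCE_IP, "198.51.100.200", 443, 20, 900_000),   # update download
    Flow(1600, APPLIANCE_IP, "203.0.113.45", 22, 7200, 2_400_000),  # reverse SSH held open
    Flow(1000, APPLIANCE_IP, "203.0.113.77", 443, 590, 50_000),     # HTTP tunnel, reconnects
    Flow(1600, APPLIANCE_IP, "203.0.113.77", 443, 590, 50_000),
    Flow(2200, APPLIANCE_IP, "203.0.113.77", 443, 590, 50_000),
]


def demo():
    return suspicious_outbound(SAMPLE_FLOWS)


if __name__ == "__main__":
    print(demo())
```

The cadence rule is what separates this from a port-based allowlist: the constructed 203.0.113.77 sessions use port 443 and are individually short, yet the steady reconnect interval still surfaces them, which is the pattern a tunnel that drops and re-establishes its control channel tends to leave.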
Indicators of Compromise and Detection Challenges
Cisco has published indicators of compromise associated with the campaign, including file hashes and IP addresses linked to attacker infrastructure. However, detecting compromise on these appliances remains challenging due to their specialized nature and limited telemetry.
The attackers’ decision to embed persistence mechanisms within legitimate application files complicates detection. Many organizations do not enable file integrity monitoring on security appliances, and log manipulation can obscure evidence of exploitation. As a result, compromise may persist undetected for extended periods.
Organizations that suspect exposure are advised to engage Cisco TAC and enable remote access to facilitate forensic analysis. In cases where compromise is confirmed, rebuilding the appliance is currently the only reliable method to fully remove the attackers’ persistence.
Mitigation, Regulatory Pressure, and Hardening
Cisco has stated that no workarounds mitigate the risk posed by CVE-2025-20393. As of this writing, no software fix has been announced and the vulnerability remains unpatched; the lack of immediate remediation has prompted escalation by federal authorities.
The Cybersecurity and Infrastructure Security Agency has added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog, requiring federal civilian agencies to remediate affected systems by December 24. While the directive applies specifically to federal agencies, CISA strongly urges all organizations to prioritize mitigation efforts.
Recommended steps include restricting internet access to the appliance's management interfaces, placing devices behind firewalls that admit only known and trusted hosts, separating mail and management traffic onto different network interfaces, and disabling unnecessary services such as HTTP and FTP. Administrators should also forward logs to an external collector, so that a copy survives any on-box tampering, and review historical access where possible.
In environments where compromise cannot be ruled out, rebuilding affected appliances should be considered a necessary remediation step rather than a last resort.
What This Means for Enterprise Security
The exploitation of CVE-2025-20393 shows that attackers are deliberately targeting security appliances that sit at trusted network boundaries. These devices operate with elevated privileges, inspect sensitive traffic, and often maintain persistent connections to internal systems. Despite this, they are frequently monitored less aggressively than traditional servers or endpoints.
China-linked campaigns have repeatedly shown that compromising defensive infrastructure provides durable, high-value access. When attackers gain control of email gateways or management appliances, they inherit the trust those systems already hold. That lets them observe traffic flows, issue commands, and maintain access without relying on malware that would typically be flagged on user systems.
This activity reinforces the need for organizations to treat security appliances as critical systems rather than passive tools. Email gateways, firewalls, and management appliances should be included in routine monitoring, segmented from unnecessary network access, and rebuilt rather than reset when compromise is suspected. Trust in defensive technology must be based on continuous verification, not assumption.

