Cisco Addresses Critical Security Flaw Targeted by Chinese Hackers

Cisco has patched a maximum-severity vulnerability in its Secure Email appliances that Chinese state-sponsored hackers had been exploiting for weeks before a fix was available.

Andrew Wallace


  • Cisco patches critical RCE flaw (CVE-2025-20393) in Secure Email appliances
  • Chinese state-sponsored groups exploited it for weeks using Aquashell and tunneling tools
  • Updates remove persistence mechanisms; extent of global compromise remains unknown

A critical vulnerability in Cisco's AsyncOS-based email security appliances has been patched after reportedly being exploited by Chinese state-sponsored hackers for several weeks.

In mid-December 2025, Cisco disclosed a remote code execution (RCE) vulnerability in AsyncOS, the operating system of its Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. The flaw is tracked as CVE-2025-20393 and carries the maximum CVSS score of 10.0.

According to Cisco, "This attack enables threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance." The investigation revealed that the attackers had implanted a persistence mechanism to maintain control over compromised appliances.

Cisco Finally Fixes the Issue

Shortly after the initial disclosure, further reports indicated that Chinese state-sponsored threat actors, tracked as UAT-9686, APT41, and UNC5174, had been exploiting the vulnerability since at least late November 2025.

One of these groups reportedly targeted Secure Email Gateway and Secure Email and Web Manager instances with Aquashell, a persistent Python-based backdoor, together with AquaTunnel (a reverse SSH tunnel) and AquaPurge (a log-clearing utility).

Cisco has now released fixed software. At the time of the initial disclosure it had offered only guidance on hardening network access to the appliances and had not committed to a date for a patch. The fixed releases also remove persistence mechanisms that may have been installed during the campaign.

Cisco strongly advises affected customers to upgrade to the appropriate fixed software release as detailed in the updated security advisory. Customers requiring assistance should contact the Cisco Technical Assistance Center.

Although the flaw was exploited for at least five weeks before a fix was available, the number of compromised appliances and affected organizations remains unknown. Because the attackers' toolset includes a log-clearing utility, the absence of evidence in an appliance's own logs does not by itself establish that the appliance was not compromised.

Via The Register
