Cisco confirmed active exploitation of a critical zero-day vulnerability (CVE-2025-20393) in its Secure Email Gateway appliances, which carries the maximum CVSS score of 10.0. Chinese threat actors tracked as UAT-9686, linked to APT41, have been exploiting the flaw since November 2025 to execute remote commands with root privileges.
The attackers deploy custom tools, including the AquaShell backdoor and AquaTunnel for network pivoting, primarily targeting telecommunications and critical infrastructure organizations for espionage. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by December 24, 2025.
Cisco released patches and urges immediate upgrades, as no workarounds exist and the affected appliances are internet-exposed.
Source: Cybersecurity News