Cisco customers hit by fresh wave of zero-day attacks from China-linked APT

Cisco customers are facing a new wave of cyberattacks targeting a severe zero-day vulnerability in the company’s email and web security software. The flaw, actively exploited since at least late November, has been linked to a China-based advanced persistent threat (APT) group, according to Cisco’s advisory released Wednesday.

The vulnerability, tracked as CVE-2025-20393, carries the maximum CVSS score of 10.0. It affects the Cisco AsyncOS software that runs Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances, allowing attackers to execute commands with unrestricted privileges and to implant persistent backdoors on compromised devices.

Cisco confirmed it became aware of attacks exploiting this flaw on December 10, 2025, but as of the advisory no patch had been released, and the company gave no timeline for when a fix would be available. Researchers noted that the observed attacks have primarily targeted devices in non-standard configurations, specifically those that expose the spam quarantine feature to the internet rather than keeping it reachable only from internal networks.

Cisco Talos attributed the attacks to a Chinese APT group tracked as UAT-9686, which employs tools and infrastructure similar to other state-sponsored groups, including APT41 and UNC5174. Cisco has not disclosed how many customers have been affected but advised organizations to review the advisory and take mitigation steps such as isolating or rebuilding compromised systems.

The Cybersecurity and Infrastructure Security Agency (CISA) added this zero-day to its known exploited vulnerabilities catalog on Thursday, highlighting the urgent risk to organizations running the affected Cisco software.

Douglas McKee, Director of Vulnerability Intelligence at Rapid7, emphasized that while the attacks target specific non-standard configurations, the root cause remains a critical software flaw. “Secure software design requires anticipating edge cases. Responsibility for the flaw ultimately lies with the vendor, not the user,” McKee said.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, noted that the attacks appear focused on the subset of customers who expose the spam quarantine feature. The scale of potential exposure remains uncertain.

This latest campaign is part of a pattern of Chinese threat actors exploiting Cisco vulnerabilities. It follows a series of attacks earlier this year that targeted Cisco firewalls and prompted a federal emergency directive in September. While Cisco states there is no evidence linking the current attacks to previous campaigns, the company previously traced similar attacks to a group responsible for the 2024 “ArcaneDoor” campaign against Cisco devices.

Customers are strongly advised to review their system configurations, implement network isolation for affected devices, and monitor Cisco’s advisories for updates on a forthcoming patch.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO