
Cisco Email Security Appliances Hacked via Unpatched Zero-Day

Summary

– A suspected Chinese-nexus threat actor has been compromising Cisco email security appliances since at least late November 2025 by exploiting an unpatched vulnerability (CVE-2025-20393) that allows unauthenticated, root-level command execution.
– The attackers targeted appliances with the Spam Quarantine feature exposed to the internet, installing a custom backdoor (AquaShell) and tools to purge logs and tunnel traffic for persistence and control.
– Cisco advises affected organizations to check their configuration, secure the exposed feature, and contact support; if compromised, rebuilding the appliance is currently the only way to fully remove the threat.
– The activity is attributed with moderate confidence to a threat group tracked as UAT-9686, which shares tactics, tools, and infrastructure with other known Chinese-nexus advanced persistent threat (APT) groups.
– The Spam Quarantine feature is not enabled by default, and Cisco is investigating the campaign while preparing a patch for the exploited vulnerability.

A sophisticated cyber espionage campaign has been targeting Cisco’s email security infrastructure, leveraging an unpatched zero-day vulnerability to gain complete control over affected devices. Security researchers at Cisco Talos have detailed an ongoing attack, active since at least late November, where threat actors compromise appliances to install a suite of stealthy backdoor and log-erasure tools. The attacks specifically exploit CVE-2025-20393, a critical flaw allowing unauthenticated, remote attackers to execute arbitrary commands with the highest system privileges. This vulnerability is present in Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances that have their Spam Quarantine feature exposed directly to the internet, a non-standard configuration.

Cisco’s investigation, initiated from a support case in early December, uncovered a toolkit designed for long-term access and stealth. Attackers used the vulnerability to install several malicious components. These include AquaShell, a custom Python-based backdoor; AquaPurge, a tool that scrubs specific keywords from log files to hide activity; and AquaTunnel, a reverse SSH backdoor. The actors also deployed Chisel, an open-source tunneling tool, to proxy their traffic and maintain a persistent foothold within corporate networks. The exact scale of the compromise remains unknown, but the tools indicate a focus on persistent, undetected access.

In response, Cisco has provided urgent guidance for organizations using these email security products. The company emphasizes that the vulnerable Spam Quarantine feature is not enabled by default and its associated port should never be internet-facing. For any appliance identified with this exposure, Cisco strongly recommends a multi-step process to restore a secure configuration. If a device is suspected of being compromised, administrators should contact Cisco’s Technical Assistance Center (TAC) for a remote assessment. Currently, the only guaranteed method to remove the attacker’s persistence mechanisms is to completely rebuild any compromised appliance from a known-clean source.
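One practical check a defender can run when assessing a suspected compromise: the article describes AquaPurge as scrubbing keyword-matching lines from the appliance's log files, but lines already forwarded to an off-box syslog/SIEM cannot be edited from the appliance, so lines present off-box and absent on-box are a tamper signal. The following is an added example, not code from the article or from Cisco; the log lines are constructed for illustration and the function names are this example's own.

```python
"""Detect on-box log tampering by diffing against an off-box copy.

Added example (not from the article or Cisco). Assumes the appliance's logs
were forwarded to a remote collector before any purge took place; the log
lines below are constructed samples, not real appliance output.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample: what the SIEM received earlier (the complete record).
SIEM_COPY = """\
Wed Dec  3 10:01:02 2025 Info: New SMTP ICID 1001 interface Data1
Wed Dec  3 10:01:05 2025 Info: Spam quarantine: released message 55 by admin
Wed Dec  3 10:01:09 2025 Warning: System: unexpected command execution in quarantine handler
Wed Dec  3 10:01:10 2025 Info: New SMTP ICID 1002 interface Data1
"""

# Constructed sample: what remains on the appliance after a keyword purge.
ONBOX_COPY = """\
Wed Dec  3 10:01:02 2025 Info: New SMTP ICID 1001 interface Data1
Wed Dec  3 10:01:05 2025 Info: Spam quarantine: released message 55 by admin
Wed Dec  3 10:01:10 2025 Info: New SMTP ICID 1002 interface Data1
"""


def normalize(line: str) -> str:
    """Collapse whitespace so cosmetic differences do not produce false diffs."""
    return re.sub(r"\s+", " ", line.strip())


def missing_on_box(siem_text: str, onbox_text: str) -> list[str]:
    """Return lines held by the SIEM that the appliance copy no longer contains.

    A multiset difference (Counter) is used so that one deleted line among
    otherwise identical repeats is still reported.
    """
    siem = Counter(normalize(l) for l in siem_text.splitlines() if l.strip())
    onbox = Counter(normalize(l) for l in onbox_text.splitlines() if l.strip())
    return sorted((siem - onbox).elements())


def tamper_report(siem_text: str, onbox_text: str) -> dict:
    """Summarise the comparison: tampered flag plus the lines that vanished."""
    gone = missing_on_box(siem_text, onbox_text)
    return {"tampered": bool(gone), "missing_lines": gone}


if __name__ == "__main__":
    print(tamper_report(SIEM_COPY, ONBOX_COPY))
```

The same comparison works against any log the appliance also ships off-box; an empty `missing_lines` only means nothing forwarded was removed, not that the box is clean.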

Analysis of the attack patterns points to a state-sponsored origin. Talos assesses with moderate confidence that the activity is conducted by a Chinese-nexus threat actor tracked as UAT-9686. Researchers note overlaps in tactics, techniques, and infrastructure with other known Chinese advanced persistent threat (APT) groups. The use of tools like AquaTunnel aligns with previous operations by groups such as APT41 and UNC5174. Furthermore, the deployment of a custom web-based implant like AquaShell is a tactic increasingly adopted by highly sophisticated Chinese-nexus APTs. Independent analysis suggests the attacking infrastructure may be linked to groups previously known for targeting Cisco ASA and Citrix NetScaler devices with similar backdooring and log-disabling malware.

While a formal patch for CVE-2025-20393 is under development, immediate action is critical. Organizations must verify the configuration of their Cisco email security appliances, ensure management interfaces and the Spam Quarantine port are not internet-accessible, and follow Cisco’s restoration guidance to mitigate this serious threat.

(Source: HelpNet Security)
