Cisco Zero-Day RCE in Secure Email Gateway Actively Exploited by China-Linked Threat Actor

Cisco has confirmed active exploitation of a critical zero-day vulnerability in its Secure Email Gateway and Secure Email and Web Manager appliances.

Tracked as CVE-2025-20393, the flaw carries a maximum CVSS score of 10.0 and allows unauthenticated attackers to execute arbitrary commands with root privileges via crafted HTTP requests.

Vulnerability Details

The vulnerability exists in the Spam Quarantine feature of Cisco AsyncOS Software due to insufficient validation of HTTP requests. Exploitation targets appliances where Spam Quarantine is enabled and exposed to the internet on port 6025 - a configuration not enabled by default.

CVE ID:      CVE-2025-20393
CVSS Score:  10.0
CWE:         CWE-20 (Improper Input Validation)
Bug IDs:     CSCws36549, CSCws52505

Cisco became aware of active attacks on December 10, 2025, with evidence of exploitation dating back to November 2025.

Threat Actor Attribution

Cisco Talos attributes the campaign to UAT-9686, a China-nexus APT group with tooling overlaps to APT41 and UNC5174.

The attackers deploy custom malware including:

  • AquaShell - Python-based backdoor for persistent remote access
  • AquaTunnel - Reverse SSH tunneling for internal pivoting
  • Chisel - Additional tunneling capability
  • AquaPurge - Log wiping tool for detection evasion

Targets include telecommunications and critical infrastructure sectors, with post-exploitation focused on espionage rather than ransomware.

CISA Response

CISA added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog on December 17, 2025, requiring federal agencies to patch by December 24, 2025.

No public proof-of-concept exists, but automated scanning activity has increased.

Affected Products and Patches

Cisco Secure Email Gateway:

Vulnerable Version    Fixed Release
14.2 and earlier      15.0.5-016
15.0                  15.0.5-016
15.5                  15.5.4-012
16.0                  16.0.4-016

Cisco Secure Email and Web Manager:

Vulnerable Version    Fixed Release
15.0 and earlier      15.0.2-007
15.5                  15.5.4-007
16.0                  16.0.4-010

No workarounds exist. Administrators should upgrade immediately.
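To turn the two fixed-release tables above into a repeatable inventory check, here is an added example (not Cisco tooling, and not code from the advisory) that parses AsyncOS version strings of the form "major.minor.patch-build", compares each appliance against the fixed release for its train, and flags anything below it. The product keys "SEG" and "SMA" and the inventory rows are constructed for the example.

```python
"""Triage AsyncOS appliance versions against the CVE-2025-20393 fixed releases.
Hypothetical helper; the fixed-release table is copied from the advisory above."""
import re
from typing import Dict, List, Tuple

# Fixed release per (major, minor) train, keyed by product (constructed keys:
# SEG = Secure Email Gateway, SMA = Secure Email and Web Manager).
FIXED_RELEASES: Dict[str, Dict[Tuple[int, int], str]] = {
    "SEG": {(15, 0): "15.0.5-016", (15, 5): "15.5.4-012", (16, 0): "16.0.4-016"},
    "SMA": {(15, 0): "15.0.2-007", (15, 5): "15.5.4-007", (16, 0): "16.0.4-010"},
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """'15.0.5-016' -> (15, 0, 5, 16); absent patch/build parts default to 0."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version: {version!r}")
    return tuple(int(g) if g else 0 for g in m.groups())  # type: ignore[return-value]


def patch_status(product: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one appliance."""
    v = parse_version(version)
    train = v[:2]
    fixed = FIXED_RELEASES[product]
    if train in fixed:
        return "patched" if v >= parse_version(fixed[train]) else "vulnerable"
    # Trains older than the earliest fixed train (e.g. SEG 14.2) have no fix
    # of their own and must be migrated to a fixed release.
    if train < min(fixed):
        return "vulnerable"
    return "unknown"  # newer train not covered by the advisory tables


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group (host, product, version) rows by patch status."""
    out: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, product, version in inventory:
        out[patch_status(product, version)].append(host)
    return out


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("esa-1", "SEG", "15.0.5-016"), ("esa-2", "SEG", "14.2.1-020"),
              ("sma-1", "SMA", "16.0.4-009"), ("sma-2", "SMA", "15.5.4-007")]
    for status, hosts in triage(sample).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```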

Recommendations

  • Verify whether Spam Quarantine is enabled via the web interface under Network > IP Interfaces
  • Firewall management interfaces so they are not exposed to the internet
  • Separate mail and management interfaces
  • Disable unnecessary services (HTTP/FTP)
  • Monitor logs on an external system, since the attackers wipe local logs
  • Contact Cisco TAC for a compromise assessment

Cisco Secure Email Cloud services are not affected.
