Cisco email security appliances hit by active zero-day attacks linked to China-based threat actors

Cisco has confirmed that multiple email security products are being actively targeted in a real-world zero-day attack campaign.

In a security advisory and follow-up blog post, Cisco said it detected suspicious activity on December 10 and later confirmed that exploitation likely began in late November 2025.

The attacks target Cisco AsyncOS Software used by Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The flaw allows attackers to execute system-level commands and maintain long-term access to compromised devices.

Critical vulnerability allows full system compromise

The vulnerability is tracked as CVE-2025-20393 and has been assigned a severity score of 10 out of 10, placing it in the most serious category.

According to Cisco, the attackers used the flaw to deploy a Python-based backdoor called Aquashell, which enables persistent remote control of the affected appliance.

Once inside, the attackers also deployed additional tools, including:

  • AquaTunnel, a reverse SSH tunneling tool
  • Chisel, used for traffic tunneling
  • AquaPurge, designed to erase logs and hide activity

These tools allow attackers to maintain access, move data covertly, and reduce the chances of detection.

Links to known advanced threat groups

Based on the tooling, infrastructure, and attack patterns, Cisco believes the activity involves at least two highly capable threat groups.

These are tracked internally as APT41 and UNC5174, both of which are widely associated with China-aligned cyber espionage activity.

The groups are known for abusing legitimate cloud services, breaching perimeter devices such as VPNs and firewalls, and targeting high-value infrastructure for long-term intelligence gathering.

CISA confirms exploitation in the wild

The vulnerability has now been added to the CISA Known Exploited Vulnerabilities catalog, confirming that it is being abused outside of controlled research environments.

US Federal Civilian Executive Branch agencies have been ordered to apply mitigations or remove affected products from service by December 24.

This action underscores the seriousness of the threat and the likelihood that additional organizations have already been compromised.

Cisco guidance and remediation steps

Cisco has urged customers to immediately secure exposed appliances and limit external access.

If a device is confirmed to be compromised, Cisco states that rebuilding the appliance is currently the only reliable way to fully remove the attackers’ persistence mechanisms.

Cisco recommends the following actions:

  • Restore affected appliances to a known secure configuration
  • Restrict management and service ports from public internet exposure
  • Implement strong access control and network segmentation
  • Contact Cisco support if compromise is suspected

“In case of confirmed compromise, rebuilding the appliances is currently the only viable option to eradicate the threat actors’ persistence mechanism,” Cisco stated.

Why this matters

Email security gateways often sit at the center of enterprise networks and process large volumes of sensitive data.

A full system-level compromise of these devices allows attackers to monitor communications, harvest credentials, and potentially pivot deeper into internal infrastructure.

Organizations running affected Cisco products should treat this issue as an immediate priority.