Cisco has issued an urgent warning regarding a critical zero-day (CVE-2025-20393, CVSS 10.0) in its Secure Email Gateway and Web Manager products. A Chinese-nexus group, UAT-9686, is actively exploiting the flaw to deploy “AquaShell” malware, granting root-level access. Currently, no patch is available, and Cisco states that rebuilding compromised devices is the only way to ensure remediation.
Business Impact
This is a catastrophic risk for large enterprises. Since the vulnerability resides in the email gateway—the very tool meant to stop threats—attackers can bypass all perimeter defenses, steal sensitive communications, and pivot into the internal network with full administrative control.
Why It Happened
The flaw lies in the “Spam Quarantine” feature when that feature is exposed to the internet. While this is not a default setting, organizations running this configuration were targeted starting in late November 2025, allowing attackers to install persistent backdoors before detection began.
Recommended Executive Action
Audit all Cisco Secure Email appliances immediately. If “Spam Quarantine” is internet-facing, assume compromise and follow Cisco’s rebuild protocol. Restrict access to trusted hosts only and disable unnecessary services like HTTP/FTP on management interfaces.
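To make the audit above repeatable across a fleet, the following Python script is an added example (not Cisco tooling and not part of the original advisory) that walks a hand-built appliance inventory and applies the three checks from the guidance: is the Spam Quarantine internet-facing (assume compromise, rebuild), which allowed source ranges fall outside the organization's trusted list (restrict access), and are HTTP or FTP enabled on the management interface (disable). The inventory record format, the appliance names, the addresses and the trusted ranges are all constructed assumptions; a real Cisco configuration export would need to be mapped onto these fields first. "Internet-facing" is approximated here as "bound to an address outside the trusted ranges, or reachable from an any-source rule", since the page does not define it more precisely.

```python
"""Fleet triage for the Spam Quarantine exposure checks (added example, not Cisco's code)."""
import ipaddress
from dataclasses import dataclass

# Services the guidance calls unnecessary on management interfaces.
UNNECESSARY_MGMT_SERVICES = {"http", "ftp"}


@dataclass
class Appliance:
    """Constructed inventory record; field names are assumptions, not Cisco's schema."""
    name: str
    spam_quarantine_enabled: bool
    quarantine_bind_ip: str      # address the quarantine web UI is bound to
    allowed_sources: list[str]   # CIDRs permitted to reach the quarantine UI
    mgmt_services: list[str]     # services enabled on the management interface


# Constructed sample fleet using documentation/private address ranges.
INVENTORY = [
    Appliance("esa-dmz-01", True, "203.0.113.10", ["0.0.0.0/0"], ["https", "http", "ssh"]),
    Appliance("esa-corp-02", True, "10.20.0.5", ["10.0.0.0/8", "198.51.100.0/24"], ["https", "ftp"]),
    Appliance("esa-corp-03", False, "10.20.0.6", ["10.0.0.0/8"], ["https", "ssh"]),
]

# Networks this (hypothetical) organization treats as trusted.
TRUSTED = ["10.0.0.0/8", "192.168.0.0/16"]


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def untrusted_sources(allowed, trusted):
    """Return allowed source CIDRs that are not contained in any trusted network."""
    trusted_nets = _nets(trusted)
    out = []
    for cidr in allowed:
        net = ipaddress.ip_network(cidr, strict=False)
        inside = any(net.subnet_of(t) for t in trusted_nets if net.version == t.version)
        if not inside:
            out.append(cidr)
    return out


def quarantine_internet_facing(app, trusted):
    """Enabled AND (bound outside the trusted ranges OR open to an any-source rule)."""
    if not app.spam_quarantine_enabled:
        return False
    bind = ipaddress.ip_address(app.quarantine_bind_ip)
    bound_outside = not any(bind in t for t in _nets(trusted) if bind.version == t.version)
    open_to_any = any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in app.allowed_sources)
    return bound_outside or open_to_any


def assess(app, trusted=TRUSTED):
    """Apply the three checks to one appliance and map them to the recommended action."""
    facing = quarantine_internet_facing(app, trusted)
    sources = untrusted_sources(app.allowed_sources, trusted) if app.spam_quarantine_enabled else []
    services = sorted(s for s in app.mgmt_services if s.lower() in UNNECESSARY_MGMT_SERVICES)
    if facing:
        action = "assume compromised: follow Cisco's rebuild protocol"
    elif sources or services:
        action = "restrict quarantine access to trusted hosts / disable listed services"
    else:
        action = "no finding; keep monitoring"
    return {
        "name": app.name,
        "internet_facing": facing,
        "untrusted_sources": sources,
        "unnecessary_services": services,
        "action": action,
    }


def triage(inventory=INVENTORY, trusted=TRUSTED):
    """Assess the whole fleet, internet-facing appliances first."""
    results = [assess(a, trusted) for a in inventory]
    results.sort(key=lambda r: (not r["internet_facing"], r["name"]))
    return results


if __name__ == "__main__":
    for r in triage():
        print(f"{r['name']:<12} facing={r['internet_facing']!s:<5} "
              f"untrusted={r['untrusted_sources']} services={r['unnecessary_services']} -> {r['action']}")
```

Running it as-is lists esa-dmz-01 first as internet-facing (rebuild), esa-corp-02 as needing its partner source range reviewed and FTP disabled, and esa-corp-03 as clean; swapping INVENTORY and TRUSTED for your own data is the intended use.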
Hashtags: #Cisco #ZeroDay #UAT9686 #China #APT #CyberSecurity #CISA #CVE202520393 #InfoSec
