Cisco customers are confronting a fresh wave of attacks from a Chinese threat group that has actively exploited a critical zero-day vulnerability affecting the vendor’s software for email and web security since at least late November, the company said in an advisory Wednesday.
Cisco said it became aware of the attacks Dec. 10. The defect CVE-2025-20393, which has a CVSS rating of 10, is an improper input validation vulnerability affecting Cisco AsyncOS software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager that allows attackers to execute commands with unrestricted privileges and implant persistent backdoors on compromised devices.
There is no patch for the vulnerability and Cisco declined to say when one would be made available. Cisco said “non-standard configurations” have been observed in compromised networks, specifically customer systems that are configured with a publicly exposed spam quarantine feature.
Cisco Talos researchers attributed the attacks to a Chinese advanced persistent threat group it tracks as UAT-9686, which has used tooling and infrastructure consistent with other China state-sponsored threat groups such as APT41 and UNC5174.
Cisco declined to answer questions about how many customers have been impacted. The company encouraged customers to follow guidance in its advisory to determine if they’re exposed and take steps to mitigate risk, including isolating or rebuilding affecting systems.
The spam quarantine feature, which must be on and publicly exposed for attackers to exploit the vulnerability, is not enabled by default, Cisco said. The Cybersecurity and Infrastructure Security Agency added the zero-day to its known exploited vulnerabilities catalog Thursday.
“Highlighting non-standard configurations isn’t the same as blaming users — it’s a relevant technical detail that helps defenders assess exploitation likelihood,” Douglas McKee, directly of vulnerability intelligence at Rapid7, told CyberScoop.
“The core issue doesn’t change,” he added. “The software fails under certain conditions, and that’s on the vendor to fix. Secure design means accounting for edge cases, even when it’s hard, and not shifting responsibility when they’re exploited.”
Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said the non-standard configurations that trigger the defect is an indication attacks are targeting specific users. Yet, he added, it’s unknown how many Cisco customers have enabled the spam quarantine feature and exposed it to the internet.
Chinese threat groups have consistently exploited Cisco vulnerabilities. The latest attacks follow a widespread attack spree involving actively exploited zero-day vulnerabilities affecting Cisco firewalls.
Federal cyber authorities issued an emergency directive in September about the attacks, which impacted multiple government agencies in May. CISA and Cisco did not at that time fully explain why they waited four months from initial response to the attacks to disclose the malicious activity, patch the zero-days and issue the emergency directive.
A spokesperson for Cisco said there’s no evidence the recent attacks are connected to the attacks earlier this year. Cisco attributed the previous attacks to the same threat group behind an early 2024 campaign targeting Cisco devices, which it dubbed “ArcaneDoor.”