Overview
- CVE-2025-20393 enables unauthenticated root-level command execution on Secure Email Gateway and Secure Email and Web Manager due to improper input validation.
- Cisco reports exploitation since at least late November and says activity was detected on December 10, attributing it with moderate confidence to China‑nexus group UAT-9686.
- Observed compromises involve non‑default setups where the Spam Quarantine feature is enabled and exposed to the internet.
- Attackers deploy a persistent AquaShell backdoor, use AquaTunnel/ReverseSSH and chisel for tunneling, and run AquaPurge to clear logs.
- CISA added the flaw to its Known Exploited Vulnerabilities catalog, directing federal agencies to apply mitigations by December 24, while Cisco has published the IOCs and is blocking them across its security portfolio.