Cisco email security appliances rooted and backdoored via still unpatched zero-day

A suspected Chinese-nexus threat group has been compromising Cisco email security devices and planting backdoors and log-purging tools on them since at least late November 2025, Cisco Talos researchers have shared.

“Our analysis indicates that appliances with non-standard configurations (…) are what we have observed as being compromised by the attack,” they noted.

According to the accompanying advisory, the attackers exploited CVE-2025-20393, a vulnerability stemming from improper input validation, to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance. No authentication was required to exploit the flaw.

This attack campaign targeted Cisco Secure Email Gateway (physical and virtual) and Cisco Secure Email and Web Manager (physical and virtual) appliances that were configured with the Spam Quarantine feature exposed to and reachable from the internet.

The attack tools

Cisco became aware of this activity on December 10, during the resolution of a Cisco Technical Assistance Center (TAC) support case.

Their subsequent investigation revealed that the attackers:

  • Exploited the above-mentioned CVE, for which no patch is currently available
  • Achieved persistence on and a degree of control over the compromised appliances by installing:
    • AquaShell, a custom-made Python backdoor
    • AquaPurge, a tool that removes lines containing specific keywords from the log files
    • AquaTunnel, a reverse SSH backdoor based on an open-source one
    • Chisel, an open‑source tunneling tool used for proxying traffic

Cisco Talos researchers have shared IP addresses associated with the attack and hashes of some of the tools (though not of AquaShell).

What to do?

It is impossible to know, at this time, how many devices have been affected.

Cisco has noted that the Spam Quarantine feature is not enabled by default and that deployment guides for these products don’t require the associated port to be exposed to the internet.

The company continues to investigate the attack campaign and is likely to push out a fix for CVE-2025-20393 soon. In the meantime, they advise organizations using affected email security appliances to check whether they have enabled and configured the Spam Quarantine feature.

“If an appliance has been identified as having the web management interface or the Spam Quarantine port exposed to and reachable from the internet, Cisco strongly recommends following a multi-step process to restore the appliance to a secure configuration, when possible,” they urged.

If it’s not possible, they should contact Cisco TAC, which can check remotely whether they’ve been compromised.
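Cisco's advice above boils down to two checks: find out whether the Spam Quarantine or web management port is reachable from the internet, and look for the published attacker IP addresses in your logs. The script below is an added example (mine, not Cisco's or Talos' tooling) that does both. The port numbers are assumptions: 82/83 are the default End User Spam Quarantine HTTP/HTTPS ports and 80/443 the management interface ports as I recall them from the ESA/SMA documentation, so verify them against your own deployment. The IOC list and log lines are constructed for illustration and use documentation address ranges, not the real Talos indicators. Note also that, because AquaPurge strips log lines by keyword, an empty result from the log search does not clear an appliance; the TAC check or a rebuild is still the authoritative answer.

```python
import ipaddress
import re
import socket

# ASSUMPTION: default End User Spam Quarantine ports (HTTP 82 / HTTPS 83) and
# web management interface ports (80 / 443). Adjust to your configuration.
SPAM_QUARANTINE_PORTS = (82, 83)
WEB_MGMT_PORTS = (80, 443)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within `timeout` seconds.
    Run this from a host OUTSIDE your perimeter: the question the advisory asks
    is whether the port is reachable from the internet, not from the LAN."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposure_report(host, probe=tcp_port_open):
    """Probe the quarantine and management ports of one appliance.
    `probe(host, port) -> bool` is injectable so the logic can be tested offline."""
    results = {p: probe(host, p) for p in SPAM_QUARANTINE_PORTS + WEB_MGMT_PORTS}
    open_ports = [p for p, ok in results.items() if ok]
    return {
        "host": host,
        "open_ports": open_ports,
        "spam_quarantine_exposed": any(p in SPAM_QUARANTINE_PORTS for p in open_ports),
        "web_mgmt_exposed": any(p in WEB_MGMT_PORTS for p in open_ports),
    }


def load_iocs(text):
    """Parse an IOC list: one IPv4 address or CIDR per line, '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def find_ioc_hits(log_lines, ioc_nets):
    """Return (line_no, ip, line) for every log line that mentions an IOC address.
    Format-agnostic on purpose: it pulls every IPv4 literal out of each line, so
    the same function works on web access logs, SSH logs or firewall logs."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ip_str in dict.fromkeys(IPV4_RE.findall(line)):  # dedupe, keep order
            try:
                ip = ipaddress.ip_address(ip_str)
            except ValueError:  # regex also matches e.g. 999.1.1.1
                continue
            if any(ip in net for net in ioc_nets):
                hits.append((n, ip_str, line))
    return hits


# Constructed IOC list (documentation ranges), NOT the real Talos indicators.
SAMPLE_IOCS = """
# constructed example indicators
203.0.113.7
198.51.100.0/24
"""

# Constructed log lines in a generic access-log style, NOT real appliance logs.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2025:09:12:01 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Dec/2025:09:12:44 +0000] "POST /euq-login HTTP/1.1" 200 87',
    '192.0.2.10 - - [01/Dec/2025:09:13:02 +0000] "GET /search HTTP/1.1" 200 1024',
    '198.51.100.23 - - [02/Dec/2025:03:41:17 +0000] "GET / HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for n, ip, line in find_ioc_hits(SAMPLE_LOG, load_iocs(SAMPLE_IOCS)):
        print(f"line {n}: IOC {ip}: {line}")
    # Real use: exposure_report("mail-gw.example.com") from an external vantage point.
    print(exposure_report("appliance.example", probe=lambda h, p: p == 83))
```

Point `find_ioc_hits` at the appliance's web access logs and at any upstream firewall or proxy logs that saw the same traffic; the upstream copy is the one AquaPurge could not reach, which is why it matters more here than the appliance's own log.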

“In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors persistence mechanism from the appliance,” the company stated.

Who is behind the attacks?

“Talos assesses with moderate confidence that this activity is being conducted by a Chinese-nexus threat actor, which we track as UAT-9686. We have observed overlaps in tactics, techniques and procedures (TTPs), infrastructure, and victimology between UAT-9686 and other Chinese-nexus threat actors Talos tracks,” Cisco’s analysts shared.

“Tooling used by UAT-9686, such as AquaTunnel (aka ReverseSSH), also aligns with previously disclosed Chinese-nexus APT groups such as APT41 and UNC5174. Additionally, the tactic of using a custom-made web-based implant such as AquaShell is increasingly being adopted by highly sophisticated Chinese-nexus APTs.”

According to security researcher Kevin Beaumont, the attack IP addresses shared by Cisco might point to a Chinese APT group that previously targeted Cisco ASA devices, equipping them with a persistent backdoor and custom malware that disabled logging and prevented the creation of crash dumps, and that breached Citrix NetScaler ADC appliances via CVE-2025-5777 and CVE-2025-7775.
