Cisco Warns Chinese Hackers Exploit Critical Email Gateway Flaw


Dec 20, 2025
Technobezz


Cisco customers are dealing with a double whammy of security threats this week, as Chinese state-sponsored hackers exploit a critical zero-day vulnerability in email security products while separate attackers launch massive brute force campaigns against VPN infrastructure. The situation is, frankly, a mess.

The main event involves a vulnerability that security researchers are calling particularly nasty. Tracked as CVE-2025-20393, this flaw in Cisco's AsyncOS software carries the maximum CVSS severity score of 10.0 and gives attackers root-level access to compromised systems. According to Cisco's security advisory published on December 17, the company first detected the attack campaign on December 10, though evidence suggests exploitation began in late November.

Here's the kicker: the vulnerability only affects Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances when they have the Spam Quarantine feature enabled and exposed to the internet. While that configuration isn't the default setup - and Cisco's deployment guides specifically warn against internet exposure - organizations that have enabled it face a serious problem. There's currently no patch available.

Cisco Talos, the company's threat intelligence division, attributes the campaign to a threat actor they're tracking as UAT-9686. The researchers assess with moderate confidence that this is a Chinese-nexus advanced persistent threat group, noting that their tooling and infrastructure overlap with known Chinese groups like APT41 and UNC5174. These aren't script kiddies - they're sophisticated state-sponsored operators.

The AquaShell Backdoor and Friends

What makes this campaign particularly concerning is the malware toolkit deployed. The attackers are using a Python-based backdoor called AquaShell that provides persistent access to compromised systems. But they didn't stop there. The toolkit includes AquaTunnel for establishing reverse SSH connections, Chisel for traffic proxying (which lets attackers pivot into internal networks), and AquaPurge for removing traces from log files.

Security researcher Kevin Beaumont described the campaign as "particularly problematic given that many large organizations use the affected products." And he's right - these aren't niche products. Cisco's email security appliances are deployed across enterprise and government networks globally.

The US Cybersecurity and Infrastructure Security Agency (CISA) has already added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog, giving federal agencies until December 24 to address the threat. But here's the rub: without available patches, agencies face limited options beyond implementing Cisco's recommended hardening measures.

Cisco's guidance is blunt. "Rebuilding the appliances is, currently, the only viable option to eradicate the threat actors' persistence mechanism from the appliance," the company states in its advisory. For organizations that can't immediately wipe and rebuild, Cisco recommends restricting appliance access to trusted hosts, deploying firewalls, separating mail and management functionality onto different network interfaces, and disabling unnecessary network services including HTTP and FTP.

Meanwhile, VPNs Are Getting Hammered

As if the zero-day exploitation wasn't enough, Cisco and Palo Alto Networks VPNs are facing a separate, massive brute force attack campaign. According to GreyNoise researchers, an army of more than 10,000 unique IP addresses began systematically attacking Palo Alto GlobalProtect VPNs just one day after Cisco discovered the email gateway campaign.

In a 16-hour period, this automated malicious campaign generated more than 1.7 million authentication sessions, mostly concentrated against organizations in the United States, Mexico, and Pakistan. The next day, the same campaign shifted to Cisco VPNs, with GreyNoise observing a sixfold increase in IPs attacking Cisco endpoints on December 12 alone.

Noah Stone, GreyNoise Intelligence's head of content, explains that brief, high-volume campaigns like this "are often used to quickly inventory exposed or weakly protected systems before defenders notice and respond. Moving fast also reduces the risk of credentials being rotated or access controls changing, and allows attackers to identify viable targets efficiently before shifting infrastructure or tactics."

The attacks followed standard SSL VPN login flows, attempting to brute force VPNs protected by credentials that were likely weak or already compromised. Then, just as quickly as it started, the campaign ended.
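The campaign described above is hard to catch with per-source lockouts, because each of the 10,000-plus source addresses may only try a handful of passwords. The following added example (not GreyNoise's, Cisco's or Palo Alto's code) shows the complementary detection a defender would run over VPN authentication logs: bucket failed logins into short time windows and alert when a single window contains many failures from many distinct source IPs. The log line format and the sample lines are constructed for illustration; the only things assumed about a real gateway are that it logs a timestamp and a source IP per failed login.

```python
"""Added example: detect a short, distributed credential-spraying burst in VPN
authentication logs. Not vendor code; the log format below is invented."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO-8601 UTC time> vpn auth FAIL|OK src=<ip> user=<name>"
LINE_RE = re.compile(r"^(\S+) vpn auth (FAIL|OK) src=(\S+) user=(\S+)$")
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Return (timestamp, outcome, src_ip, user) or None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def find_bursts(lines, window_seconds=60, min_failures=20, min_distinct_ips=10):
    """Group failed logins into fixed windows and flag windows that look like a
    distributed spray: many failures AND many distinct source addresses.

    A single-IP brute force would trip min_failures but not min_distinct_ips;
    requiring both keeps one misconfigured client from paging the on-call."""
    buckets = defaultdict(lambda: {"failures": 0, "ips": set(), "users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[1] != "FAIL":
            continue
        ts, _, ip, user = rec
        # Align the timestamp to the start of its window (works for any window size).
        offset = (ts - EPOCH).total_seconds() % window_seconds
        start = ts - timedelta(seconds=offset)
        b = buckets[start]
        b["failures"] += 1
        b["ips"].add(ip)
        b["users"].add(user)

    bursts = []
    for start, b in sorted(buckets.items()):
        if b["failures"] >= min_failures and len(b["ips"]) >= min_distinct_ips:
            bursts.append({
                "window_start": start,
                "failures": b["failures"],
                "distinct_ips": len(b["ips"]),
                "distinct_users": len(b["users"]),
            })
    return bursts


def constructed_log():
    """Constructed sample: ordinary traffic plus a one-minute spray from 30 IPs
    all hammering the same account. The addresses are documentation ranges."""
    lines = [
        "2025-12-11T02:00:05Z vpn auth OK src=198.51.100.7 user=alice",
        "2025-12-11T02:01:12Z vpn auth FAIL src=198.51.100.9 user=bob",
        "2025-12-11T02:01:40Z vpn auth OK src=198.51.100.9 user=bob",
    ]
    for i in range(30):
        lines.append(f"2025-12-11T02:03:{i:02d}Z vpn auth FAIL src=203.0.113.{i + 1} user=admin")
    lines.append("2025-12-11T02:05:30Z vpn auth FAIL src=198.51.100.20 user=carol")
    return lines


if __name__ == "__main__":
    for burst in find_bursts(constructed_log()):
        print(f"{burst['window_start'].isoformat()}Z: {burst['failures']} failures "
              f"from {burst['distinct_ips']} IPs against {burst['distinct_users']} user(s)")
```

The thresholds are deliberately low so the constructed sample trips them; on a real gateway, tune `min_failures` and `min_distinct_ips` against a week of baseline logs, and feed the flagged windows into whatever already raises your MFA-bypass or password-reset alerts, since the article's point is that these bursts are over before a human looks.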

The Detection Gap and Community Response

With no patch available for the email gateway vulnerability, the security community has stepped up. A GitHub user named StasonJatham released a Python script called "Cisco SMA Exposure Check" that helps organizations quickly identify exposure to CVE-2025-20393. The tool scans for open ports and services that have been exploited in recent attacks, performing HTTP/S fingerprinting and checking common paths like /quarantine, /spamquarantine, and /login.

The script also flags indicators of active exploitation, including strings like "AquaShell," "AquaTunnel," "Chisel," and "AquaPurge" - the hallmarks of the post-compromise tools observed in the wild. Requiring only Python 3's standard library, the tool runs in seconds and can help security teams identify vulnerable configurations without commercial scanners.
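As an added illustration of the kind of check the paragraph describes (this is not the StasonJatham script and not Cisco tooling), the following Python uses only the standard library to ask whether a host you own answers on the Spam Quarantine web paths the article names and whether any response body mentions the post-compromise tool names it lists. The hostname, the default port and the `fetch` callback are assumptions for the example; the actual quarantine listener port depends on how the appliance was deployed, so pass the ports you configured.

```python
"""Added example: read-only exposure check for the Spam Quarantine web UI.
Not the community script or vendor code; ports and hostnames are assumptions."""
import ssl
import urllib.error
import urllib.request

# Paths the article says the community script probes.
QUARANTINE_PATHS = ("/quarantine", "/spamquarantine", "/login")
# Tool names the article lists as hallmarks of post-compromise activity.
IOC_STRINGS = ("AquaShell", "AquaTunnel", "Chisel", "AquaPurge")


def default_fetch(url, timeout=5.0):
    """GET a URL and return (status, body_text), or None if nothing answered.
    Certificate checks are relaxed because appliances often present
    self-signed certificates; this only ever reads from a host you operate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:          # 4xx/5xx still proves something listens
        return e.code, e.read(65536).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None


def check_exposure(host, ports=(443,), fetch=default_fetch):
    """Probe each quarantine path on each port from the caller's vantage point.

    'exposed' is True when any path returns a 2xx/3xx, which is what you would
    expect from a quarantine UI reachable from where the check is run. IoC
    matches are reported separately; they are a reason to escalate, not proof."""
    result = {"host": host, "reachable": [], "iocs": {}, "exposed": False}
    for port in ports:
        for path in QUARANTINE_PATHS:
            reply = fetch(f"https://{host}:{port}{path}")
            if reply is None:
                continue
            status, body = reply
            result["reachable"].append((port, path, status))
            hits = [s for s in IOC_STRINGS if s in body]  # case-sensitive on purpose
            if hits:
                result["iocs"][(port, path)] = hits
    result["exposed"] = any(200 <= s < 400 for _, _, s in result["reachable"])
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.test"  # placeholder host
    r = check_exposure(target)
    print("exposed:", r["exposed"])
    for port, path, status in r["reachable"]:
        print(f"  {port}{path} -> {status}")
    for key, hits in r["iocs"].items():
        print(f"  IoC strings at {key}: {hits}")
```

Run it from outside the perimeter (the place Cisco's deployment guides say the quarantine should not be reachable from); a `True` result is the configuration the article says is in scope for the flaw, and is the cue to apply the access restrictions in Cisco's advisory regardless of whether any IoC string appears.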

This isn't Cisco's first rodeo with Chinese threat actors. Earlier this year, the company dealt with the "ArcaneDoor" campaign targeting Cisco devices. A Cisco spokesperson confirmed there's no evidence connecting the recent attacks to those earlier incidents, but the pattern is concerning.

Douglas McKee, director of vulnerability intelligence at Rapid7, offers some perspective: "Highlighting non-standard configurations isn't the same as blaming users - it's a relevant technical detail that helps defenders assess exploitation likelihood. The core issue doesn't change. The software fails under certain conditions, and that's on the vendor to fix. Secure design means accounting for edge cases, even when it's hard, and not shifting responsibility when they're exploited."

For organizations using affected products, the recommendations are clear but challenging. GreyNoise suggests diligently auditing edge devices and enforcing strong passwords and multifactor authentication. But as Stone admits, "the controls themselves are straightforward, but VPNs are business-critical systems, and operational complexity, legacy configurations, and fear of disrupting users often delay changes."

As we approach the end of 2025, these dual campaigns serve as a stark reminder that enterprise security requires constant vigilance. Whether it's sophisticated state-sponsored actors exploiting zero-days or automated brute force attacks probing for weak credentials, the threat landscape remains dynamic and challenging. For Cisco customers, the immediate priority is checking those Spam Quarantine configurations and preparing for some potentially disruptive remediation work.
