StratosAlly – Cybersecurity for digital safety

Cisco Sounding the Alarm as China-Linked Hackers Exploit New Zero-Day Flaw


StratosAlly


In what’s shaping up to be one of the most unsettling cybersecurity sagas of the year, networking giant Cisco has confirmed that China-linked hackers are actively exploiting a critical unpatched zero-day flaw in its widely used email and security gear, and the cyber storm shows few signs of slowing.

The vulnerability, tracked as CVE-2025-20393, affects Cisco's AsyncOS software powering Secure Email Gateway and Secure Email and Web Manager appliances, systems that sit at the heart of many organizations' email defenses. With a maximum severity score (10.0) and no official patch yet available, attackers have been probing and compromising vulnerable machines since at least late November.

Security researchers, including Cisco’s own Talos team, say the threat actor behind these incursions is a China-nexus advanced persistent group known as UAT-9686. To maintain access, the intruders are reportedly planting persistent backdoors and stealthy tooling, sometimes even purging system logs to cover their tracks.

What makes this campaign particularly disconcerting is the stealth and scope: attackers are not just knocking on doors, they are slipping inside and staying put, often without organizations noticing. And because the vulnerability affects relatively common email appliance configurations, it potentially exposes a broad swath of enterprises and government agencies worldwide.

Cisco is urging customers to take a hard look at how exposed their systems really are, especially features like Spam Quarantine, which can unintentionally widen the attack surface if left accessible from the internet. And for organizations that discover they've already been breached, the advice is blunt: sometimes the only clean way out is to wipe the device and rebuild it from scratch.

For the broader cybersecurity world, this incident is yet another wake-up call. Zero-day flaws, particularly those leveraged by state-linked groups, aren't rare shocks anymore; they're becoming a regular part of the threat landscape. The message to defenders is clear: patch fast, tighten everything you can, and operate under the assumption that attackers will test your systems again sooner rather than later.

