China-Linked Hackers Exploiting Zero-Day in Cisco Security Gear
securityweek

The critical zero-day is tracked as CVE-2025-20393 and it impacts Secure Email Gateway and Secure Email and Web Manager appliances.


Cisco on Wednesday warned customers that a China-linked threat group has been observed exploiting a new zero-day affecting some of its security products.
The vulnerability, tracked as CVE-2025-20393 and classified as having critical severity, impacts appliances running Cisco AsyncOS software for Secure Email Gateway (formerly ESA) and Secure Email and Web Manager (formerly Content SMA).
The zero-day can be exploited to execute arbitrary commands on the underlying operating system with root privileges.
The exploitation of CVE-2025-20393 was discovered by Cisco’s own Talos security experts. The attacks have been aimed at “a limited subset of appliances with certain ports open to the internet”.
Cisco Talos has attributed the attacks to a threat actor tracked as UAT-9686, which it believes, with moderate confidence based on the tools and infrastructure it uses ...
Copyright of this story solely belongs to securityweek.

