Chinese Hackers Targeting Cisco Email Gateways


Cisco Talos Attributes Campaign to UAT-9686

Akshaya Asokan (asokan_akshaya) • December 18, 2025

Likely Chinese nation-state hackers are exploiting an unpatched flaw in Cisco email appliances as part of an ongoing campaign to gain persistent access.

Cisco Talos, the manufacturer's threat intel arm, said Wednesday that hackers have been exploiting a zero-day in the Cisco Secure Email Gateway and Cisco Secure Email and Web Manager since mid-November. It attributes the attacks with medium confidence to a Chinese threat actor it tracks as UAT-9686, in part because of overlap in tooling and infrastructure with other Chinese nation-state hacking groups.

The campaign exploits an improper input validation flaw tracked as CVE-2025-20393. Cisco said it became aware of the flaw on Dec. 10 and that there currently exist no workarounds to counter the attacks. If a ...


Copyright of this story solely belongs to bankinfosecurity.