CYBER SYRUP
Delivering the sweetest insights on cybersecurity.


Cisco Zero-Day Exploited in the Wild by China-Linked Threat Group

Cisco has disclosed active exploitation of a critical zero-day vulnerability affecting select Cisco security appliances. The flaw lets an unauthenticated, remote attacker execute commands with root privileges on the device, posing a serious risk to impacted environments.

The vulnerability, tracked as CVE-2025-20393, is already being leveraged in targeted attacks attributed to a suspected Chinese state-sponsored threat actor. At the time of disclosure, no patch or workaround is available.

Context

Cisco security appliances such as Secure Email Gateway (formerly the Email Security Appliance, ESA) and Secure Email and Web Manager (formerly the Content Security Management Appliance, SMA) are widely deployed at the network edge to protect enterprise email and web traffic.

Because these systems often sit in front of sensitive internal infrastructure and maintain elevated privileges, vulnerabilities in them are especially attractive to advanced threat actors seeking long-term access or lateral movement opportunities.

What Happened

Cisco Talos discovered active exploitation of CVE-2025-20393 during internal investigations.

The attacks have targeted a limited subset of appliances that are exposed to the internet with specific ports enabled. Cisco believes exploitation began in late November, and Talos detected the activity on December 10.

Talos attributes the activity to a threat actor it tracks as UAT-9686, which it assesses with moderate confidence to be a China-linked advanced persistent threat (APT) group based on tooling, tradecraft, and infrastructure.

Technical Breakdown

CVE-2025-20393 affects Cisco appliances running AsyncOS for Secure Email Gateway and Secure Email and Web Manager.

The vulnerability allows attackers to execute arbitrary commands on the underlying operating system with root privileges, effectively granting full control of the device.

Once access is gained, attackers deploy multiple tools, including:

  • AquaShell – a backdoor providing persistence

  • AquaPurge – a utility used to erase log files and hinder detection

  • AquaTunnel – a reverse SSH capability for remote access

  • Chisel – an open-source tunneling tool used to pivot into internal networks

Talos noted that Chisel enables attackers to proxy traffic through compromised edge devices, facilitating deeper intrusion into enterprise environments.
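The reverse-SSH and Chisel observations point at a simple hunting heuristic: an email security appliance initiates a small, predictable set of outbound sessions (SMTP, DNS, NTP, directory lookups, HTTPS to its update hosts), so any other session it originates, especially a long-lived one to an external host or any session into an internal host it has no business reaching, deserves a look. The Python below is an added example of that egress hunt, written for this page; it is not Talos detection content or Cisco guidance. The appliance address, the egress allow-list and the flow records are constructed for the example, and the "external" addresses use the TEST-NET ranges.

```python
"""Hunt for tunnel- and pivot-style egress originating from an email security appliance.

Constructed assumptions for the example: the appliance's egress address is 10.0.5.20,
internal address space is 10.0.0.0/8, and legitimate outbound traffic is limited to the
ALLOWED_EGRESS services plus HTTPS to two vendor update hosts.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # flow start, epoch seconds
    src: str
    dst: str
    dport: int
    proto: str
    duration: int    # seconds the session stayed up
    bytes_out: int


APPLIANCE_IPS = {"10.0.5.20"}                       # constructed
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed; TEST-NET ranges below count as external
# (proto, port) pairs the gateway legitimately initiates to any destination
ALLOWED_EGRESS = {("tcp", 25), ("tcp", 587), ("tcp", 53), ("udp", 53),
                  ("udp", 123), ("tcp", 389), ("tcp", 636)}
# HTTPS is expected only to the update/telemetry hosts the gateway is configured for
ALLOWED_HTTPS_DSTS = {"203.0.113.10", "203.0.113.11"}
LONG_LIVED = 600  # seconds; tunnels stay up for hours, mail deliveries finish in seconds

# Constructed flow records (not real telemetry).
SAMPLE_FLOWS = [
    Flow(1765360000, "10.0.5.20", "198.51.100.5", 25, "tcp", 4, 52_000),         # normal SMTP delivery
    Flow(1765360010, "10.0.5.20", "10.0.0.53", 53, "udp", 0, 120),               # internal DNS
    Flow(1765360020, "10.0.5.20", "203.0.113.10", 443, "tcp", 3, 9_000),         # update server
    Flow(1765360100, "10.0.5.20", "192.0.2.44", 22, "tcp", 7200, 1_500_000),     # reverse SSH tunnel
    Flow(1765360200, "10.0.5.20", "192.0.2.45", 8080, "tcp", 3600, 800_000),     # chisel-style client
    Flow(1765360300, "10.0.5.20", "203.0.113.99", 443, "tcp", 5, 2_000),         # HTTPS to unknown host
    Flow(1765360400, "10.0.5.20", "10.0.20.15", 445, "tcp", 40, 30_000),         # appliance probing SMB inside
    Flow(1765360500, "10.0.7.8", "192.0.2.44", 22, "tcp", 30, 5_000),            # a workstation, out of scope
]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(flow: Flow):
    """Return a reason string if the appliance-originated flow is suspicious, else None."""
    if flow.src not in APPLIANCE_IPS:
        return None
    key = (flow.proto, flow.dport)
    if key in ALLOWED_EGRESS:
        return None
    if key == ("tcp", 443) and flow.dst in ALLOWED_HTTPS_DSTS:
        return None
    internal = is_internal(flow.dst)
    if flow.dport == 22 and not internal:
        return "outbound SSH to external host (possible reverse tunnel)"
    if internal:
        return f"appliance reaching into internal host {flow.dst}:{flow.dport} (possible pivot)"
    if flow.duration >= LONG_LIVED:
        return f"long-lived session to unexpected external port {flow.dport}"
    return f"unexpected egress to {flow.dst}:{flow.dport}/{flow.proto}"


def hunt(flows):
    """Return [(flow, reason)] for every flow classify() flags."""
    hits = []
    for f in flows:
        reason = classify(f)
        if reason:
            hits.append((f, reason))
    return hits


if __name__ == "__main__":
    for f, reason in hunt(SAMPLE_FLOWS):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}/{f.proto} ({f.duration}s): {reason}")
```

The allow-list is deliberately tight: the point is not to recognise Chisel or a particular SSH client by signature, which AquaPurge-style log cleaning and renamed binaries defeat, but to treat the appliance's egress profile as the baseline and alert on anything outside it. Tune the allowed services and update hosts to what your gateway is actually configured to use before running this against real flow data.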

Impact Analysis

Successful exploitation allows attackers to fully compromise affected Cisco security appliances.

Because these systems often manage or inspect trusted traffic, attackers may use them as stealthy entry points for surveillance, credential harvesting, or lateral movement.

The lack of an available patch significantly increases operational risk, particularly for organizations with exposed appliances.

Why It Matters

This incident highlights the growing focus of state-aligned threat actors on network security infrastructure rather than traditional endpoints.

Edge devices with high privileges and broad visibility are increasingly being used as durable footholds for espionage and long-term access campaigns.

The addition of CVE-2025-20393 to CISA’s Known Exploited Vulnerabilities catalog underscores the severity and urgency of the threat.

Expert Commentary

Cisco Talos emphasized that attackers leveraged post-exploitation tooling specifically designed to maintain access while minimizing forensic traces.

The observed tradecraft aligns with broader trends in state-sponsored operations, where edge infrastructure is abused to bypass traditional detection controls and blend into normal network traffic.

Key Takeaways

  • A critical Cisco zero-day is being actively exploited in the wild

  • CVE-2025-20393 enables root-level command execution

  • Attacks are attributed to a suspected China-linked APT group

  • No patch or workaround is currently available

  • Edge security appliances are increasingly targeted for persistence and pivoting
