A new series of cyberattacks has emerged, targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager products through a critical zero-day vulnerability. Organizations using Cisco products report increased concerns as attackers, identified as a Chinese threat group known as UAT-9686, exploit an unpatched software flaw. These incidents, starting from late November, have intensified anxiety about persistent backdoors and unauthorized system access, especially as the vendor has yet to provide a fix. Customers now weigh urgent mitigation strategies to protect business operations, all while facing uncertainty about the full scope of the attacks.
Earlier reports of vulnerabilities in Cisco network equipment indicated that Chinese state-linked groups like APT41 had previously targeted Cisco, often exploiting weaknesses for extended periods before discovery. Previous notification delays and the lack of immediate patching came under criticism, with discussions centering on the need for faster responses and full disclosure. Similar tactics were seen in recent attacks, again focusing on the exploitation of widely used Cisco security solutions, underlining challenges companies face in defending against well-resourced adversaries.
What Makes CVE-2025-20393 a Priority Risk?
The critical flaw, designated CVE-2025-20393, has received the highest CVSS rating of 10, indicating its potential to cause significant harm in affected environments. Attackers have gained unrestricted privileges on compromised systems, allowing for deep control and possible persistence. Cisco confirms that customer networks with publicly exposed spam quarantine features face heightened risk, emphasizing that such settings, while non-standard, are not uncommon among certain organizations.
How Are Customers and Authorities Responding?
Both Cisco and US cyber authorities are responding by urging customers to review their system configurations and follow mitigation recommendations. The Cybersecurity and Infrastructure Security Agency has added the recent zero-day to its list of known exploited vulnerabilities, signaling a need for organizations to prioritize checking and potentially isolating or rebuilding affected systems. Cisco has withheld information on the number of customers impacted, but has reiterated basic security steps as interim measures.
“We strongly encourage customers to monitor their configurations and follow our security advisories,”
a Cisco spokesperson stated.
Why Is the Spam Quarantine Feature Relevant?
The exploited vulnerability specifically targets systems with the spam quarantine feature activated and exposed to the internet—a setting not enabled by default. Investigations show attackers have focused on networks using this configuration, which allows them to access and manipulate critical infrastructure.
“Highlighting non-standard configurations isn’t the same as blaming users — it’s a relevant technical detail that helps defenders assess exploitation likelihood,”
said Douglas McKee from Rapid7, indicating that understanding these configurations is crucial for organizations under threat.
Recent events continue a pattern of aggressive targeting of major hardware and security vendors by Chinese-linked groups, who routinely search for vulnerable entry points and persist inside systems. The response showcases ongoing tension between rapid disclosure to inform users and the need to investigate breaches thoroughly before releasing details. Organizations adopting recommended hardening measures and regularly reviewing security advisories stand a better chance of detecting anomalies linked to zero-day exploitation. Learning from repeated incidents can improve resilience against future targeted attacks, especially when default and public configurations are involved.
