Full Report
Cisco has yet to release a patch for the actively exploited vulnerability, and attacks have been underway since at least late November. The post Cisco customers hit by fresh wave of zero-day attacks from China-linked APT appeared first on CyberScoop.
Analysis Summary
# Threat Actor: UAT-9686
## Attribution & Identity
**Identification:** Advanced Persistent Threat (APT) group tracked by Cisco Talos as **UAT-9686**.
**Attribution:** China-linked APT group.
**Associated Groups:** Tooling and infrastructure consistent with other China state-sponsored groups such as **APT41** and **UNC5174**.
## Activity Summary
The threat group has been actively exploiting a critical, unpatched zero-day vulnerability (CVE-2025-20393) affecting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances since at least late November (detected by Cisco on December 10th). The exploitation targets customer systems configured with a publicly exposed spam quarantine feature. This activity represents a "fresh wave" of attacks against users of Cisco products.
## Tactics, Techniques & Procedures
- **Exploitation of Zero-Day:** Exploitation of **CVE-2025-20393**, an improper input validation vulnerability.
- **Privilege Escalation:** The vulnerability allows attackers to execute commands with **unrestricted privileges**.
- **Persistence:** Attackers implant **persistent backdoors** on compromised devices.
- **Configuration Targeting:** Exploitation requires a **non-standard configuration**—specifically, a publicly exposed spam quarantine feature (which is not enabled by default).
## Targeting
- **Sectors:** Cisco customers running Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances. (No sectors are named; targeting is implied by product usage, i.e. organizations operating email/web security infrastructure.)
- **Geography:** Not explicitly mentioned, but attributed to a China-linked group.
- **Victims:** Cisco customers. The number impacted is unknown.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly named, but involves tooling consistent with other Chinese threat groups.
- **Infrastructure:** Infrastructure consistent with China state-sponsored threat groups. (No specific IPs or URLs were detailed in the provided context).
## Implications
The exploitation of a CVSS 10.0 severity zero-day vulnerability in critical email/web security infrastructure allows an adversary to gain unrestricted, persistent access. The ongoing exploitation before a patch release indicates a high level of threat sophistication and operational urgency by the actor. Previous exploitation of Cisco vulnerabilities (like those linked to "ArcaneDoor") suggests a pattern of targeting perimeter network devices by China-linked entities.
## Mitigations
- Follow the guidance provided in Cisco's advisory (Talos Intelligence link: `https://blog.talosintelligence.com/uat-9686/`).
- Determine exposure by checking affected appliances for evidence of exploitation activity.
- Mitigate risk by **isolating or rebuilding** affected systems.
- **Configuration Check:** Ensure the spam quarantine feature is *not* publicly exposed, as exploitation relies on this non-standard configuration.
- CISA has added CVE-2025-20393 to its known exploited vulnerabilities catalog, requiring immediate defense action.