Networking giant Cisco has uncovered a cyber attack, potentially linked to Chinese threat actors, that exploits a zero-day flaw in its software. The vulnerability, in Cisco AsyncOS, lets an attacker execute commands with root privileges on affected systems. The attack targets Cisco Secure Email Gateway and Secure Email and Web Manager appliances, specifically those with the Spam Quarantine feature enabled.
The company identified the intrusion attempts on December 10 and has since isolated a limited number of affected devices. Cisco has not disclosed how many customers are affected, but it is actively investigating and working on a permanent fix. Currently, the only remediation for a compromised system is a complete software rebuild, which is needed to remove the persistent implant left on the device.
The vulnerability, tracked as CVE-2025-20393, stems from improper input validation, which allows attacker-supplied commands to be executed with root privileges. Cisco notes that successful exploitation requires specific conditions, in particular around the Spam Quarantine feature; administrators should check whether Spam Quarantine is enabled on their appliances, and whether that interface is reachable from untrusted networks, before concluding they are out of scope.
The campaign, attributed to China-linked hacking groups, has been ongoing since at least late November 2025. As part of the attack, the intruders deployed a lightweight Python backdoor named AquaShell, which receives encoded commands in unauthenticated HTTP POST requests, decodes them and executes them on the appliance.
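The command channel described above (encoded commands carried in unauthenticated POST bodies) suggests a simple triage check for captured traffic to an appliance: look for POST requests that carry no session cookie or Authorization header and whose body is valid base64 decoding to shell-like text. The script below is an added illustration written for this article, not Cisco's or Talos's code and not a signature for AquaShell; the page does not give the backdoor's real endpoint or exact encoding, so the request path "/x", the sample requests and the payloads are all constructed and the decoding rule is an assumption. It expects raw HTTP requests as strings, such as those exported from a proxy log or a packet capture.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample traffic for illustration only. The endpoint "/x" and all
# payloads are invented; nothing here is a real AquaShell indicator.
SAMPLE_REQUESTS = [
    # Normal authenticated form post: has a session cookie, so it is skipped.
    "POST /login HTTP/1.1\r\nHost: esa.example.internal\r\nCookie: sid=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nusername=admin&password=secret",
    # Unauthenticated POST whose body is base64 for a shell command: flagged.
    "POST /x HTTP/1.1\r\nHost: esa.example.internal\r\nContent-Type: text/plain\r\n\r\n"
    + base64.b64encode(b"id; cat /etc/passwd").decode(),
    # Unauthenticated GET: not a POST, skipped regardless of content.
    "GET /search?q=test HTTP/1.1\r\nHost: esa.example.internal\r\n\r\n",
    # Unauthenticated POST of base64-wrapped binary: decodes, but not to text.
    "POST /upload HTTP/1.1\r\nHost: esa.example.internal\r\n\r\n"
    + base64.b64encode(b"\x00\xff\x01\x02\x80").decode(),
    # Unauthenticated POST of base64 "hello": text, but no shell-like tokens.
    "POST /x HTTP/1.1\r\nHost: esa.example.internal\r\n\r\naGVsbG8=",
]

# Tokens that make decoded text look like a shell command rather than data.
SHELL_TOKENS = re.compile(
    r"(?:^|[;&|\s])(?:sh|bash|id|whoami|cat|curl|wget|python|nc|rm|chmod|echo)\b"
)


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str]
    body: str


def parse_request(raw: str) -> HttpRequest:
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def decode_if_base64(text: str) -> Optional[str]:
    """Return the decoded text if `text` is strict base64 for printable ASCII, else None."""
    stripped = text.strip()
    if not stripped or len(stripped) % 4 != 0:
        return None
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", stripped):
        return None
    try:
        raw = base64.b64decode(stripped, validate=True)
        decoded = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if not all(ch.isprintable() or ch in "\n\t" for ch in decoded):
        return None
    return decoded


def is_authenticated(req: HttpRequest) -> bool:
    """Heuristic: any cookie or Authorization header counts as a logged-in session."""
    return "cookie" in req.headers or "authorization" in req.headers


def triage(raw_requests: List[str]) -> List[Tuple[str, str]]:
    """Return (path, decoded_command) for unauthenticated POSTs carrying encoded commands."""
    findings: List[Tuple[str, str]] = []
    for raw in raw_requests:
        req = parse_request(raw)
        if req.method != "POST" or is_authenticated(req):
            continue
        decoded = decode_if_base64(req.body)
        if decoded is not None and SHELL_TOKENS.search(decoded):
            findings.append((req.path, decoded))
    return findings


if __name__ == "__main__":
    for path, command in triage(SAMPLE_REQUESTS):
        print(f"suspicious unauthenticated POST to {path}: {command!r}")
```

Run it as-is to see the constructed sample flagged; point it at exported requests from your own proxy or capture to triage real traffic. Treat a hit as a reason to pull the appliance for forensic review rather than as proof of compromise, and remember that a positive finding on a Cisco AsyncOS device still ends in the full rebuild the article describes, not in a cleanup of the implant in place.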

