Chinese Hackers Exploited Cisco Flaw for Weeks
16 Jan
Summary
- Cisco's critical email security flaw was exploited for weeks.
- Chinese state-sponsored groups allegedly used Python backdoor.
- A patch is now available, removing attacker persistence.

A maximum-severity vulnerability in Cisco's Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances has been addressed. This critical flaw, tracked as CVE-2025-20393, was allegedly exploited by Chinese state-sponsored threat actors since at least late November 2025, predating Cisco's mid-December 2025 disclosure. The attackers reportedly used a persistent Python-based backdoor known as Aquashell, alongside tunneling tools and a log-clearing utility.
Cisco confirmed that the exploitation allowed threat actors to gain root privileges and maintain control via a persistence mechanism. While Cisco initially offered mitigation advice, a fix was not immediately available. The company has now released software updates designed to resolve the vulnerability. These updates are crucial for removing any installed persistence mechanisms.
Despite the critical nature of the vulnerability and its prolonged exploitation period of over five weeks, the full extent of the global compromise remains unknown. Cisco strongly advises affected customers to upgrade to the latest fixed software release as outlined in their updated security advisory to protect their networks.