Chinese Hackers Exploited Cisco Flaw for Weeks
16 Jan
Summary
- Cisco's critical email security flaw was exploited for weeks.
- Chinese state-sponsored groups allegedly used a Python backdoor.
- A patch is now available, removing attacker persistence.

A maximum-severity vulnerability in Cisco's Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances has been addressed. This critical flaw, tracked as CVE-2025-20393, had allegedly been exploited by Chinese state-sponsored threat actors since at least late November 2025, predating Cisco's mid-December 2025 disclosure. The attackers reportedly used a persistent Python-based backdoor known as Aquashell, alongside tunneling tools and a log-clearing utility.
Cisco confirmed that the exploitation allowed threat actors to gain root privileges and maintain control via a persistence mechanism. While Cisco initially offered mitigation advice, a fix was not immediately available. The company has now released software updates designed to resolve the vulnerability. These updates are crucial for removing any installed persistence mechanisms.




