Chinese Hackers Targeting Cisco Email Gateways www.databreachtoday.com/chinese-h…
Cisco Talos, the manufacturer’s threat intel arm, said Wednesday that hackers have, since mid-November, been exploiting a zero-day in the Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. It attributes the attacks with medium confidence to a Chinese threat actor it tracks as UAT-9686, in part because of overlap in tooling and infrastructure with other Chinese nation-state hacking groups.
The campaign exploits an improper input validation flaw tracked as CVE-2025-20393. Cisco said it became aware of the flaw on Dec. 10 and that no workarounds currently exist to counter the attacks. If a vulnerable device’s web management console has been exposed to the internet - or if the device was configured with a spam quarantine feature that opened up the corresponding software port - then Cisco says customers' best bet is to yank the device off the internet.
If it’s too late - if hackers have already gotten in - then “rebuilding the appliances is, currently, the only viable option to eradicate the threat actor's persistence mechanism from the appliance,” the company said.
Talos’s assessment is that only appliances “with non-standard configurations” are being hacked.