UAT-9686 exploited the bug to deploy the AquaShell backdoor on Cisco appliances with certain ports open to the internet.
January 16, 2026 By Ionut Arghire
Cisco on Thursday announced patches for a vulnerability in Secure Email Gateway (formerly ESA) and Secure Email and Web Manager (formerly Content SMA) that has been exploited in attacks.
Tracked as CVE-2025-20393 (CVSS score of 10/10), the security defect was disclosed on December 17, one week after Cisco’s Talos researchers observed its in-the-wild exploitation as a zero-day.
“This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance,” Cisco said at the time.
The company said the attacks targeted only a small set of appliances, and attributed the campaign to UAT-9686, a China-linked APT.
On Thursday, Cisco updated its advisory to provide information on the flaw, the affected products, and the available patches.