How Two Threat Campaigns Targeted Cisco in December

A covert zero-day exploit and a loud VPN brute-force wave hit Cisco customers within days

Cisco systems were targeted by two unrelated threat campaigns in December

Cisco customers were hit by a China-linked zero-day exploit and a separate VPN brute-force campaign within days, exposing persistent edge security failures.

In December 2025, two unrelated threat campaigns targeted Cisco infrastructure within the same week. One involved a previously unknown zero-day vulnerability exploited by a China-linked actor. The other was a large-scale, automated credential attack against enterprise VPNs. The incidents were technically different but both focused on exposed edge systems.

Zero-day exploitation begins

By late November, attackers were already exploiting a zero-day vulnerability in Cisco email security appliances running AsyncOS. The flaw, tracked as CVE-2025-20393, affects systems where the Spam Quarantine feature is enabled and reachable from the internet. Under those conditions, attackers can escalate to root access and execute arbitrary commands on the appliance.

China-linked tooling deployed

Cisco Talos attributed the activity to a group it calls UAT-9686. The group’s tooling and infrastructure overlap with known China-linked actors including APT41 and UNC5174. After gaining access, the attackers deployed multiple payloads including the Chisel tunneling tool and a custom malware family named Aqua. The primary implant, AquaShell, is a Python backdoor embedded into existing system files and paired with log wiping and reverse SSH components to maintain control.

Cisco confirms exploitation without a patch

On December 17, Cisco publicly acknowledged the vulnerability and confirmed active exploitation. At the time of disclosure, no patch was available. Cisco instructed customers to disable or take offline exposed Spam Quarantine services while it works on a permanent fix.

Separate VPN brute-force campaign follows

One day after Cisco identified the AsyncOS campaign, a separate operation began targeting enterprise VPN infrastructure. GreyNoise observed more than 10,000 unique IP addresses generating over 1.7 million authentication attempts against Palo Alto Networks GlobalProtect VPNs in a 16-hour window. The activity then shifted to Cisco SSL VPN endpoints, with a sharp spike in attacking IPs on December 12.

Fast inventory, not persistence

Unlike the zero-day exploitation, the VPN campaign was unsophisticated and automated. Attackers followed standard login flows to brute-force or reuse weak credentials. The activity ended quickly, consistent with campaigns designed to rapidly inventory exposed systems before defenders respond. As of publication, Cisco has not released a patch for CVE-2025-20393, leaving affected systems reliant on mitigations.
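The distributed pattern described above (thousands of source IPs, each making only a handful of attempts) is exactly what per-IP lockouts miss. The following detector is an added example written for this page, not code from GreyNoise, Cisco or Palo Alto Networks; the log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Detect distributed VPN credential attacks that stay under per-IP limits.

Added example, not from the article. Log format, sample lines and the
thresholds below are constructed assumptions, not vendor defaults.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines: many source IPs, one failed login each.
SAMPLE_LOG = """\
2025-12-12T03:00:01Z vpn auth src=203.0.113.10 user=admin result=FAIL
2025-12-12T03:00:02Z vpn auth src=203.0.113.11 user=admin result=FAIL
2025-12-12T03:00:03Z vpn auth src=203.0.113.12 user=admin result=FAIL
2025-12-12T03:00:04Z vpn auth src=203.0.113.13 user=test result=FAIL
2025-12-12T03:00:05Z vpn auth src=203.0.113.14 user=test result=FAIL
2025-12-12T03:00:06Z vpn auth src=198.51.100.7 user=jsmith result=OK
2025-12-12T03:00:07Z vpn auth src=203.0.113.15 user=guest result=FAIL
"""

def parse_line(line):
    """Parse one constructed log line into (timestamp, src, user, result)."""
    ts, _, _, src, user, result = line.split()
    value = lambda field: field.split("=", 1)[1]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), value(src), value(user), value(result)

def detect_distributed_bruteforce(log_text, window=timedelta(minutes=10),
                                  per_ip_max=3, distinct_ip_min=5):
    """Slide a window over failed logins. Alert when at least distinct_ip_min
    source IPs fail inside one window while every IP stays at or below
    per_ip_max: the spread pattern that per-IP lockouts do not catch."""
    fails = sorted(e for e in map(parse_line, filter(str.strip, log_text.splitlines()))
                   if e[3] == "FAIL")
    report = {"fails": len(fails), "distinct_ips": len({e[1] for e in fails}),
              "max_per_ip": max(Counter(e[1] for e in fails).values(), default=0),
              "alert": False, "targeted_users": []}
    for i, (t0, _, _, _) in enumerate(fails):
        in_win = [e for e in fails[i:] if e[0] - t0 <= window]
        per_ip = Counter(e[1] for e in in_win)
        if len(per_ip) >= distinct_ip_min and max(per_ip.values()) <= per_ip_max:
            report["alert"] = True
            report["targeted_users"] = sorted({e[2] for e in in_win})
            break
    return report

if __name__ == "__main__":
    print(detect_distributed_bruteforce(SAMPLE_LOG))
```

In production the aggregate counts would be fed from the VPN's own auth logs and tuned against the site's normal failure rate; the point is to alert on the fleet-wide failure volume, not only on any single source.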


FAQ

What was the Cisco zero-day exploited in December?

The vulnerability was CVE-2025-20393 affecting Cisco AsyncOS email security appliances with exposed Spam Quarantine services.

Who was behind the zero-day exploitation?

Cisco attributed the activity to UAT-9686, a group with links to known China-aligned threat actors.

Were the VPN attacks related to the zero-day?

No. The VPN brute-force campaign was separate and used credential attacks rather than software exploitation.

Which VPN products were targeted?

Attackers targeted Palo Alto Networks GlobalProtect VPNs first and then Cisco SSL VPN endpoints.

Is there a patch available for the Cisco zero-day?

No patch has been released. Cisco has advised mitigations while a permanent fix is developed.