April 11, 2026 Newsletter
A China-nexus threat actor tracked by Cisco Talos as UAT-9686 has been compromising Cisco Secure Email Gateway and Cisco Secure Email and Web Manager deployments that run a risky, non-default AsyncOS configuration.
The entry point is not the default build. It is a specific setup in which the Spam Quarantine feature is enabled and its web interface is reachable from the internet, a configuration Cisco and defenders have repeatedly warned against.
Once in, Cisco reports, the attackers can run arbitrary commands with root privileges, then install a persistent backdoor named AquaShell along with tunneling and log-wiping tooling to keep their access and reduce the evidence left behind.
The situation in plain English
A security appliance that is supposed to protect email was exposed with a dangerous feature reachable from the internet.
Attackers used that exposure to gain system-level control of the appliance.
They installed AquaShell to maintain remote control, used tunneling to stay connected, and cleared logs to hide.
The issue is tracked as CVE-2025-20393 with a CVSS base score of 10.0 (Critical). It is listed as exploited in the wild, and its entry in CISA's Known Exploited Vulnerabilities (KEV) catalog carries a remediation due date of December 24, 2025.
What happened
According to Cisco Talos, the campaign has been active since at least late November 2025, and Cisco became aware of it on December 10, 2025. The observed compromises line up with the non-standard configurations described in Cisco's guidance, not with default deployments.
The attacker toolkit observed includes:
AquaShell (Python backdoor)
AquaTunnel (reverse SSH tunnel) and chisel (tunneling)
AquaPurge (log-clearing)
Why this matters to defenders
1) Security appliances sit on the trust boundary
Email security gateways and centralized managers are positioned where they can see, route, and influence sensitive traffic and policy. A compromise here is not a single-host incident. It can become a durable foothold for deeper access.
2) “Misconfiguration” is a top-tier attack vector
This incident is a clean example of why patching alone is not enough. A product can be “up” and still be dangerously exposed because of one operational decision that turned an internal feature into an internet-facing service.
3) Root-level access plus persistence changes the response plan
Cisco-linked guidance summarized by MS-ISAC notes that if compromise is confirmed, rebuilding the appliance is currently the only viable way to eradicate persistence. That is disruptive by design, which is why prevention and early detection matter.
What to do now
Identify exposure
Confirm whether your environment uses Cisco Secure Email Gateway or Secure Email and Web Manager on AsyncOS.
Verify whether Spam Quarantine is enabled and whether its interface is reachable from the internet.
Remove internet reachability immediately
Restore a secure configuration and ensure the Spam Quarantine interface is not reachable from untrusted networks.
Hunt for compromise indicators
Look for unexpected outbound connections from the appliance (a reverse SSH tunnel, for example, needs the appliance to dial out over SSH), unusual tunnels, abnormal web/UI file changes, and signs of log manipulation consistent with the tooling described by Talos.
Treat confirmed compromise as a rebuild event
Engage vendor support and plan for rebuild if compromise is confirmed, since persistence has been observed.
Institutionalize configuration risk controls
Put internet-facing configuration changes behind change control, periodic review, and continuous monitoring so “one checkbox” cannot become “root access.”
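The steps above can be turned into repeatable checks. The following Python is an added example written for this newsletter; it is not code from Cisco, Talos or the newsletter's own tooling. It assumes the Spam Quarantine web UI listens on the AsyncOS default ports (HTTP 82, HTTPS 83; adjust SPAM_QUARANTINE_PORTS if your deployment remaps them), and the flow records, log timestamps and RFC 5737 addresses are constructed sample data standing in for a firewall/NetFlow export and the appliance's mail logs.

```python
"""Exposure check and compromise hunt for an AsyncOS email appliance.

Added example, not Cisco, Talos or newsletter code. Assumptions, not taken from
the advisory:
- The Spam Quarantine web UI listens on the AsyncOS default ports HTTP 82 and
  HTTPS 83; change SPAM_QUARANTINE_PORTS if your deployment remaps them.
- Flow records and log timestamps are constructed samples standing in for a
  firewall/NetFlow export and the appliance's mail logs.
"""
import socket
from dataclasses import dataclass
from datetime import datetime, timedelta

SPAM_QUARANTINE_PORTS = (82, 83)


def quarantine_reachable(host, ports=SPAM_QUARANTINE_PORTS, timeout=3.0, connect=None):
    """Return {port: bool}: does each quarantine port accept a TCP handshake?

    Run from OUTSIDE the network against the appliance's public address; any
    True means the quarantine UI is internet-facing and must be taken off the
    edge now. `connect` lets a test inject a fake connector instead of a socket.
    """
    def real_connect(h, p):
        try:
            with socket.create_connection((h, p), timeout=timeout):
                return True
        except OSError:
            return False

    connect = connect or real_connect
    return {p: connect(host, p) for p in ports}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


# Services an email gateway legitimately initiates. Tailor to your environment;
# tcp/443 is noisy and should be baselined against known destinations.
EXPECTED_OUTBOUND = {("tcp", 25), ("tcp", 53), ("udp", 53), ("tcp", 443)}


def hunt_outbound(flows, appliance_ips, expected=EXPECTED_OUTBOUND, known_peers=frozenset()):
    """Flag appliance-initiated flows that do not match an expected service.

    Outbound SSH is singled out because a reverse SSH tunnel (the AquaTunnel
    pattern) needs the appliance to dial out on tcp/22. Returns [(flow, reason)].
    """
    findings = []
    for f in flows:
        if f.src not in appliance_ips or f.dst in known_peers:
            continue  # not appliance-initiated, or an approved destination
        if f.proto == "tcp" and f.dport == 22:
            findings.append((f, "outbound SSH from appliance: reverse-tunnel indicator"))
        elif (f.proto, f.dport) not in expected:
            findings.append((f, f"unexpected outbound {f.proto}/{f.dport} to {f.dst}"))
    return findings


def log_gaps(timestamps, max_gap_minutes=60):
    """Return (start, end) pairs where consecutive log entries are further apart
    than max_gap_minutes. A busy gateway logs continuously, so a multi-hour hole
    or a log that begins only recently is consistent with log clearing and
    deserves a look, checked against the appliance's own log-rollover settings."""
    ts = sorted(timestamps)
    limit = timedelta(minutes=max_gap_minutes)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > limit]


if __name__ == "__main__":
    # Constructed sample data using RFC 5737 documentation addresses.
    gateway = {"10.0.0.5"}
    flows = [
        Flow("10.0.0.5", "192.0.2.10", 25, "tcp"),      # normal SMTP delivery
        Flow("10.0.0.5", "198.51.100.7", 22, "tcp"),    # reverse-tunnel candidate
        Flow("10.0.0.5", "198.51.100.7", 8080, "tcp"),  # unexpected port
        Flow("10.1.1.1", "10.0.0.5", 25, "tcp"),        # inbound, ignored
    ]
    for flow, reason in hunt_outbound(flows, gateway):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} {reason}")
    stamps = [datetime(2025, 12, 1, 8, 0) + timedelta(minutes=5 * i) for i in range(12)]
    stamps += [datetime(2025, 12, 1, 14, 0)]  # entries resume after a five-hour hole
    print("log gaps:", log_gaps(stamps))
```

Run `quarantine_reachable` from an external vantage point, not from inside the network, or it will tell you only what your own LAN can see. The flow hunt is deliberately conservative: it ignores traffic to destinations you put in `known_peers`, so keep that list short and reviewed, and treat any outbound SSH from a mail appliance as a finding to investigate rather than a false positive to tune away.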
InfoSight perspective: the real lesson
This is not just a Cisco story. It is an operational security story.
Modern intrusions keep exploiting the same gap: organizations manage vulnerabilities like a monthly hygiene task, while configuration drift and exposed services change daily. When that drift happens on edge and security appliances, the blast radius grows fast.
The fix is disciplined execution:
continuous external attack-surface checks
hard baselines for internet-facing systems
rapid validation after any configuration change
24x7 monitoring for abnormal access patterns and persistence behaviors
How InfoSight applies this in client environments
Exposure validation: confirm whether high-risk interfaces are internet reachable and lock them down fast
Vulnerability and configuration governance: translate vendor guidance into enforceable controls and recurring checks
Threat monitoring and response: detect tunneling, persistence artifacts, and log tampering indicators early
Proof for auditors and insurers: document the configuration state, remediation actions, and ongoing monitoring evidence for defensible compliance