{"id":18172,"date":"2025-12-20T15:23:03","date_gmt":"2025-12-20T15:23:03","guid":{"rendered":"https:\/\/lite14.net\/blog\/?p=18172"},"modified":"2025-12-20T15:23:03","modified_gmt":"2025-12-20T15:23:03","slug":"cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products","status":"publish","type":"post","link":"https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/","title":{"rendered":"Cisco Confirms Active Zero-Day Exploitation Targeting Secure Email Products"},"content":{"rendered":"<ul>\n<li><\/li>\n<\/ul>\n<hr \/>\n<h2><span class=\"ez-toc-section\" id=\"_What_Cisco_Confirmed\"><\/span>\u00a0What Cisco Confirmed<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><strong>Cisco has acknowledged an actively exploited zero\u2011day vulnerability (CVE\u20112025\u201120393)<\/strong> affecting its <strong>Secure Email products<\/strong> \u2014 specifically:<\/p>\n<ul>\n<li><strong>Cisco Secure Email Gateway<\/strong><\/li>\n<li><strong>Cisco Secure Email and Web Manager<\/strong><\/li>\n<\/ul>\n<p>These products run <strong>Cisco AsyncOS software<\/strong>, and the flaw <em>is unpatched and being exploited in the wild<\/em>, meaning attackers are using it before a fix is available. (<a title=\"Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances\" href=\"https:\/\/thehackernews.com\/2025\/12\/cisco-warns-of-active-attacks.html?utm_source=chatgpt.com\">The Hacker News<\/a>)<\/p>\n<p><strong>Severity:<\/strong><\/p>\n<ul>\n<li>Rated <strong>10\/10 (critical)<\/strong> on the CVSS scale. (<a title=\"Cisco Secure Email Attacks: 0-Day Exploit Confirmed, No Fix Available\" href=\"https:\/\/www.forbes.com\/sites\/daveywinder\/2025\/12\/18\/cisco-secure-email-attacks-0-day-exploit-confirmed-no-fix-available\/?utm_source=chatgpt.com\">Forbes<\/a>)<\/li>\n<\/ul>\n<p><strong>Exploitation confirmed:<\/strong><\/p>\n<ul>\n<li>Cisco observed the attacks and began responding on <strong>10\u202fDecember\u202f2025<\/strong>.<\/li>\n<li>Evidence suggests exploitation has been underway since <strong>late November\u202f2025<\/strong>. 
(<a title=\"Cisco email security products actively targeted in zero-day campaign | TechRadar\" href=\"https:\/\/www.techradar.com\/pro\/security\/cisco-email-security-products-actively-targeted-in-zero-day-campaign?utm_source=chatgpt.com\">TechRadar<\/a>)<\/li>\n<\/ul>\n<hr \/>\n<h2><span class=\"ez-toc-section\" id=\"_What_the_Vulnerability_Does\"><\/span>\u00a0What the Vulnerability Does<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><strong>CVE\u20112025\u201120393<\/strong> is a <strong>critical improper input validation flaw<\/strong> in AsyncOS that allows an <strong>unauthenticated remote attacker<\/strong> to:<\/p>\n<ul>\n<li><strong>Execute arbitrary system commands<\/strong><\/li>\n<li><strong>Gain full root\u2011level control of the appliance<\/strong><\/li>\n<li><strong>Deploy persistence mechanisms (backdoors)<\/strong><\/li>\n<\/ul>\n<p>The flaw affects both <strong>physical and virtual instances<\/strong> of the products, <em>if configured with the Spam Quarantine feature enabled and reachable from the internet<\/em>. (<a title=\"December 19 Advisory: Cisco Secure Email Gateway AsyncOS Zero-Day Exploited in the Wild [CVE-2025-20393]\" href=\"https:\/\/censys.com\/advisory\/cve-2025-20393?utm_source=chatgpt.com\">Censys<\/a>)<\/p>\n<p>Once attackers gain access, they can:<\/p>\n<ul>\n<li>Install backdoors for long\u2011term access (e.g., a Python\u2011based backdoor)<\/li>\n<li>Set up secret remote tunnels<\/li>\n<li>Purge or tamper with logs to hide activity<\/li>\n<li>Pivot deeper into enterprise networks<\/li>\n<\/ul>\n<p>These kinds of attacks turn a security appliance \u2014 meant to protect organisations \u2014 into a <strong>trusted gateway for attackers<\/strong>. 
(<a title=\"New actively exploited CVSS 10 security vulnerability\" href=\"https:\/\/www.greenbone.net\/en\/blog\/new-actively-exploited-cvss-10-flaw\/?utm_source=chatgpt.com\">Greenbone<\/a>)<\/p>\n<hr \/>\n<h2><span class=\"ez-toc-section\" id=\"_Whos_Behind_the_Exploits\"><\/span>\u00a0Who\u2019s Behind the Exploits<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Cisco\u2019s <strong>Talos threat research team<\/strong> has linked the activity with moderate confidence to a <strong>China\u2011linked advanced persistent threat (APT) group<\/strong>, tracked as <strong>UAT\u20119686<\/strong>. This group appears to share techniques and tooling with other known Chinese\u2011nexus threat actors. (<a title=\"China-linked APT UAT-9686 is targeting Cisco Secure Email Gateway and Secure Email and Web Manager\" href=\"https:\/\/securityaffairs.com\/185861\/apt\/china-linked-apt-uat-9686-is-targeting-cisco-secure-email-gateway-and-secure-email-and-web-manager.html?amp=&amp;utm_source=chatgpt.com\">Security Affairs<\/a>)<\/p>\n<p>Observed malicious tooling includes:<\/p>\n<ul>\n<li><strong>AquaShell<\/strong> \u2013 a Python\u2011based backdoor<\/li>\n<li><strong>AquaTunnel<\/strong> \u2013 reverse SSH tunnelling<\/li>\n<li><strong>AquaPurge<\/strong> \u2013 log\u2011clearing utility<\/li>\n<li><strong>Chisel<\/strong> \u2013 tunnelling\/proxy tool<br \/>\n(these components support persistence and stealth access) (<a title=\"New actively exploited CVSS 10 security vulnerability\" href=\"https:\/\/www.greenbone.net\/en\/blog\/new-actively-exploited-cvss-10-flaw\/?utm_source=chatgpt.com\">Greenbone<\/a>)<\/li>\n<\/ul>\n<hr \/>\n<h2><span class=\"ez-toc-section\" id=\"_Why_This_Is_Serious\"><\/span>\u00a0Why This Is Serious<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"_Email_Security_as_a_High%E2%80%91Value_Target\"><\/span>\u00a0Email Security as a High\u2011Value Target<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Secure Email Gateways are central to how organisations filter, inspect, and protect email traffic. If attackers can compromise these appliances, they can:<\/p>\n<ul>\n<li>Monitor or modify incoming\/outgoing messages<\/li>\n<li>Steal credentials and sensitive data<\/li>\n<li>Move laterally within the organisation\u2019s network<\/li>\n<\/ul>\n<p>Industry analysts stress that <strong>control of email infrastructure grants broad visibility into communications and trusted access paths<\/strong>, making this more dangerous than entry through a peripheral service. (<a title=\"Cisco confirms zero-day exploitation of Secure Email products | Network World\" href=\"https:\/\/www.networkworld.com\/article\/4108547\/cisco-confirms-zero-day-exploitation-of-secure-email-products-2.html?utm_source=chatgpt.com\">Network World<\/a>)<\/p>\n<hr \/>\n<h2><span class=\"ez-toc-section\" id=\"_What_Cisco_and_Security_Experts_Are_Advising\"><\/span>\u00a0What Cisco and Security Experts Are Advising<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>As of <strong>mid\u2011December 2025<\/strong>, <strong>no official patch is available<\/strong> from Cisco. 
Cisco\u2019s current guidance and recommended mitigation steps include:<\/p>\n<h3><span class=\"ez-toc-section\" id=\"_Immediate_Actions\"><\/span>\u00a0Immediate Actions<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li><strong>Disable or remove internet exposure<\/strong> of management and <em>Spam Quarantine<\/em> interfaces<\/li>\n<li><strong>Restrict appliance access<\/strong> using firewalls and trusted IP whitelists<\/li>\n<li><strong>Segment and harden networks<\/strong> to limit exposure<\/li>\n<li><strong>Monitor logs and indicators of compromise (IoCs)<\/strong> closely<\/li>\n<li><strong>Contact Cisco Technical Assistance Center (TAC)<\/strong> if compromise is suspected<\/li>\n<\/ul>\n<p>Cisco has indicated that in <strong>confirmed compromise cases, the only reliable way to remove persistence may be to wipe and rebuild<\/strong> affected appliances from a clean image. (<a title=\"December 19 Advisory: Cisco Secure Email Gateway AsyncOS Zero-Day Exploited in the Wild [CVE-2025-20393]\" href=\"https:\/\/censys.com\/advisory\/cve-2025-20393?utm_source=chatgpt.com\">Censys<\/a>)<\/p>\n<h3><span class=\"ez-toc-section\" id=\"_Known_Exploited_Vulnerability_KEV_Listing\"><\/span>\u00a0Known Exploited Vulnerability (KEV) Listing<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE\u20112025\u201120393 to its <strong>Known Exploited Vulnerabilities Catalog<\/strong>, highlighting <em>active exploitation and urgent need for mitigation<\/em>. 
(<a title=\"NewsBites Volume XXVII \u2013 Issue 92, December 19, 2025 | SANS NewsBites\" href=\"https:\/\/www.sans.org\/newsletters\/newsbites\/xxvii-92?utm_source=chatgpt.com\">SANS Institute<\/a>)<\/p>\n<hr \/>\n<h2><span class=\"ez-toc-section\" id=\"_Industry_and_Community_Reactions\"><\/span>\u00a0Industry and Community Reactions<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><strong>Security analysts<\/strong> point out that the <strong>absence of a patch elevates operational risk<\/strong> for organisations using Cisco\u2019s email security stack. Because bad actors are already exploiting the flaw, patch timing, network hardening, and rebuild strategies become critical decisions. (<a title=\"Security Bulletin: RCE in Cisco Email Security Gateway\" href=\"https:\/\/www.redlegg.com\/blog\/security-bulletin-cisco-email-security-gateway?utm_source=chatgpt.com\">redlegg.com<\/a>)<\/p>\n<p><strong>Infrastructure teams and MSP communities<\/strong> on technical forums emphasise:<\/p>\n<ul>\n<li>The critical nature of <em>root\u2011level command execution<\/em> without authentication<\/li>\n<li>The persistent nature of installed malware and tunnelling tools<\/li>\n<li>The need for <em>speedy investigation, detection, and isolation<\/em> of affected systems while waiting for a vendor fix (because cleanup is non\u2011trivial) (<a title=\"Critical Cisco AsyncOS Zero Day Vulnerability - No patch yet - CVSS 10\" href=\"https:\/\/www.reddit.com\/\/r\/cybersecurityforMSP\/comments\/1ppzsy1\/critical_cisco_asyncos_zero_day_vulnerability_no\/?utm_source=chatgpt.com\">Reddit<\/a>)<\/li>\n<\/ul>\n<hr \/>\n<h2><span class=\"ez-toc-section\" id=\"_Summary_of_Key_Points\"><\/span>\u00a0Summary of Key Points<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<table>\n<thead>\n<tr>\n<th><strong>Aspect<\/strong><\/th>\n<th><strong>Details<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Vulnerability<\/strong><\/td>\n<td>CVE\u20112025\u201120393 (AsyncOS input 
validation flaw)<\/td>\n<\/tr>\n<tr>\n<td><strong>Severity<\/strong><\/td>\n<td>CVSS 10.0 (Critical)<\/td>\n<\/tr>\n<tr>\n<td><strong>Products affected<\/strong><\/td>\n<td>Cisco Secure Email Gateway &amp; Secure Email and Web Manager<\/td>\n<\/tr>\n<tr>\n<td><strong>Exploit status<\/strong><\/td>\n<td>Confirmed active exploitation in the wild<\/td>\n<\/tr>\n<tr>\n<td><strong>Threat actors<\/strong><\/td>\n<td>China\u2011linked APT group UAT\u20119686<\/td>\n<\/tr>\n<tr>\n<td><strong>Patch availability<\/strong><\/td>\n<td><em>None yet<\/em><\/td>\n<\/tr>\n<tr>\n<td><strong>Mitigation<\/strong><\/td>\n<td>Network hardening, restrict internet exposure, disable features, rebuild compromised systems<\/td>\n<\/tr>\n<tr>\n<td><strong>Risk<\/strong><\/td>\n<td>Full system takeover, persistent backdoors, lateral network access<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<p><strong>What to do now:<\/strong><br \/>\nOrganisations using Cisco Secure Email products should:<\/p>\n<ol>\n<li><strong>Identify exposed appliances<\/strong> and immediately reduce internet exposure.<\/li>\n<li><strong>Apply access controls and segmentation.<\/strong><\/li>\n<li><strong>Monitor for indicators of compromise (IoCs) and unusual activity.<\/strong><\/li>\n<li><strong>Prepare for rebuild if compromise is confirmed.<\/strong><\/li>\n<\/ol>\n<hr \/>\n<p>The sections below give a <strong>case\u2011study\u2011centred breakdown with expert comments<\/strong> on the <strong>active zero\u2011day exploitation Cisco has confirmed against its Secure Email products<\/strong> \u2014 including how the attacks work, real exploitation examples, and reactions from security professionals and organisations.<\/p>\n<hr \/>\n<h2><span class=\"ez-toc-section\" id=\"What_Is_Happening_%E2%80%94_Active_Zero%E2%80%91Day_Exploitation\"><\/span><strong>What Is Happening \u2014 Active Zero\u2011Day Exploitation<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" 
id=\"The_vulnerability\"><\/span><strong>The vulnerability<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Cisco has confirmed that a <strong>critical, unpatched zero\u2011day vulnerability (CVE\u20112025\u201120393)<\/strong> in its <strong>AsyncOS software<\/strong> is being actively exploited in the wild. This affects:<\/p>\n<ul>\n<li><strong>Cisco Secure Email Gateway (SEG)<\/strong> (formerly Email Security Appliance)<\/li>\n<li><strong>Cisco Secure Email and Web Manager (SEWM)<\/strong><\/li>\n<\/ul>\n<p>The flaw has a <strong>CVSS score of 10.0 (critical)<\/strong> and allows attackers to <strong>execute arbitrary commands remotely with root privileges<\/strong> on affected devices if certain conditions are met. (<a title=\"Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances\" href=\"https:\/\/thehackernews.com\/2025\/12\/cisco-warns-of-active-attacks.html?utm_source=chatgpt.com\">The Hacker News<\/a>)<\/p>\n<hr \/>\n<h2><span class=\"ez-toc-section\" id=\"Case_Study_1_%E2%80%94_Targeting_Email_Security_Appliances_in_the_Wild\"><\/span><strong>Case Study 1 \u2014 Targeting Email Security Appliances in the Wild<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"How_attackers_exploit_the_flaw\"><\/span><strong>How attackers exploit the flaw<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The exploit targets systems where the <strong>Spam Quarantine feature is enabled and reachable from the internet<\/strong> \u2014 a configuration that isn\u2019t enabled by default but may be present in some deployments. 
If both conditions are true, an unauthenticated attacker can:<\/p>\n<ul>\n<li>Execute <strong>system\u2011level commands with root access<\/strong><\/li>\n<li>Install <strong>persistent backdoors and tunnelling mechanisms<\/strong><\/li>\n<li>Pivot within networks using the compromised gateway as a trusted foothold<\/li>\n<\/ul>\n<p>Observed malicious tools include:<\/p>\n<ul>\n<li><strong>AquaShell<\/strong> \u2014 Python\u2011based backdoor<\/li>\n<li><strong>AquaTunnel<\/strong> \u2014 SSH reverse tunnel backdoor<\/li>\n<li><strong>AquaPurge<\/strong> \u2014 log\u2011clearing utility<\/li>\n<li><strong>Chisel<\/strong> \u2014 generic tunnelling\/proxy tool<\/li>\n<\/ul>\n<p>These tools give attackers <strong>deep control of the device and persistence long after initial compromise<\/strong>. (<a title=\"Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances\" href=\"https:\/\/thehackernews.com\/2025\/12\/cisco-warns-of-active-attacks.html?utm_source=chatgpt.com\">The Hacker News<\/a>)<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Exploit_timeline\"><\/span><strong>Exploit timeline<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Cisco <em>began seeing exploitation activity around <strong>10\u202fDecember\u202f2025<\/strong><\/em>, and evidence indicates attackers were active <strong>since at least late November\u202f2025<\/strong> before the public alert. 
(<a title=\"Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances\" href=\"https:\/\/thehackernews.com\/2025\/12\/cisco-warns-of-active-attacks.html?utm_source=chatgpt.com\">The Hacker News<\/a>)<\/p>\n<hr \/>\n<h2><span class=\"ez-toc-section\" id=\"Case_Study_2_%E2%80%94_Attribution_to_a_China%E2%80%91Linked_APT_Group\"><\/span><strong>Case Study 2 \u2014 Attribution to a China\u2011Linked APT Group<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Cisco\u2019s Talos threat intelligence team assesses with <strong>moderate confidence<\/strong> that a <strong>China\u2011nexus advanced persistent threat (APT) group, tracked as UAT\u20119686<\/strong>, is behind the exploitation activity. This assessment is based on overlapping tactics, tooling, and infrastructure with previously observed Chinese\u2011linked operations. (<a title=\"CCN-CERT - CCN-CERT AL 11\/25 Campa\u00f1a activa contra Cisco Secure Email Gateway y Cisco Secure Email and Web Manager\" href=\"https:\/\/www.ccn-cert.cni.es\/en\/updated-security\/alertas-ccn-cert\/13121-ccn-cert-al-11-25-campana-activa-contra-cisco-secure-email-gateway-y-cisco-secure-email-and-web-manager.html?utm_source=chatgpt.com\">ccn-cert.cni.es<\/a>)<\/p>\n<p><strong>Attack pattern example:<\/strong><\/p>\n<ul>\n<li><strong>Initial access:<\/strong> exploit CVE\u20112025\u201120393 when Spam Quarantine is exposed<\/li>\n<li><strong>Persistence:<\/strong> install AquaShell backdoor<\/li>\n<li><strong>Stealth:<\/strong> use AquaPurge to erase logs<\/li>\n<li><strong>Lateral extension:<\/strong> establish tunnels using AquaTunnel<\/li>\n<\/ul>\n<p>This pattern mirrors techniques used by other well\u2011known Chinese APT groups (e.g., APT41) in separate campaigns targeting VPNs, firewalls, and other infrastructure products. 
(<a title=\"CCN-CERT - CCN-CERT AL 11\/25 Campa\u00f1a activa contra Cisco Secure Email Gateway y Cisco Secure Email and Web Manager\" href=\"https:\/\/www.ccn-cert.cni.es\/en\/updated-security\/alertas-ccn-cert\/13121-ccn-cert-al-11-25-campana-activa-contra-cisco-secure-email-gateway-y-cisco-secure-email-and-web-manager.html?utm_source=chatgpt.com\">ccn-cert.cni.es<\/a>)<\/p>\n<hr \/>\n<h2><span class=\"ez-toc-section\" id=\"Case_Study_3_%E2%80%94_Cisco_Response_and_Mitigation_Guidance\"><\/span><strong>Case Study 3 \u2014 Cisco Response and Mitigation Guidance<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"Vendor_status\"><\/span><strong>Vendor status<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li><strong>No patch is yet available<\/strong> from Cisco at the time of the advisory, leaving systems vulnerable if left misconfigured or exposed. (<a title=\"December 19 Advisory: Cisco Secure Email Gateway AsyncOS Zero-Day Exploited in the Wild [CVE-2025-20393]\" href=\"https:\/\/censys.com\/advisory\/cve-2025-20393?utm_source=chatgpt.com\">Censys<\/a>)<\/li>\n<li>Cisco is actively investigating the campaign and working on a permanent fix, but <strong>remediation advice currently focuses on mitigation and containment<\/strong> rather than repair.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Mitigation_steps_recommended\"><\/span><strong>Mitigation steps recommended<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Security practitioners and Cisco\u2019s advisory recommend that organisations:<\/p>\n<ol>\n<li><strong>Ensure Spam Quarantine isn\u2019t exposed to the internet<\/strong> (e.g., be behind a firewall or VPN). 
(<a title=\"NewsBites Volume XXVII \u2013 Issue 92, December 19, 2025 | SANS NewsBites\" href=\"https:\/\/www.sans.org\/newsletters\/newsbites\/xxvii-92?utm_source=chatgpt.com\">SANS Institute<\/a>)<\/li>\n<li><strong>Disable the Spam Quarantine feature<\/strong> if feasible, or at least limit access to trusted internal networks. (<a title=\"NewsBites Volume XXVII \u2013 Issue 92, December 19, 2025 | SANS NewsBites\" href=\"https:\/\/www.sans.org\/newsletters\/newsbites\/xxvii-92?utm_source=chatgpt.com\">SANS Institute<\/a>)<\/li>\n<li><strong>Segment management interfaces<\/strong> and restrict access to known IPs only. (<a title=\"NewsBites Volume XXVII \u2013 Issue 92, December 19, 2025 | SANS NewsBites\" href=\"https:\/\/www.sans.org\/newsletters\/newsbites\/xxvii-92?utm_source=chatgpt.com\">SANS Institute<\/a>)<\/li>\n<li><strong>Monitor logs and network activity<\/strong> closely for signs of unusual commands or traffic. (<a title=\"NewsBites Volume XXVII \u2013 Issue 92, December 19, 2025 | SANS NewsBites\" href=\"https:\/\/www.sans.org\/newsletters\/newsbites\/xxvii-92?utm_source=chatgpt.com\">SANS Institute<\/a>)<\/li>\n<li>If compromise is suspected, <strong>a full rebuild of the appliance may be required<\/strong> to remove implanted persistence mechanisms. 
(<a title=\"December 19 Advisory: Cisco Secure Email Gateway AsyncOS Zero-Day Exploited in the Wild [CVE-2025-20393]\" href=\"https:\/\/censys.com\/advisory\/cve-2025-20393?utm_source=chatgpt.com\">Censys<\/a>)<\/li>\n<\/ol>\n<hr \/>\n<h2><span class=\"ez-toc-section\" id=\"Comments_Reactions_from_Experts_and_the_Security_Community\"><\/span><strong>Comments &amp; Reactions from Experts and the Security Community<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"_Security_researchers\"><\/span>\u00a0Security researchers<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li>Analysts emphasize that <strong>email security appliances sit at a critical trust boundary<\/strong> \u2014 they inspect trusted email traffic and are often allowed deep network access. If attackers own them, they can potentially intercept internal communications or broaden compromise. (<a title=\"Cisco confirms zero-day exploitation of Secure Email products | Network World\" href=\"https:\/\/www.networkworld.com\/article\/4108547\/cisco-confirms-zero-day-exploitation-of-secure-email-products-2.html?utm_source=chatgpt.com\">Network World<\/a>)<\/li>\n<li>Without a patch, many professionals cautioned organisations to <strong>assume compromise if Internet exposure occurred<\/strong>, even for a short time, because backdoors and tunnelling tools are designed for persistence. 
(<a title=\"Critical Cisco AsyncOS Zero Day Vulnerability - No patch yet - CVSS 10\" href=\"https:\/\/www.reddit.com\/\/r\/cybersecurityforMSP\/comments\/1ppzsy1\/critical_cisco_asyncos_zero_day_vulnerability_no\/?utm_source=chatgpt.com\">Reddit<\/a>)<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"_Industry_perspectives\"><\/span>\u00a0Industry perspectives<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li>One security commentator pointed out that <strong>rebuilding an appliance is disruptive<\/strong> but sometimes necessary: a compromised security gateway can\u2019t simply be \u201ccleaned in place\u201d because attackers may have deeply embedded their tools. (<a title=\"Cisco confirms zero-day exploitation of Secure Email products | Network World\" href=\"https:\/\/www.networkworld.com\/article\/4108547\/cisco-confirms-zero-day-exploitation-of-secure-email-products-2.html?utm_source=chatgpt.com\">Network World<\/a>)<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"_Risk_community_consensus\"><\/span>\u00a0Risk community consensus<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li>Both security ops forums and professional threads noted:\n<ul>\n<li><strong>Active exploitation is confirmed<\/strong> \u2014 not just theoretical or potential. (<a title=\"Cisco confirms active zero-day exploitation by China-linked hackers; no patch available\" href=\"https:\/\/www.reddit.com\/\/r\/secithubcommunity\/comments\/1ppmeka\/cisco_confirms_active_zeroday_exploitation_by\/?utm_source=chatgpt.com\">Reddit<\/a>)<\/li>\n<li><strong>No quick patch is available yet<\/strong>, increasing urgency for mitigation. 
(<a title=\"Cisco has confirmed an active zero-day vulnerability in its Secure Email Gateway products that is being exploited in a Chinese-linked hacking campaign.\" href=\"https:\/\/www.reddit.com\/\/r\/TechNadu\/comments\/1ppm844\/cisco_has_confirmed_an_active_zeroday\/?utm_source=chatgpt.com\">Reddit<\/a>)<\/li>\n<li>The vulnerability has been <strong>added to CISA\u2019s Known Exploited Vulnerabilities catalog<\/strong>, meaning US federal agencies are under legal pressure to act quickly. (<a title=\"Cisco email security products actively targeted in zero-day campaign | TechRadar\" href=\"https:\/\/www.techradar.com\/pro\/security\/cisco-email-security-products-actively-targeted-in-zero-day-campaign?utm_source=chatgpt.com\">TechRadar<\/a>)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h2><span class=\"ez-toc-section\" id=\"What_Makes_This_Exploit_Particularly_Dangerous\"><\/span><strong>What Makes This Exploit Particularly Dangerous<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<table>\n<thead>\n<tr>\n<th><strong>Characteristic<\/strong><\/th>\n<th><strong>Why It Matters<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Criticality (CVSS\u202f10.0)<\/strong><\/td>\n<td>Allows root\u2011level command execution without authentication. (<a title=\"Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances\" href=\"https:\/\/thehackernews.com\/2025\/12\/cisco-warns-of-active-attacks.html?utm_source=chatgpt.com\">The Hacker News<\/a>)<\/td>\n<\/tr>\n<tr>\n<td><strong>Active exploitation in the wild<\/strong><\/td>\n<td>Not a theoretical risk \u2014 organisations are being hit right now. 
(<a title=\"Cisco email security products actively targeted in zero-day campaign | TechRadar\" href=\"https:\/\/www.techradar.com\/pro\/security\/cisco-email-security-products-actively-targeted-in-zero-day-campaign?utm_source=chatgpt.com\">TechRadar<\/a>)<\/td>\n<\/tr>\n<tr>\n<td><strong>Security appliance target<\/strong><\/td>\n<td>Email gateways are trusted infrastructure \u2014 compromise opens deep network access. (<a title=\"Cisco confirms zero-day exploitation of Secure Email products | Network World\" href=\"https:\/\/www.networkworld.com\/article\/4108547\/cisco-confirms-zero-day-exploitation-of-secure-email-products-2.html?utm_source=chatgpt.com\">Network World<\/a>)<\/td>\n<\/tr>\n<tr>\n<td><strong>No patch yet<\/strong><\/td>\n<td>Mitigation is complex and relies on configuration changes. (<a title=\"December 19 Advisory: Cisco Secure Email Gateway AsyncOS Zero-Day Exploited in the Wild [CVE-2025-20393]\" href=\"https:\/\/censys.com\/advisory\/cve-2025-20393?utm_source=chatgpt.com\">Censys<\/a>)<\/td>\n<\/tr>\n<tr>\n<td><strong>APT attribution<\/strong><\/td>\n<td>Tied to China\u2011nexus APT group UAT\u20119686, indicating sophisticated, persistent threat operations. (<a title=\"CCN-CERT - CCN-CERT AL 11\/25 Campa\u00f1a activa contra Cisco Secure Email Gateway y Cisco Secure Email and Web Manager\" href=\"https:\/\/www.ccn-cert.cni.es\/en\/updated-security\/alertas-ccn-cert\/13121-ccn-cert-al-11-25-campana-activa-contra-cisco-secure-email-gateway-y-cisco-secure-email-and-web-manager.html?utm_source=chatgpt.com\">ccn-cert.cni.es<\/a>)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h2><span class=\"ez-toc-section\" id=\"Summary\"><\/span><strong>Summary<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul>\n<li><strong>Cisco has confirmed<\/strong> that an <strong>unpatched zero\u2011day vulnerability (CVE\u20112025\u201120393)<\/strong> in its Secure Email products is <strong>actively being exploited<\/strong> in attacks. 
(<a title=\"Cisco email security products actively targeted in zero-day campaign | TechRadar\" href=\"https:\/\/www.techradar.com\/pro\/security\/cisco-email-security-products-actively-targeted-in-zero-day-campaign?utm_source=chatgpt.com\">TechRadar<\/a>)<\/li>\n<li>The flaw allows <strong>unauthenticated root\u2011level command execution<\/strong> and the installation of persistent backdoors, primarily when the <strong>Spam Quarantine feature<\/strong> is exposed to the internet. (<a title=\"Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances\" href=\"https:\/\/thehackernews.com\/2025\/12\/cisco-warns-of-active-attacks.html?utm_source=chatgpt.com\">The Hacker News<\/a>)<\/li>\n<li><strong>Attackers tracked as UAT\u20119686<\/strong> \u2014 linked to a China\u2011nexus threat ecosystem \u2014 are implicated in these campaigns. (<a title=\"CCN-CERT - CCN-CERT AL 11\/25 Campa\u00f1a activa contra Cisco Secure Email Gateway y Cisco Secure Email and Web Manager\" href=\"https:\/\/www.ccn-cert.cni.es\/en\/updated-security\/alertas-ccn-cert\/13121-ccn-cert-al-11-25-campana-activa-contra-cisco-secure-email-gateway-y-cisco-secure-email-and-web-manager.html?utm_source=chatgpt.com\">ccn-cert.cni.es<\/a>)<\/li>\n<li><strong>No patch yet<\/strong> \u2014 organisations are urged to harden and isolate affected appliances and, where compromise is suspected or confirmed, to rebuild them. (<a title=\"December 19 Advisory: Cisco Secure Email Gateway AsyncOS Zero-Day Exploited in the Wild [CVE-2025-20393]\" href=\"https:\/\/censys.com\/advisory\/cve-2025-20393?utm_source=chatgpt.com\">Censys<\/a>)<\/li>\n<li><strong>Industry reaction<\/strong> stresses urgency due to exploit activity, trust boundary implications, and the absence of a fix. 
(<a title=\"Cisco confirms zero-day exploitation of Secure Email products | Network World\" href=\"https:\/\/www.networkworld.com\/article\/4108547\/cisco-confirms-zero-day-exploitation-of-secure-email-products-2.html?utm_source=chatgpt.com\">Network World<\/a>)<\/li>\n<\/ul>\n<hr \/>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u00a0What Cisco Confirmed Cisco has acknowledged an actively exploited zero\u2011day vulnerability (CVE\u20112025\u201120393) affecting its Secure Email products \u2014 specifically: Cisco Secure Email Gateway Cisco Secure&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[270,90],"tags":[],"class_list":["post-18172","post","type-post","status-publish","format-standard","hentry","category-digital-marketing","category-news-update"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Cisco Confirms Active Zero-Day Exploitation Targeting Secure Email Products - Lite14 Tools &amp; Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cisco Confirms Active Zero-Day Exploitation Targeting Secure Email Products - Lite14 Tools &amp; Blog\" \/>\n<meta property=\"og:description\" content=\"\u00a0What Cisco Confirmed Cisco has acknowledged an actively exploited zero\u2011day vulnerability (CVE\u20112025\u201120393) affecting its Secure Email products \u2014 specifically: Cisco Secure Email Gateway Cisco Secure...\" \/>\n<meta 
property=\"og:url\" content=\"https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/\" \/>\n<meta property=\"og:site_name\" content=\"Lite14 Tools &amp; Blog\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-20T15:23:03+00:00\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/lite14.net\/blog\/#\/schema\/person\/551c62581e407fcec8cf1f76df97b5d2\"},\"headline\":\"Cisco Confirms Active Zero-Day Exploitation Targeting Secure Email Products\",\"datePublished\":\"2025-12-20T15:23:03+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/\"},\"wordCount\":1583,\"publisher\":{\"@id\":\"https:\/\/lite14.net\/blog\/#organization\"},\"articleSection\":[\"Digital Marketing\",\"News\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/\",\"url\":\"https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/\",\"name\":\"Cisco Confirms Active 
Zero-Day Exploitation Targeting Secure Email Products - Lite14 Tools &amp; Blog\",\"isPartOf\":{\"@id\":\"https:\/\/lite14.net\/blog\/#website\"},\"datePublished\":\"2025-12-20T15:23:03+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/lite14.net\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cisco Confirms Active Zero-Day Exploitation Targeting Secure Email Products\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/lite14.net\/blog\/#website\",\"url\":\"https:\/\/lite14.net\/blog\/\",\"name\":\"Lite14 Tools &amp; Blog\",\"description\":\"Email Marketing Tools &amp; Digital Marketing Updates\",\"publisher\":{\"@id\":\"https:\/\/lite14.net\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/lite14.net\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/lite14.net\/blog\/#organization\",\"name\":\"Lite14 Tools &amp; 
Blog\",\"url\":\"https:\/\/lite14.net\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/lite14.net\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/lite14.net\/blog\/wp-content\/uploads\/2025\/09\/cropped-lite-logo.png\",\"contentUrl\":\"https:\/\/lite14.net\/blog\/wp-content\/uploads\/2025\/09\/cropped-lite-logo.png\",\"width\":191,\"height\":178,\"caption\":\"Lite14 Tools &amp; Blog\"},\"image\":{\"@id\":\"https:\/\/lite14.net\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/lite14.net\/blog\/#\/schema\/person\/551c62581e407fcec8cf1f76df97b5d2\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/lite14.net\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/37de671670ea9023731c3f3ef83c84b6d7d6faeffecd87fb98e3ec10aecc15bd?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/37de671670ea9023731c3f3ef83c84b6d7d6faeffecd87fb98e3ec10aecc15bd?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"http:\/\/lite14.net\/blog\"],\"url\":\"https:\/\/lite14.net\/blog\/author\/admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Cisco Confirms Active Zero-Day Exploitation Targeting Secure Email Products - Lite14 Tools &amp; Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/","og_locale":"en_US","og_type":"article","og_title":"Cisco Confirms Active Zero-Day Exploitation Targeting Secure Email Products - Lite14 Tools &amp; Blog","og_description":"\u00a0What Cisco Confirmed Cisco has acknowledged an actively exploited zero\u2011day vulnerability (CVE\u20112025\u201120393) affecting its Secure Email products \u2014 specifically: Cisco Secure Email Gateway Cisco Secure...","og_url":"https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/","og_site_name":"Lite14 Tools &amp; Blog","article_published_time":"2025-12-20T15:23:03+00:00","author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. 
reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/#article","isPartOf":{"@id":"https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/"},"author":{"name":"admin","@id":"https:\/\/lite14.net\/blog\/#\/schema\/person\/551c62581e407fcec8cf1f76df97b5d2"},"headline":"Cisco Confirms Active Zero-Day Exploitation Targeting Secure Email Products","datePublished":"2025-12-20T15:23:03+00:00","mainEntityOfPage":{"@id":"https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/"},"wordCount":1583,"publisher":{"@id":"https:\/\/lite14.net\/blog\/#organization"},"articleSection":["Digital Marketing","News"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/","url":"https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/","name":"Cisco Confirms Active Zero-Day Exploitation Targeting Secure Email Products - Lite14 Tools &amp; 
Blog","isPartOf":{"@id":"https:\/\/lite14.net\/blog\/#website"},"datePublished":"2025-12-20T15:23:03+00:00","breadcrumb":{"@id":"https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/lite14.net\/blog\/2025\/12\/20\/cisco-confirms-active-zero-day-exploitation-targeting-secure-email-products\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/lite14.net\/blog\/"},{"@type":"ListItem","position":2,"name":"Cisco Confirms Active Zero-Day Exploitation Targeting Secure Email Products"}]},{"@type":"WebSite","@id":"https:\/\/lite14.net\/blog\/#website","url":"https:\/\/lite14.net\/blog\/","name":"Lite14 Tools &amp; Blog","description":"Email Marketing Tools &amp; Digital Marketing Updates","publisher":{"@id":"https:\/\/lite14.net\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/lite14.net\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/lite14.net\/blog\/#organization","name":"Lite14 Tools &amp; Blog","url":"https:\/\/lite14.net\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/lite14.net\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/lite14.net\/blog\/wp-content\/uploads\/2025\/09\/cropped-lite-logo.png","contentUrl":"https:\/\/lite14.net\/blog\/wp-content\/uploads\/2025\/09\/cropped-lite-logo.png","width":191,"height":178,"caption":"Lite14 Tools &amp; 
Blog"},"image":{"@id":"https:\/\/lite14.net\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/lite14.net\/blog\/#\/schema\/person\/551c62581e407fcec8cf1f76df97b5d2","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/lite14.net\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/37de671670ea9023731c3f3ef83c84b6d7d6faeffecd87fb98e3ec10aecc15bd?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/37de671670ea9023731c3f3ef83c84b6d7d6faeffecd87fb98e3ec10aecc15bd?s=96&d=mm&r=g","caption":"admin"},"sameAs":["http:\/\/lite14.net\/blog"],"url":"https:\/\/lite14.net\/blog\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/lite14.net\/blog\/wp-json\/wp\/v2\/posts\/18172","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lite14.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lite14.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lite14.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lite14.net\/blog\/wp-json\/wp\/v2\/comments?post=18172"}],"version-history":[{"count":1,"href":"https:\/\/lite14.net\/blog\/wp-json\/wp\/v2\/posts\/18172\/revisions"}],"predecessor-version":[{"id":18173,"href":"https:\/\/lite14.net\/blog\/wp-json\/wp\/v2\/posts\/18172\/revisions\/18173"}],"wp:attachment":[{"href":"https:\/\/lite14.net\/blog\/wp-json\/wp\/v2\/media?parent=18172"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lite14.net\/blog\/wp-json\/wp\/v2\/categories?post=18172"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lite14.net\/blog\/wp-json\/wp\/v2\/tags?post=18172"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}