
China-nexus Campaign Exploits CVE-2025-20393 in Cisco Email Security Devices (Campaign)

ID: 2804672c-a570-5ff4-b359-f9c0eafccda8

STIX ID: report--2804672c-a570-5ff4-b359-f9c0eafccda8

Feed Name: Wiz Cloud Threat Landscape

Threat Score
90/100

Date Published: 2025-12-17

Date Updated: 2026-05-01

Author: [email protected] (Wiz Threat Research)

...
...

Cisco disclosed an active exploitation campaign targeting a zero-day (CVE-2025-20393) in Cisco Secure Email Gateway and related management appliances. The flaw allows remote code execution when the Spam Quarantine feature is exposed to the internet. Talos attributes the intrusions to UAT-9686, assessed as a China-nexus state-backed actor, and observed deployment of multiple malicious tools (AquaShell, AquaPurge, AquaTunnel and Chisel); no patch or workaround was available at the time of disclosure.
