The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive adding three critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling that hackers are actively weaponizing these flaws in the wild.
Topping the list is CVE-2025-20393, a zero-day vulnerability in Cisco’s Secure Email Gateway (SEG) and Web Manager (SEWM) appliances that carries a CVSS score of 10/10.
This “maximum-severity” flaw allows unauthenticated attackers to execute arbitrary commands with root privileges on the appliance. The issue stems from improper input validation in the Spam Quarantine feature when that feature is exposed to the internet.
According to Cisco Talos, a Chinese-nexus threat group tracked as UAT-9686 is already exploiting this flaw. The group is deploying a suite of custom malware, including the AquaShell persistent backdoor and AquaPurge, a tool designed to scrub logs and hide their tracks. “We assess with moderate confidence that the adversary… is a Chinese-nexus advanced persistent threat (APT) actor,” researchers noted.
CISA also flagged a critical situation involving SonicWall SMA1000 appliances. While the advisory highlights a specific vulnerability (often linked to the management console), the real danger comes from attackers chaining it with a previous flaw, CVE-2025-23006.
Attackers are combining these vulnerabilities to achieve a complete system takeover. The report notes that attackers “chained this vulnerability with a critical-severity SMA1000 pre-authentication deserialization flaw… to achieve unauthenticated remote code execution with root privileges”.
This “exploit chain” turns the device into an open door for intruders. Federal agencies have been given a tight deadline of December 24, 2025, to patch this specific threat.
The third addition is a blast from the past with modern consequences. CVE-2025-59374 (CVSS 9.3) affects the ASUS Live Update client, a utility that reached End-of-Support (EOS) back in 2021.
Despite being obsolete, the software is being exploited through a sophisticated “supply chain compromise.” Unauthorized modifications introduced into the update client allow attackers to force devices to “perform unintended actions” if they meet specific targeting conditions. Because the software is no longer supported, it represents a “zombie” risk: unpatched and lurking on older systems.