Cisco, SonicWall Disclose New Attacks Exploiting Zero-Day Flaws

The two vendors revealed details about the cyberattacks in separate disclosures Wednesday.

Zero-day vulnerabilities in Cisco and SonicWall products have been exploited in new cyberattack campaigns, the vendors disclosed Wednesday.

The companies shared details about the attacks, which are not related, in separate disclosures online. Fixes are available for the SonicWall vulnerability, which impacts the vendor’s SMA1000 Appliance Management Console—though as of this writing, patches were not yet available for the Cisco vulnerability.

The Cisco flaw, which is considered a maximum-severity vulnerability, has been exploited to target Cisco Secure Email Gateway systems as well as Cisco Secure Email and Web Manager, according to the company.

In a statement provided to CRN Wednesday, Cisco said that the “new cyberattack campaign [has been] targeting a limited subset of devices with certain ports open to the internet that are running Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.”

The vulnerability (tracked as CVE-2025-20393) has received a severity score of 10.0 out of 10.0.

There are no workarounds available for the issue so far, according to the Cisco advisory. However, “we strongly urge customers to follow guidance in the advisory to assess any exposure and mitigate risk,” Cisco said in the statement.

“Cisco is actively investigating the issue and developing a permanent remediation,” the company said.

In a separate post Wednesday, the Cisco Talos threat research team pointed to evidence that a China-linked threat group, tracked as UAT-9686, has been detected exploiting the vulnerability.

“We have observed overlaps in tactics, techniques and procedures (TTPs), infrastructure, and victimology between UAT-9686 and other Chinese-nexus threat actors Talos tracks,” the Talos researchers wrote.

Meanwhile, the zero-day SonicWall SMA1000 vulnerability (tracked as CVE-2025-40602) has been exploited in attacks in combination with a previously disclosed flaw, according to a SonicWall advisory.

The zero-day is a local privilege escalation vulnerability with a severity score of 6.6 out of 10.0, while the previously disclosed bug, tracked as CVE-2025-23006 and fixed in January, is considered a critical-severity issue with a score of 9.8 out of 10.0.

In its advisory Wednesday, SonicWall said that the zero-day SMA1000 flaw “was reported to be leveraged in combination with CVE-2025-23006 (CVSS score 9.8) to achieve unauthenticated remote code execution with root privileges.”

Patches are available in SMA1000 versions 12.4.3-03245 (platform-hotfix) and higher, as well as 12.5.0-02283 (platform-hotfix) and higher, SonicWall said.

“Customer exposure would be significantly reduced for those who had already applied the January 2025 patch for CVE-2025-23006 (CVSS 9.8), because exploiting CVE-2025-40602 requires a high-privilege local system account,” SonicWall said in a statement provided to CRN. “SonicWall strongly encourages all customers to remain current with patches and updates to ensure full protection.”