Have you ever wondered what happens when attackers discreetly infiltrate company security systems undetected for weeks? Discover how Cisco responded to such an infiltration by releasing a critical update to protect its customers from China-linked hackers.
The 3 must-know facts
Cisco Talos analysts detected anomalies on some customer equipment, revealing administrative connections of unknown origin. These unauthorized accesses were made possible by a software flaw tracked as CVE-2025-20393.
The attackers were able to infiltrate the systems without providing valid credentials, installing persistent access. They created accounts, modified system files, and integrated scripts capable of surviving reboots. This infiltration aimed to establish a stable presence rather than a temporary intrusion.
Cisco quickly responded by releasing a security update to cut off the hackers’ access. However, patching the flaw did not remove the access the attackers had already established. Companies therefore had to review their configurations and inspect their activity logs.
IT teams often discovered accounts or scheduled tasks without a clear origin, sometimes requiring a complete reinstallation of systems to restore a healthy environment.
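The review described above amounts to comparing what is on the device now against what should be there, and reading the audit trail for administrative activity that never went through authentication. The following script is an added illustration of that check, not code from Cisco or from the article: the baseline, the current-state snapshot, the audit log and its `<timestamp> EVENT key=value` layout are all constructed for the example and do not represent any vendor's real export or log format.

```python
"""Post-patch review: find accounts, scheduled tasks and admin sessions that have no
legitimate origin. All data below is constructed for this example."""
import re
from datetime import datetime

# Constructed baseline, as it would be taken from change records made before the incident.
BASELINE_ACCOUNTS = {"admin", "backup-svc", "monitor"}
BASELINE_TASKS = {"nightly-backup", "log-rotate"}

# Constructed snapshot of the device's state exported after the update was applied.
CURRENT_ACCOUNTS = {"admin", "backup-svc", "monitor", "sysupd"}
CURRENT_TASKS = {"nightly-backup", "log-rotate", "health-check"}

# Constructed audit log. The "<timestamp> <EVENT> key=value ..." layout is an
# assumption made for this example, not any vendor's actual format.
AUDIT_LOG = """\
2025-01-10T02:11:04Z AUTH_OK user=admin src=10.0.5.20
2025-01-10T02:11:05Z ADMIN_SESSION user=admin src=10.0.5.20
2025-01-12T23:40:17Z ADMIN_SESSION user=admin src=198.51.100.77
2025-01-12T23:41:02Z ACCOUNT_CREATE user=sysupd by=admin
2025-01-12T23:42:30Z TASK_ADD name=health-check by=admin
2025-01-13T09:00:00Z AUTH_OK user=monitor src=10.0.5.31
2025-01-13T09:00:01Z ADMIN_SESSION user=monitor src=10.0.5.31
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) (?P<rest>.*)$")


def parse_log(text):
    """Turn each log line into a dict with 'ts', 'event' and the key=value fields."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines that do not fit the assumed layout are ignored
        rec = {"ts": m.group("ts"), "event": m.group("event")}
        for kv in m.group("rest").split():
            key, _, value = kv.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def _ts(s):
    # fromisoformat() needs "+00:00" rather than "Z" on older Python versions
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def sessions_without_auth(records, window_seconds=60):
    """Admin sessions not preceded by AUTH_OK for the same user within the window.

    A session with no matching authentication event is the trace one would expect
    from access obtained without valid credentials."""
    last_auth = {}
    flagged = []
    for r in records:
        if r["event"] == "AUTH_OK":
            last_auth[r["user"]] = _ts(r["ts"])
        elif r["event"] == "ADMIN_SESSION":
            prev = last_auth.get(r["user"])
            if prev is None or (_ts(r["ts"]) - prev).total_seconds() > window_seconds:
                flagged.append((r["ts"], r["user"], r.get("src", "?")))
    return flagged


def review(baseline_accounts, baseline_tasks, current_accounts, current_tasks, log_text):
    """Return every finding the post-patch review should surface."""
    records = parse_log(log_text)
    return {
        # present on the device but absent from the change records
        "unknown_accounts": sorted(current_accounts - baseline_accounts),
        "unknown_tasks": sorted(current_tasks - baseline_tasks),
        # administrative sessions that never authenticated
        "unauthenticated_admin_sessions": sessions_without_auth(records),
        # account creations for names the baseline does not know
        "creations_of_unknown_accounts": sorted(
            r["user"] for r in records
            if r["event"] == "ACCOUNT_CREATE" and r["user"] not in baseline_accounts
        ),
    }


if __name__ == "__main__":
    for finding, items in review(BASELINE_ACCOUNTS, BASELINE_TASKS,
                                 CURRENT_ACCOUNTS, CURRENT_TASKS, AUDIT_LOG).items():
        print(f"{finding}: {items}")
```

On the constructed data the review flags the `sysupd` account, the `health-check` task, the creation of `sysupd`, and one administrative session from 198.51.100.77 that has no authentication event within the window. The point of the baseline comparison is the one the article makes: the update closes the flaw, but anything created through it stays on the device until someone looks for it, and a time-bounded authentication check reads the log the way an analyst would rather than trusting the session list alone.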
Messaging equipment, essential to companies’ daily operations, had to be temporarily shut down for maintenance. This required careful coordination to minimize the impact on users.
This situation highlighted an organizational weakness: insufficient monitoring of intermediary equipment, which is often overlooked as long as it operates without visible incident.
The hacking operations were attributed to the UAT-9686 group, known for its discreet and prolonged access methods, already observed in other China-related campaigns. Cisco based this attribution on technical elements such as the methods used, the timing of the activity, and certain infrastructure.
This group distinguished itself by its ability to exploit software vulnerabilities to gain unauthorized access to target systems, underscoring the importance for companies to maintain constant vigilance and regularly update their security systems.