Multiple threat campaigns are actively targeting Cisco VPN and email services through exploitation of CVE-2025-20393. Threat actors including APT41, UAT-9686, and UNC5174 are deploying custom toolsets such as AquaShell, AquaTunnel, and ReverseSSH to establish persistent access and maintain command and control.