Cisco Zero-Day Exploit: Chinese Hackers Targeting Customers

December 17, 2025
Cisco Products Targeted by Critical Vulnerability

Cisco revealed on Wednesday that a significant security flaw in its products is being actively exploited by malicious actors. The vulnerability grants complete control over compromised devices, and, crucially, no software update is yet available to address it.

Details of the Security Advisory

A security notification from Cisco details the discovery of a hacking operation initiated on December 10th. The campaign specifically targets devices running Cisco AsyncOS software, including the Cisco Secure Email Gateway, Cisco Secure Email, and Cisco Secure Web Manager – both in their physical and virtual appliance forms.

The advisory clarifies that systems affected by this vulnerability have the “Spam Quarantine” feature activated and are accessible from the public internet.

Attack Surface Considerations

Cisco points out that the “Spam Quarantine” feature is not enabled by default and does not require internet exposure, which limits the population of devices that can be reached through this flaw. Michael Taggart, a senior cybersecurity researcher at UCLA Health Sciences, explained to TechCrunch that the requirement for an internet-facing management interface combined with a specifically enabled feature will restrict the scope of this vulnerability.

Severity of the Campaign

However, Kevin Beaumont, a security researcher who tracks hacking activity, told TechCrunch that this represents a particularly serious situation: many large organizations use the impacted products, patches are currently unavailable, and how long the hackers have been present within affected systems remains uncertain.

Currently, Cisco has not disclosed the number of customers impacted by this vulnerability.

Cisco's Response

When contacted by TechCrunch, Cisco spokesperson Meredith Corley declined to respond to direct inquiries. Instead, she stated that the company is actively investigating the problem and working towards a lasting solution.

Recommended Remediation

Given the lack of a patch, Cisco’s current recommendation to customers is a complete reinstallation of the affected products’ software. This is considered the only effective method of eliminating the threat actors’ persistent access.

“In the event of a confirmed compromise, rebuilding the appliances is, at present, the sole viable option to remove the threat actors’ persistence mechanism from the appliance,” the company stated.

Attribution and Timeline

According to Cisco Talos, the company’s threat intelligence division, the hackers behind this campaign are associated with China and with other groups known to be linked to the Chinese government. Talos published its findings in a blog post detailing the hacking operation.

Researchers indicate that the attackers are exploiting a zero-day vulnerability to establish persistent backdoors. This campaign has been underway “since at least late November 2025.”

Tags: cisco, zero-day, exploit, chinese hackers, cybersecurity, vulnerability