
Cisco has issued a grave warning regarding a newly identified critical vulnerability affecting several of its widely-used products. This flaw allows hackers to completely seize control of the impacted devices, and alarmingly, there are no available patches to address the issue at this time.
In a security advisory released on Wednesday, the company disclosed that a hacking campaign had been initiated on December 10, targeting its Cisco AsyncOS software. Specifically, the campaign is focused on Cisco Secure Email Gateway, Cisco Secure Email, and Web Manager appliances. The vulnerability affects devices that have the 'Spam Quarantine' feature enabled, which, while not active by default, is accessible from the internet.
Michael Taggart, a senior cybersecurity researcher at UCLA Health Sciences, noted that the requirement for an internet-facing management interface and certain enabled features may help to limit the attack surface related to this vulnerability. However, Kevin Beaumont, a security researcher monitoring hacking activities, expressed concern about the implications of this campaign. He emphasized that many large organizations utilize these affected products, and without patches available, the scope of the threat is particularly concerning. The duration for which hackers may have had backdoor access to the systems remains uncertain.
Currently, Cisco has not disclosed the number of customers impacted by this vulnerability. When approached for further details, a Cisco spokesperson stated that the company is actively investigating the situation and working on a permanent solution. For now, Cisco's recommended course of action for affected customers is to wipe and rebuild the software on their products, as no patches exist. The advisory indicated that in cases of confirmed compromise, rebuilding the appliances is the only effective way to eliminate any persistent threats.
According to Cisco Talos, the company’s threat intelligence team, the hackers exploiting this vulnerability are linked to China and other known government-linked hacking groups. Their research reveals that this campaign has been active since at least late November 2025, taking full advantage of the zero-day vulnerability to establish persistent backdoors in the affected systems.