Hundreds of Cisco customers are vulnerable to new Chinese hacking campaign, researchers say


On Wednesday, Cisco reported that a group of hackers believed to be supported by the Chinese government is exploiting a vulnerability to target enterprise customers using some of the company’s widely used products. Although Cisco has not disclosed how many customers may have been compromised or are operating vulnerable systems, security experts warn that potentially hundreds of Cisco clients could be at risk.

Piotr Kijewski, CEO of the nonprofit Shadowserver Foundation, which monitors internet hacking activities, informed TechCrunch that the extent of the exposure appears to be in the hundreds, rather than thousands. Kijewski noted that current attacks seem to be highly targeted, which may explain why widespread activity has not been observed.

Shadowserver is actively tracking the number of systems vulnerable to a flaw identified as CVE-2025-20393, classified as a zero-day vulnerability since it was uncovered before Cisco could issue patches. As of the latest updates, countries including India, Thailand, and the United States have reported dozens of affected systems. Censys, another cybersecurity firm, has also identified a limited number of vulnerable Cisco customers, noting 220 internet-exposed Cisco email gateways among the compromised products.

Cisco's recent security advisory highlighted that the vulnerability affects software in multiple products, including the Secure Email Gateway and Secure Email and Web Manager. These systems are vulnerable only if they are accessible from the internet and have the “spam quarantine” feature enabled—conditions that are not set by default, which could account for the seemingly low number of vulnerable systems online. Despite the alarming situation, Cisco has not confirmed the figures reported by Shadowserver and Censys.

The pressing issue is the lack of available patches. To mitigate the risks, Cisco advises affected customers to wipe and restore compromised appliances to a secure state. The company emphasized that in cases of confirmed breaches, rebuilding the appliances is currently the sole effective method to eliminate the threat actors' mechanisms. According to Cisco’s threat intelligence unit, Talos, this hacking campaign has been active since at least late November 2025, raising concerns about the ongoing nature of the threat.

Source: TechCrunch

Published On: Dec 19, 2025, 20:25
