
Cisco warns of active exploits targeting unpatched flaw that enables full device takeover

By Jolyen

Dec 18, 2025


Cisco has disclosed an active hacking campaign exploiting a critical vulnerability in several of its widely used products, allowing attackers to fully take over affected devices while no security patch is currently available. The company said the activity targets specific configurations of its email security appliances and has already been observed in real-world attacks.

Products and conditions affected

In a security advisory issued on Wednesday, Cisco said it identified the campaign on December 10. The attacks target Cisco AsyncOS software running on both physical and virtual versions of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.

Cisco said the vulnerability affects devices that have the “Spam Quarantine” feature enabled and are reachable from the internet. The company noted that the feature is not enabled by default and does not need to be exposed externally, which limits the number of potentially affected systems.

Michael Taggart, a senior cybersecurity researcher at UCLA Health Sciences, told TechCrunch that the requirement for an internet-facing management interface combined with specific features being enabled reduces the overall attack surface.

Severity and uncertainty around exposure

Despite those limitations, security researchers said the campaign poses serious risks. Kevin Beaumont, a researcher who tracks large-scale hacking activity, told TechCrunch that the situation is concerning because many large organizations use the affected products, no patch exists, and it remains unclear how long attackers may have maintained access.

Cisco has not disclosed how many customers have been compromised.

When contacted by TechCrunch, Cisco spokesperson Meredith Corley declined to answer detailed questions, saying only that the company is actively investigating the issue and working on a permanent fix.

No patch, limited mitigation options

Cisco said there is currently no patch or software update that addresses the vulnerability. As a result, the company is advising customers who confirm a compromise to wipe and rebuild the affected appliances.

“In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actor’s persistence mechanism from the appliance,” Cisco said in its advisory.

Attribution and timeline

Cisco Talos, the company’s threat intelligence unit, said the hacking activity is linked to China and overlaps with tactics used by known Chinese state-backed groups. In a blog post, Talos researchers said attackers are exploiting the vulnerability as a zero-day to install persistent backdoors on affected systems.

According to Cisco Talos, the campaign has been active “since at least late November 2025,” raising further questions about how long compromised devices may have been under attacker control.

