Hundreds of Cisco customers are vulnerable to new Chinese hacking campaign, researchers say
On Wednesday, Cisco disclosed that a faction of Chinese government-backed hackers is exploiting a critical vulnerability to target its enterprise clients using some of its most widely deployed products. The company has not specified how many of its customers have already fallen victim to these intrusions or how many might be operating vulnerable systems. Security experts now estimate that several hundred Cisco customers could potentially be affected. Piotr Kijewski, CEO of the nonprofit Shadowserver Foundation, which tracks internet-based hacking efforts, indicated that the number of exposed systems seems to be in the hundreds rather than in the thousands or tens of thousands. Shadowserver is monitoring the situation closely and notes that the attack activity appears targeted rather than widespread.
The vulnerability in question, designated CVE-2025-20393, is a zero-day flaw, meaning it was being exploited in the wild before Cisco could release a patch. Shadowserver maintains a tracking page that identifies exposed and vulnerable systems, and its data shows that countries including India, Thailand, and the United States each have dozens of such systems within their borders. Censys, a cybersecurity company that observes hacking incidents globally, reports identifying 220 Cisco email gateways exposed on the internet that are susceptible to the flaw. These gateways are among the products known to harbor the vulnerability Cisco highlighted in its recent security advisory.
Cisco’s advisory states that the vulnerability affects software embedded in multiple products such as the Secure Email Gateway and the Secure Email and Web Manager. However, exploitation is feasible only if the system is accessible from the internet and has the “spam quarantine” feature activated—a configuration disabled by default. This might explain the relatively limited number of vulnerable systems detected publicly. Despite requests for comment regarding the veracity of these exposure estimates from Shadowserver and Censys, Cisco has remained silent.
A significant concern with this campaign is the absence of available patches. Cisco advises customers to wipe and restore any affected appliances to a known-good state as the only way to mitigate a potential breach. Its guidance states that rebuilding compromised devices is presently the sole effective method to eliminate the persistence mechanisms employed by the threat actors. Cisco’s Talos threat intelligence division notes that this hacking operation has been ongoing since at least late November 2025, signaling a persistent and targeted espionage effort.