Cisco announced on Wednesday that hackers are exploiting a critical zero-day vulnerability in several of its popular products, enabling full takeover of affected devices. No patches are currently available.
The company disclosed the hacking campaign in a security advisory, stating it discovered the activity on December 10. The attacks target Cisco AsyncOS software used in physical and virtual appliances, including Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. Vulnerable devices have the “Spam Quarantine” feature enabled and are accessible from the internet. Cisco noted that this feature is not enabled by default and does not require internet exposure.
Michael Taggart, a senior cybersecurity researcher at UCLA Health Sciences, told TechCrunch that “the requirement of an internet-facing management interface and certain features being enabled will limit the attack surface for this vulnerability.”
Kevin Beaumont, a security researcher who tracks hacking campaigns, described the situation to TechCrunch as particularly problematic. He pointed out that many large organizations use the affected products, no patches exist, and the duration of the hackers’ backdoors in compromised systems remains unclear. Cisco has not disclosed the number of affected customers.
Cisco spokesperson Meredith Corley told TechCrunch that the company “is actively investigating the issue and developing a permanent remediation.” She did not respond to additional questions. In the advisory, Cisco recommends wiping and rebuilding affected appliances as the only current option to remove the threat actors’ persistence mechanisms. The advisory states: “In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors’ persistence mechanism from the appliance.”
Cisco Talos, the company’s threat intelligence team, linked the hackers to China and known Chinese government hacking groups in a blog post. Talos reported that the actors are using the zero-day vulnerability to install persistent backdoors. The campaign has been active since at least late November 2025.