Cisco has confirmed that a group of hackers linked to the Chinese government is actively exploiting a previously unknown vulnerability to compromise enterprise customers using some of its most widely deployed security products.
While Cisco has not disclosed how many organizations have already been breached or are still at risk, independent researchers say the number of potentially affected customers is in the hundreds.
According to Piotr Kijewski, CEO of the nonprofit Shadowserver Foundation, which monitors large-scale internet threats, the exposure “appears to be in the hundreds rather than thousands or tens of thousands.” Shadowserver is currently tracking systems affected by the flaw, officially identified as CVE-2025-20393.
The vulnerability is classified as a zero-day, meaning attackers discovered and exploited it before Cisco was able to release a fix. So far, Shadowserver data shows dozens of exposed systems in countries including India, Thailand, and the United States. Kijewski noted that activity remains relatively limited, likely because the attacks are highly targeted rather than opportunistic.
Similar findings have been reported by Censys, a cybersecurity firm that scans internet-connected infrastructure. In a recent blog post, Censys said it identified 220 internet-exposed Cisco email gateways affected by the flaw. These gateways are among the products confirmed to be vulnerable.
In a security advisory published earlier this week, Cisco stated that the issue impacts software used in products such as Secure Email Gateway and Secure Email and Web Manager. The company emphasized that systems are only vulnerable if they are directly reachable from the internet and have the “spam quarantine” feature enabled. Neither setting is enabled by default, which may explain the relatively limited number of exposed systems.
Cisco has not responded to requests to confirm the exposure figures reported by Shadowserver and Censys.
The most serious concern for customers is that no security patch is currently available. Cisco advises affected organizations to wipe compromised devices and restore them to a known secure state. In cases where a breach is confirmed, the company says a full rebuild of the appliance is currently the only way to remove the attackers’ persistence mechanisms.
Cisco’s threat intelligence unit, Talos, reports that the campaign has been active since at least late November 2025, underscoring the urgency for organizations to review their exposure and take defensive action.