On Wednesday, Cisco announced that hackers are exploiting a critical vulnerability in some of its most popular products that allows a complete takeover of affected devices. Even worse, there are no patches available right now.
In a security advisory, Cisco said it discovered a hacking campaign on Dec. 10 that targeted Cisco AsyncOS software, specifically the physical and virtual Cisco Secure Email Gateway, Cisco Secure Email, and Web Manager appliances. The advisory said the affected devices have a feature called “Spam Quarantine” enabled and are accessible from the internet.
Cisco noted that this feature is not enabled by default and does not need to be exposed to the internet, which may be good news. Michael Taggart, senior cybersecurity researcher at UCLA Health Sciences, told TechCrunch that “requiring an internet-facing management interface and enabling certain features will limit the attack surface for this vulnerability.”
However, Kevin Beaumont, a security researcher who tracks hacking campaigns, told TechCrunch that this appears to be a particularly problematic hacking campaign, as many large organizations use the affected products, no patches are available, and it’s unclear how long the hackers have had backdoors on the affected systems.
At this point, Cisco is not saying how many customers are affected.
When reached by TechCrunch, Cisco spokeswoman Meredith Corley did not respond to a series of questions, instead saying the company is “actively investigating the issue and developing a permanent fix.”
The solution that Cisco is recommending to customers at this time is essentially to wipe and rebuild the software on the affected products, as there is no fix available.
“In the event of a confirmed compromise, refactoring the devices is currently the only viable option to remove the threat persistence mechanism from the device,” the company wrote.
The hackers behind the campaign are linked to China and to other known Chinese government hacking groups, according to Cisco Talos, the company’s threat intelligence research group, which published a blog post about the hacking campaign.
The researchers wrote that the hackers are exploiting the vulnerability, which at this point is a zero-day, to install persistent backdoors, and that the campaign has been ongoing “since at least late November 2025.”
