On Wednesday, Cisco revealed that a group of Chinese government-backed hackers is exploiting a vulnerability to target its business customers who use some of the company’s most popular products.
Cisco has not said how many of its customers have already been hacked or may be using vulnerable systems. Now, security researchers say there are hundreds of Cisco customers who could potentially be hacked.
Piotr Kijewski, the CEO of the nonprofit Shadowserver Foundation that scans and monitors the Internet for hacking campaigns, told TechCrunch that the scale of the exposure “seems more in the hundreds than thousands or tens of thousands.”
Kijewski said the foundation is not seeing widespread activity, possibly because “current attacks are being targeted.”
Shadowserver has a page where it tracks the number of systems exposed and vulnerable to the flaw disclosed by Cisco, officially tracked as CVE-2025-20393. The vulnerability is known as a zero-day because attackers were exploiting it before the company had a patch available. So far, India, Thailand and the United States collectively have dozens of affected systems within their borders.
Censys, a cybersecurity firm that monitors hacking activity online, also sees a limited number of Cisco customers affected. According to a blog post, Censys observed 220 web-exposed Cisco email gateways, one of the products known to be vulnerable.
Contact us
Do you have more information about this hacking campaign, for example which companies were targeted? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, via Telegram and Keybase @lorenzofb, or via email.
In its security advisory published earlier this week, Cisco said the vulnerability is present in software found in several products, including Secure Email Gateway and Secure Email and Web Manager.
Cisco said these systems are only vulnerable if they are reachable from the Internet and have the “spam quarantine” feature enabled. Neither condition is enabled by default, per Cisco, which would explain why there appear to be relatively few vulnerable systems exposed on the Internet.
Cisco did not respond to a request for comment asking whether it could confirm the numbers seen by Shadowserver and Censys.
The biggest problem for defenders in this hacking campaign is that there are no patches available. Cisco recommends that customers wipe and “restore an affected device to a secure state” as the way to remediate a breach.
“In the event of a confirmed compromise, re-imaging the devices is currently the only viable option to remove the threat persistence mechanism from the device,” the company wrote in its advisory.
According to Cisco’s threat intelligence arm, Talos, the hacking campaign has been ongoing since “at least late November 2025.”
