On Wednesday, Cisco announced hackers are exploiting a critical vulnerability in some of its most popular products that allows the full takeover of affected devices. Worse, there are no patches available at this time.
In a security advisory, Cisco said it discovered a hacking campaign on December 10 targeting Cisco AsyncOS software, and in particular the physical and virtual appliances Cisco Secure Email Gateway, Cisco Secure Email, and Web Manager. The advisory said affected devices have a feature called “Spam Quarantine” enabled and are reachable from the internet.
Cisco noted that this feature is not enabled by default and does not need to be exposed to the internet, which may be good news. Michael Taggart, a senior cybersecurity researcher at UCLA Health Sciences, told TechCrunch that “the requirement of an internet-facing management interface and certain features being enabled will limit the attack surface for this vulnerability.”
However, Kevin Beaumont, a security researcher who tracks hacking campaigns, told TechCrunch that this appears to be a particularly problematic hacking campaign since a lot of big organizations use the affected products, there are no patches available, and it’s unclear how long the hackers had backdoors in the affected systems.
At this point Cisco is not saying how many customers are affected.
When reached by TechCrunch, Cisco spokesperson Meredith Corley did not answer a series of questions, and instead said that the company “is actively investigating the issue and developing a permanent remediation.”
Contact Us
Do you have more information about this hacking campaign? Such as what companies were targeted? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.
The solution Cisco is suggesting to customers right now is essentially to wipe and rebuild the affected products’ software, as there is no patch available.
“In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors persistence mechanism from the appliance,” the company wrote.
The hackers behind the campaign are linked to China and other known Chinese government hacking groups, according to Cisco Talos, the company’s threat intelligence research team, which published a blog post about the hacking campaign.
The researchers wrote that the hackers are taking advantage of the vulnerability, which at this point is a zero-day, to install persistent backdoors, and that the campaign has been ongoing “since at least late November 2025.”
