Cisco Warns of Chinese Hackers Using New Zero-Day

Summary
– Cisco announced hackers are exploiting a critical, unpatched vulnerability that allows full takeover of certain popular email security appliances.
– The attack targets devices running Cisco AsyncOS with the “Spam Quarantine” feature enabled and exposed to the internet, though this is not the default configuration.
– Security researchers note the attack surface may be limited but warn the campaign is problematic due to the widespread use of affected products and lack of a patch.
– Cisco’s current remediation advice for compromised devices is to completely wipe and rebuild the software, as no permanent fix is yet available.
– Cisco’s threat intelligence team links the hackers to China, stating they have used this zero-day to install backdoors since at least late November 2025.
Cisco has issued a critical warning regarding an active hacking campaign exploiting a newly discovered zero-day vulnerability in several of its widely used security appliances. The flaw allows attackers to completely take over affected devices, and no official software patch is currently available to fix the issue. The company’s investigation indicates the threat actors are linked to Chinese state-sponsored hacking groups, raising significant concerns for organizations relying on these products for their cybersecurity.
The vulnerability targets Cisco’s AsyncOS software, specifically impacting physical and virtual appliances running Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. According to Cisco’s security advisory, exploitation requires a specific configuration: the “Spam Quarantine” feature must be enabled, and the device’s management interface must be accessible from the public internet. This is not the default configuration, which may limit the overall number of vulnerable systems. Security experts note that this requirement reduces the immediate attack surface, as many organizations do not expose these management interfaces online.
Despite this mitigating factor, the situation remains severe. The absence of a patch means organizations with exposed and configured systems have no straightforward way to secure them against this threat. Furthermore, the hacking campaign has been active since at least late November, giving attackers a potentially lengthy window to establish persistent backdoors within compromised networks. Researchers tracking the activity express particular concern because the affected Cisco products are deployed by many large enterprises and government entities, amplifying the potential impact.
Cisco has not disclosed how many of its customers may be affected by the ongoing attacks. When questioned, a company spokesperson stated that Cisco is actively investigating and working on a permanent fix. In the interim, the guidance for customers is stark. If a device is confirmed to be compromised, the only recommended course of action is to completely wipe and rebuild the appliance’s software from a clean source. This process is necessary to remove any backdoors or persistence mechanisms installed by the hackers.
The attribution to Chinese threat actors comes from Cisco’s own Talos intelligence team, which published a detailed analysis of the campaign. The team linked the tools and techniques used in these attacks to other known operations conducted by groups affiliated with the Chinese government. This connection underscores the sophisticated and persistent nature of the threat, suggesting a strategic intelligence-gathering motive rather than random criminal activity. Organizations using the implicated Cisco products are urged to review their configurations immediately, disable internet-facing management interfaces if possible, and monitor for any signs of unauthorized access.
(Source: TechCrunch)