Cisco Customers Vulnerable to New Chinese Hacking Campaign

Summary
– Cisco disclosed that Chinese state-backed hackers are exploiting a vulnerability (CVE-2025-20393) in popular products like its Secure Email Gateway.
– Security researchers estimate the scale is limited, with potentially hundreds, not thousands, of customer systems exposed globally.
– The vulnerability is a zero-day affecting internet-exposed systems with a specific “spam quarantine” feature enabled, which is not a default setting.
– No security patch is available; Cisco’s only current remediation advice for a confirmed breach is to completely wipe and rebuild the affected appliance.
– Cisco’s Talos unit reports this targeted hacking campaign has been active since at least late November 2025.
A newly identified hacking campaign linked to Chinese state-sponsored actors is actively exploiting a critical vulnerability in several popular Cisco products, putting enterprise customers at risk. Cisco disclosed that hackers are targeting systems running its Secure Email Gateway and Secure Email and Web Manager software. While the exact number of compromised organizations remains unclear, initial scans suggest the exposure is currently limited to hundreds of systems rather than many thousands.
Security researchers monitoring the situation indicate the attacks appear highly targeted. The nonprofit Shadowserver Foundation, which scans the internet for malicious activity, estimates the scale is “more in the hundreds rather than thousands or tens of thousands.” Their tracking page for the flaw, officially designated CVE-2025-20393, shows affected systems primarily located in India, Thailand, and the United States. This vulnerability is classified as a zero-day, meaning it was discovered and weaponized by attackers before a security patch could be developed and distributed.
Independent analysis from cybersecurity firm Censys aligns with this assessment. They have observed approximately 220 internet-exposed Cisco email gateways that are vulnerable to exploitation. The attack surface is limited by two specific conditions: the system must be accessible from the public internet and have the “spam quarantine” feature enabled. Cisco notes that neither setting is active by default, which significantly reduces the number of potentially susceptible appliances.
The most pressing issue for customers is the current absence of a software patch. In its security advisory, Cisco states that the only confirmed method to remediate a compromised system is to completely wipe and rebuild the affected appliance from a known secure backup. “In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors’ persistence mechanism from the appliance,” the company advised. According to Cisco’s threat intelligence team, Talos, this campaign has been ongoing since at least late November 2025.
Cisco has not publicly confirmed the data from external researchers like Shadowserver and Censys, nor has it provided specific details on which companies have been targeted. The company continues to recommend that customers review their configurations to ensure vulnerable systems are not exposed to the internet unnecessarily while awaiting further guidance and eventual security updates.
(Source: TechCrunch)