A Chinese state-sponsored hacking group is exploiting a previously unknown vulnerability – a “zero-day” flaw – in several popular Cisco products, putting hundreds of enterprise customers at risk. The campaign, which has been active since at least late November 2025, targets internet-accessible systems that have the spam quarantine feature enabled.
The Vulnerability and Affected Products
The vulnerability, officially tracked as CVE-2025-20393, exists within Cisco’s Secure Email Gateway and Secure Email and Web Manager. Unlike many flaws, this one was found being exploited in the wild before Cisco had a patch available, leaving businesses with limited immediate options.
Limited, Targeted Exploitation
While Cisco has not disclosed the exact number of compromised systems, independent researchers estimate the exposure to be “in the hundreds rather than thousands.” The attacks appear highly targeted, rather than widespread, suggesting a focus on specific high-value organizations. As of this week, dozens of affected systems have been identified in India, Thailand, and the United States.
Censys, a cybersecurity firm, has observed 220 internet-exposed Cisco email gateways vulnerable to the flaw.
No Patch Available: Radical Remediation Required
The most critical issue is the lack of a software patch. Cisco advises affected customers to completely wipe and rebuild their appliances as the only guaranteed way to eliminate the threat.
“In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actor's persistence mechanism from the appliance.”
This drastic measure highlights the severity of the breach. The hackers are not simply stealing data; they are establishing persistent access, making complete system restoration necessary to ensure security.
Why This Matters
Zero-day exploits are among the most dangerous cyber threats because they bypass standard defenses. Nation-state hacking campaigns, like this one, are often motivated by espionage, intellectual property theft, or strategic disruption. The fact that the attacks are targeted suggests that Cisco customers in specific industries or geopolitical regions are being prioritized.
The incident underscores the need for proactive threat intelligence, rapid vulnerability response, and robust incident recovery plans. It also highlights the growing risk of supply chain attacks, where vulnerabilities in widely used software become leverage points for sophisticated adversaries.
The absence of a patch means that organizations must rely on extreme measures to secure their systems. This situation will likely remain volatile until Cisco develops and distributes a fix.
