Cisco has disclosed that a critical zero-day vulnerability in several of its products is being exploited by hackers, allowing full takeover of affected devices, with no patches currently available to mitigate the threat.
The company discovered the hacking campaign on December 10 and issued a security advisory warning of the attacks, which target the Cisco AsyncOS software used in various appliances, including Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The vulnerability is exploitable on devices that have the “Spam Quarantine” feature enabled and accessible from the internet, although Cisco notes that this feature is not enabled by default and does not require internet exposure.
According to Michael Taggart, a senior cybersecurity researcher at UCLA Health Sciences, “the requirement of an internet-facing management interface and certain features being enabled will limit the attack surface for this vulnerability.” However, Kevin Beaumont, a security researcher, described the situation as particularly problematic due to the widespread use of the affected products among large organizations, the lack of available patches, and the uncertainty surrounding the duration of the hackers’ backdoors in compromised systems. Notably, Cisco has not disclosed the number of affected customers.
Cisco spokesperson Meredith Corley stated that the company “is actively investigating the issue and developing a permanent remediation.” In the meantime, the company’s advisory recommends wiping and rebuilding affected appliances as the only current option to remove the threat actors’ persistence mechanisms. The advisory explicitly states: “In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors’ persistence mechanism from the appliance.”
Cisco Talos, the company’s threat intelligence team, has linked the hackers to China and known Chinese government hacking groups. According to a blog post by Talos, the actors are using the zero-day vulnerability to install persistent backdoors, with the campaign having been active since at least late November 2025.