Cisco has warned that hackers are actively exploiting a critical vulnerability in some of its most widely used products, allowing attackers to gain full control of affected devices. At present, no security patch is available.
In a security advisory issued on Wednesday, Cisco stated that on December 10 it discovered an ongoing hacking campaign targeting Cisco AsyncOS software, specifically the physical and virtual appliances Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. According to the company, the attacks affect devices that have the “Spam Quarantine” feature enabled and are exposed to the internet.
Cisco noted that Spam Quarantine is not enabled by default and does not need to be internet-facing, which may limit the number of exposed systems. Michael Taggart, a senior cybersecurity researcher at UCLA Health Sciences, told TechCrunch that “the requirement of an internet-facing management interface and certain features being enabled will limit the attack surface for this vulnerability.”
However, security researcher Kevin Beaumont warned that the campaign is especially concerning because many large organizations rely on the affected products, there is no patch available, and it remains unclear how long attackers may have maintained access to compromised systems.
Cisco has not disclosed how many customers may be impacted. When contacted by TechCrunch, Cisco spokesperson Meredith Corley declined to answer detailed questions, stating only that the company “is actively investigating the issue and developing a permanent remediation.”
For now, Cisco says the only recommended mitigation is to wipe and rebuild affected appliances. “In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actor’s persistence mechanism,” the company said.
Cisco Talos, the company’s threat intelligence unit, linked the attacks to China-aligned hacking groups. Researchers said the attackers are exploiting the zero-day vulnerability to install persistent backdoors, with the campaign believed to have been active since at least late November 2025.





