Cisco announced Wednesday that hackers have exploited critical vulnerabilities in some of its most popular products, allowing them to take complete control of affected devices. What’s worse, there are no patches available at this time.
Cisco said in a security advisory that it discovered a hacking campaign on December 10 that targeted Cisco AsyncOS software, specifically the physical and virtual appliances Cisco Secure Email Gateway, Cisco Secure Email, and Web Manager. The advisory says affected devices have a feature called “Spam Quarantine” enabled and can be accessed from the Internet.
Cisco pointed out that this feature is not enabled by default and does not need to be exposed to the internet, which may be good news. Michael Taggart, a senior cybersecurity researcher at UCLA Health Sciences, told TechCrunch, “The attack surface of this vulnerability will be limited because it requires an internet-facing administrative interface and certain functionality to be enabled.”
But Kevin Beaumont, a security researcher who tracks hacking activity, told TechCrunch that this appears to be a particularly problematic hacking operation because many large companies use affected products, there are no patches available, and it’s unclear how long hackers had backdoors in affected systems.
At this time, Cisco has not disclosed the number of customers affected.
In an interview with TechCrunch, Cisco spokesperson Meredith Corey declined to answer a series of questions, saying the company is “actively investigating this issue and developing a permanent remediation.”
inquiry
Do you have more information about this hacking campaign, including what companies were targeted? You can contact Lorenzo Franceschi-Bicchierai securely from your non-work device on Signal (+1 917 257 1382), on Telegram and Keybase @lorenzofb, or by email.
The solution Cisco is currently offering customers is to basically erase and rebuild the software on the affected products, since no patch exists.
“If a breach is confirmed, rebuilding the appliance is currently the only viable option to eradicate the threat actor’s persistence mechanism from the appliance,” the company wrote.
According to Cisco Talos, the company’s threat intelligence research team, which published a blog post about the hacking campaign, the hackers behind the campaign have ties to China and other known Chinese government hacking groups.
The researchers wrote that hackers have been using the vulnerability (currently a zero-day) to install a persistent backdoor, and that the campaign has been ongoing “since at least late November 2025.”
