Chinese Hackers Exploit Cisco Vulnerability in Targeted Campaign; Hundreds at Risk

Hundreds of Cisco Customers at Risk from Chinese Hacking Campaign

In a recent disclosure, Cisco has identified a critical security vulnerability, designated as CVE-2025-20393, affecting several of its widely used products, including the Secure Email Gateway and Secure Email and Web Manager. This flaw is currently being exploited by a group of hackers linked to the Chinese government, posing a significant threat to enterprise customers globally.

The Shadowserver Foundation, a nonprofit organization dedicated to monitoring internet security threats, has reported that the number of potentially vulnerable Cisco customers is in the hundreds. Piotr Kijewski, the foundation’s chief executive, noted that the exposure appears to be more in the hundreds rather than thousands or tens of thousands. He emphasized that the current attacks are targeted, which may explain the limited scope observed.

Censys, a cybersecurity firm specializing in internet-wide scanning, has identified 220 internet-exposed Cisco email gateways susceptible to this vulnerability. Their findings suggest that the issue, while not widespread, is significant enough to warrant immediate attention from affected organizations.

Cisco’s security advisory highlights that the vulnerability is present in systems that are both accessible from the internet and have the spam quarantine feature enabled. Importantly, these conditions are not enabled by default, which may limit the number of affected systems. However, for those systems that meet these criteria, the risk is substantial.

As of now, there are no patches available to address this zero-day vulnerability. Cisco recommends that customers who suspect their systems have been compromised wipe and restore the affected appliances to a secure state. The company stated: "In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors' persistence mechanism from the appliance."

According to Cisco’s threat intelligence unit, Talos, this hacking campaign has been active since at least late November 2025. The ongoing nature of these attacks underscores the urgency for organizations to assess their systems and implement necessary security measures promptly.