On Wednesday, Cisco announced that hackers are exploiting a critical vulnerability in some of its most popular products, allowing for the complete takeover of affected devices. Compounding the issue, no patches are currently available to fix the flaw.
In a security advisory, Cisco stated it discovered a hacking campaign on December 10 targeting its AsyncOS software. The campaign specifically focuses on physical and virtual appliances running Cisco Secure Email Gateway, Cisco Secure Email, and Web Manager. According to the advisory, devices are vulnerable only if they have a feature called “Spam Quarantine” enabled and are reachable from the internet. Cisco noted this feature is not enabled by default and does not need to be exposed to the internet, which may limit the scope of the attack.
Michael Taggart, a senior cybersecurity researcher at UCLA Health Sciences, told TechCrunch that the requirement of an internet-facing management interface and certain enabled features will limit the attack surface for this vulnerability.
However, security researcher Kevin Beaumont told TechCrunch this appears to be a particularly problematic campaign. He cited the widespread use of the affected products by large organizations, the lack of available patches, and the uncertainty around how long hackers have had backdoors in the compromised systems. Cisco is not currently disclosing how many customers are affected.
When contacted by TechCrunch, Cisco spokesperson Meredith Corley did not answer specific questions, stating instead that the company is actively investigating the issue and developing a permanent remediation.
For now, Cisco’s suggested solution for customers is to wipe and rebuild the software on affected products, as no patch exists. The company wrote that in the case of a confirmed compromise, rebuilding the appliances is currently the only viable option to remove the threat actors’ persistence mechanisms.
Cisco Talos, the company’s threat intelligence team, links the hackers behind this campaign to China and to other known Chinese government hacking groups. The researchers wrote that the hackers are exploiting the vulnerability, currently a zero-day, to install persistent backdoors. They assess that the campaign has been ongoing since at least late November 2025.

