On Wednesday, Cisco revealed that a group of Chinese government-backed hackers is exploiting a vulnerability to target its enterprise customers who use some of the company’s most popular products.
Cisco has not said how many of its customers have already been hacked, or may be running vulnerable systems. Security researchers now say there are hundreds of Cisco customers who could potentially be hacked.
Piotr Kijewski, the chief executive of the nonprofit Shadowserver Foundation that scans and monitors the internet for hacking campaigns, said the scale of exposure seems more in the hundreds rather than thousands or tens of thousands. Kijewski said the foundation was not seeing widespread activity, presumably because current attacks are targeted. The vulnerability disclosed by Cisco is officially named CVE-2025-20393. It is known as a zero-day because the flaw was discovered before the company had time to make patches available. As of press time, India, Thailand, and the United States collectively have dozens of affected systems within their borders.
Censys, a cybersecurity firm that monitors hacking activities across the internet, is also seeing a limited number of affected Cisco customers. According to Censys, it has observed 220 internet-exposed Cisco email gateways, one of the products known to be vulnerable.
In its security advisory published earlier this week, Cisco said that the vulnerability is present in software found in several products, including its Secure Email Gateway and its Secure Email and Web Manager. Cisco said these systems are only vulnerable if they are reachable from the internet and have its spam quarantine feature enabled. Neither of those two conditions are enabled by default, which would explain why there appear to be, relatively speaking, not that many vulnerable systems on the internet.
Cisco did not respond to a request for comment asking if the company could corroborate the numbers seen by Shadowserver and Censys.
The bigger problem with this hacking campaign is that there are no patches available. Cisco recommends that customers wipe and restore an affected appliance to a secure state as a way to remediate any breach. In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors persistence mechanism from the appliance, the company wrote in its advisory.
According to Cisco’s threat intelligence arm Talos, the hacking campaign has been ongoing since at least late November 2025.