Cisco has warned that hackers are actively exploiting a critical zero-day vulnerability in several widely used security products, allowing attackers to fully take over affected systems. Even more concerning: there is no patch available yet, leaving organizations exposed while investigations continue.
According to a security advisory issued Wednesday, Cisco detected the campaign on December 10. The attacks target Cisco AsyncOS software, specifically appliances running Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The flaw is exploitable only on systems where the Spam Quarantine feature is enabled and its management interface is reachable from the internet.
Cisco emphasized that Spam Quarantine is not enabled by default and does not need to be internet-facing, which may reduce exposure for some customers. Michael Taggart, a senior cybersecurity researcher at UCLA Health Sciences, agreed that “the requirement of an internet-facing management interface and certain features being enabled will limit the attack surface,” but noted that it does not eliminate the risk.
Security researchers say the situation remains serious. Kevin Beaumont, who tracks large-scale intrusion campaigns, described the activity as especially troubling because the affected products are used by many large organizations, there is currently no fix, and it is unclear how long attackers may have maintained hidden access. Persistent access on an email gateway increases the likelihood of data theft, email interception, and long-term espionage.
Cisco has not disclosed the number of customers affected. When contacted, Cisco spokesperson Meredith Corley declined to answer detailed questions, stating only that the company is “actively investigating the issue and developing a permanent remediation.”
For now, Cisco’s guidance is drastic but clear. In cases of confirmed compromise, customers are advised to wipe and rebuild the affected appliances entirely. “Rebuilding the appliances is, currently, the only viable option to eradicate the threat actors’ persistence mechanism,” the company said, underscoring the severity of the breach.
Cisco Talos linked the campaign to China-connected hacking groups, some of them tied to Chinese government cyber operations. The attackers are abusing the zero-day to install persistent backdoors aimed at long-term access, and the activity appears to date back to at least late November 2025.
Until a patch is released, mitigation is the only option. Security teams should restrict internet access to the appliances' management interfaces, disable unnecessary features such as Spam Quarantine, monitor logs closely for unusual behavior, and keep incident response plans ready. The episode illustrates how even security tools become prime targets when zero-day vulnerabilities go unfixed.
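The first mitigation above is a question a defender can answer empirically: is any management or quarantine listener on our appliances reachable from outside? The script below is an added example, not Cisco code and not from the advisory. It assumes the AsyncOS defaults of tcp/443 and tcp/80 for the management web UI and tcp/82 and tcp/83 for the End User Spam Quarantine (verify these against your own configuration), and it must be run from a host outside the network boundary, such as a cloud VM, so that a successful TCP connect genuinely means internet exposure. The hostnames passed on the command line are the operator's own; `mail.example.com` is a placeholder.

```python
"""Exposure check for Cisco AsyncOS management / Spam Quarantine listeners.

Added example (not Cisco's code). Assumptions: the management web UI listens
on tcp/443 and tcp/80 and the End User Spam Quarantine on tcp/82 and tcp/83;
these are the usual AsyncOS defaults but must be confirmed per deployment.
Run this from OUTSIDE the perimeter; an accepted TCP connection from there
means the listener is internet-reachable and the mitigation is not in place.
"""
import socket
import sys
from typing import Callable, Dict, Iterable, List, Tuple

# Assumed default listeners on an ESA/SMA appliance (verify on your build).
MANAGEMENT_PORTS: Dict[int, str] = {
    443: "management UI (HTTPS)",
    80: "management UI (HTTP)",
}
QUARANTINE_PORTS: Dict[int, str] = {
    82: "End User Spam Quarantine (HTTP)",
    83: "End User Spam Quarantine (HTTPS)",
}

# A connector takes (host, port, timeout) and reports whether TCP connected.
Connector = Callable[[str, int, float], bool]


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Attempt a plain TCP connect; any socket error counts as 'not reachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(
    hosts: Iterable[str],
    connect: Connector = tcp_connect,
    timeout: float = 3.0,
) -> Dict[str, List[Tuple[int, str]]]:
    """Return, per host, the (port, description) pairs that accepted a connection.

    The connector is injectable so the logic can be exercised offline.
    """
    findings: Dict[str, List[Tuple[int, str]]] = {}
    for host in hosts:
        reachable: List[Tuple[int, str]] = []
        for port, desc in {**MANAGEMENT_PORTS, **QUARANTINE_PORTS}.items():
            if connect(host, port, timeout):
                reachable.append((port, desc))
        findings[host] = reachable
    return findings


def summarize(findings: Dict[str, List[Tuple[int, str]]]) -> List[str]:
    """Render findings as one line per exposed listener, flagging the worst case.

    A host with both a quarantine port and a management port reachable matches
    the exposure pattern described in the advisory and is marked CRITICAL.
    """
    lines: List[str] = []
    for host, ports in findings.items():
        if not ports:
            lines.append(f"{host}: no management/quarantine listener reachable")
            continue
        nums = {p for p, _ in ports}
        critical = bool(nums & MANAGEMENT_PORTS.keys()) and bool(nums & QUARANTINE_PORTS.keys())
        for port, desc in ports:
            tag = "CRITICAL" if critical else "EXPOSED"
            lines.append(f"{host}: {tag} tcp/{port} {desc}")
    return lines


if __name__ == "__main__":
    targets = sys.argv[1:] or ["mail.example.com"]  # placeholder hostname
    for line in summarize(check_exposure(targets)):
        print(line)
```

Any line tagged CRITICAL is a host where the mitigation (internet-facing management interface plus Spam Quarantine) is not yet in place; an EXPOSED line still warrants restricting the listener even if only one half of the pattern is present.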