On Wednesday, Cisco revealed that attackers are actively exploiting a critical vulnerability present in some of its widely used products, enabling complete control over the compromised devices. Alarmingly, no patches are currently available to address this security flaw.
In a security notice, Cisco stated that it uncovered a hacking campaign beginning on December 10 that targets Cisco AsyncOS software, specifically affecting physical and virtual appliances including Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The advisory highlighted that the vulnerable devices have the “Spam Quarantine” feature activated and are accessible from the internet.
Cisco clarified that this feature is not enabled by default and does not need to be exposed to the internet, which may limit the vulnerability’s scope. Michael Taggart, a senior cybersecurity researcher, noted that the requirement for an internet-facing management interface combined with specific enabled features narrows the potential attack surface for this exploit.
However, security researcher Kevin Beaumont described this as a highly concerning campaign due to the widespread use of the affected products by major organizations. Beaumont emphasized the lack of available patches and uncertainty regarding the duration of unauthorized backdoor access within compromised systems.
At this time, Cisco has not disclosed the number of customers impacted. When approached for comment, a Cisco representative declined to respond to detailed inquiries, stating only that the company is actively investigating and working on a permanent solution.
Meanwhile, Cisco advises affected customers to completely wipe and rebuild the software on compromised devices, since no patch exists that removes the threat actors’ presence.
The company stressed that in confirmed breaches, rebuilding the appliance remains the only effective way to eliminate the persistent malware installed by the attackers.
Investigations by Cisco Talos, the firm’s threat intelligence group, linked the hacking campaign to Chinese government-associated groups. Their analysis revealed that the attackers exploited the zero-day vulnerability to plant enduring backdoors on systems, with activity traced back to at least late November 2025.