Cisco has issued a critical warning about a zero-day vulnerability actively exploited by Chinese state-sponsored hackers, targeting some of its most popular products. The flaw allows for a complete takeover of affected devices running Cisco AsyncOS software, including the Cisco Secure Email Gateway, Cisco Secure Email, and Web Manager appliances. Alarmingly, no official patch is currently available, leaving many organizations vulnerable.

The networking giant disclosed in a security advisory that it first detected the hacking campaign on December 10. The attacks specifically target devices with the "Spam Quarantine" feature enabled and exposed to the internet. While Cisco noted that this feature is not enabled by default and doesn't necessarily need internet exposure, its presence significantly expands the attack surface for organizations.

Michael Taggart, a senior cybersecurity researcher at UCLA Health Sciences, commented to TechCrunch that "the requirement of an internet-facing management interface and certain features being enabled will limit the attack surface for this vulnerability."

However, security researcher Kevin Beaumont, known for tracking hacking campaigns, expressed concern to TechCrunch. He highlighted the severity of the situation given that numerous large organizations rely on the affected Cisco products, coupled with the absence of a patch and the unknown duration of the hackers' access via backdoors.

Cisco has not yet disclosed how many customers have been affected by this ongoing campaign. When contacted by TechCrunch, Cisco spokesperson Meredith Corley stated that the company "is actively investigating the issue and developing a permanent remediation" but did not provide further details.

In the interim, Cisco's recommended solution for compromised systems is drastic: customers are advised to wipe and rebuild the software on affected products. The company emphasized this in its advisory:

"In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors' persistence mechanism from the appliance."

According to Cisco Talos, the company's threat intelligence research team, the hackers behind this sophisticated campaign are linked to China and to other known Chinese government hacking groups. In a blog post, Talos researchers detailed how the attackers are exploiting this zero-day vulnerability to install persistent backdoors on compromised appliances. The campaign has been active since at least late November.