Cisco has issued a critical warning regarding a zero-day vulnerability (CVE-2025-20393) in several of its enterprise products, which is actively being exploited by Chinese government-backed hackers. Security researchers now estimate that hundreds of Cisco customers are potentially vulnerable to this ongoing cyberattack, with no immediate patches available to mitigate the threat.

Chinese Hackers Exploit Cisco Zero-Day

The networking giant first disclosed the vulnerability on Wednesday, revealing that a group of state-sponsored Chinese hackers is targeting enterprise customers using some of its most popular products, including the Secure Email Gateway and Secure Email and Web Manager. While Cisco has not specified the number of customers already compromised, independent security researchers are providing a clearer picture of the potential scale.

Scope of the Vulnerability

Piotr Kijewski, CEO of the nonprofit Shadowserver Foundation, which actively monitors the internet for hacking campaigns, told TechCrunch that the exposure "seems more in the hundreds rather than thousands or tens of thousands." Kijewski noted that the foundation has not observed widespread activity, suggesting the current attacks are highly targeted.

Shadowserver maintains a public page tracking systems vulnerable to CVE-2025-20393. As of press time, dozens of affected systems have been identified in countries like India, Thailand, and the United States.

Further corroborating these findings, cybersecurity firm Censys, which also monitors internet hacking activities, reported observing 220 internet-exposed Cisco email gateways, one of the vulnerable products. This data was shared in a recent blog post by the firm.

Vulnerability Details and Remediation

Cisco's security advisory published earlier this week clarified that the vulnerability affects its Secure Email Gateway and Secure Email and Web Manager products. Crucially, systems are only susceptible if they are internet-reachable and have the "spam quarantine" feature enabled. Neither setting is on by default, which likely explains the relatively limited number of vulnerable systems observed online.

A significant concern for affected organizations is the absence of a readily available patch. Cisco recommends that customers "wipe and restore an affected appliance to a secure state" as the primary method to remediate any breach. The company emphasized this in its advisory:

"In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors' persistence mechanism from the appliance."

According to Cisco's threat intelligence arm, Talos, this targeted hacking campaign has been active since at least late November 2025.