Hundreds of Cisco Customers Vulnerable to New Chinese Hacking Campaign, Researchers Say

Cisco has revealed that a Chinese government-backed hacking group is exploiting a vulnerability, tracked as CVE-2025-20393, to target its enterprise customers. Security researchers estimate that hundreds of Cisco customers are exposed to the zero-day flaw. Cisco recommends that customers rebuild affected appliances and restore them to a secure state, as no patches are available for the vulnerability.

Dec 19, 2025 - 21:40

On Wednesday, Cisco revealed that a group of Chinese government-backed hackers is exploiting a vulnerability to target its enterprise customers who use some of the company’s most popular products.

Cisco has not said how many of its customers have already been hacked, or may be running vulnerable systems. Security researchers say hundreds of Cisco customers could be hacked.

Piotr Kijewski, the chief executive of the nonprofit Shadowserver Foundation that scans and monitors the internet for hacking campaigns, told TechCrunch that the scale of exposure “seems more in the hundreds rather than thousands or tens of thousands.”

Kijewski said the foundation was not seeing widespread activity, presumably because “current attacks are targeted.”

Shadowserver maintains a page tracking the number of systems exposed and vulnerable to the Cisco-disclosed flaw, officially designated CVE-2025-20393. The vulnerability is known as a zero-day because attackers were exploiting it before Cisco had a patch available. As of press time, India, Thailand, and the United States collectively have dozens of affected systems within their borders.

Censys, a cybersecurity firm that monitors hacking activity across the internet, is also seeing a limited number of affected Cisco customers. According to a blog post, Censys has observed 220 internet-exposed Cisco email gateways, one of the products Cisco lists as affected. Exposure alone does not confirm that a system is vulnerable, since exploitation also depends on how the appliance is configured.

In its security advisory published earlier this week, Cisco said the vulnerability affects software across several products, including its Secure Email Gateway and Secure Email and Web Manager.

Cisco said these systems are only vulnerable if they are reachable from the internet and have their “spam quarantine” feature enabled. Neither condition is enabled by default, per Cisco, which would explain why relatively few exposed and vulnerable systems appear on the internet.

Cisco did not respond to a request for comment on whether the company could corroborate the numbers reported by Shadowserver and Censys.

The bigger problem with this hacking campaign is that no patches are available. Cisco recommends that customers wipe and “restore an affected appliance to a secure state” to remediate a breach.

“In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actor’s persistence mechanism from the appliance,” the company wrote in its advisory.

According to Cisco’s threat intelligence arm Talos, the hacking campaign has been ongoing since “at least late November 2025.”

TechAmerica.ai Staff