A newly disclosed hacking campaign exploiting a critical, unpatched vulnerability in some of Cisco’s most widely used security products has forced an unusual recommendation from the company: customers who confirm a compromise may need to wipe and completely rebuild affected systems, because no software fix yet exists.
A Zero-Day With No Immediate Fix
Cisco disclosed this week that hackers are actively exploiting a critical vulnerability in certain products running its AsyncOS software, including Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The flaw allows attackers to fully take over affected devices, according to the company’s security advisory.
What has alarmed customers and security researchers alike is the absence of a patch. Cisco has acknowledged that there is currently no software update capable of closing the vulnerability. In cases of confirmed compromise, the company has told customers that rebuilding affected appliances from scratch is, for now, the only viable way to remove the attackers’ persistent access.
“In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actor’s persistence mechanism from the appliance,” Cisco said in guidance shared with customers.
Security researchers say the vulnerability qualifies as a zero-day, meaning it was being exploited before a fix or mitigation was available. Cisco said it discovered the hacking campaign on December 10, but researchers believe the activity may have begun weeks earlier.
How the Attack Works — and Who Is Most Exposed
According to Cisco, the attacks target systems where a feature known as “Spam Quarantine” is enabled and where the management interface is reachable from the internet. The company emphasized that the feature is not enabled by default and does not need to be exposed online, a configuration detail that could significantly reduce the number of vulnerable systems.
Still, the affected products are widely deployed by large organizations, making the campaign particularly concerning. Kevin Beaumont, a security researcher who tracks hacking operations, told TechCrunch that the lack of patches and uncertainty about how long attackers may have had access compound the risk.
“If an organization is affected, it’s not just about exploitation today,” Beaumont said. “It’s about not knowing how long persistent backdoors may have been in place.”
Michael Taggart, a senior cybersecurity researcher at UCLA Health Sciences, noted that the attack surface is narrower than in some recent mass exploits. Requiring an internet-facing management interface and specific features to be enabled “will limit the attack surface for this vulnerability,” he said, though it does not eliminate the risk entirely.
Links to China-Backed Hacking Groups
Cisco Talos, the company’s threat intelligence unit, has linked the campaign to hackers associated with China and to groups previously tied to Chinese government-backed cyber operations. In a blog post detailing the findings, Talos researchers said attackers are exploiting the vulnerability to install persistent backdoors, allowing long-term access to compromised systems.
The campaign, Talos said, has been active “since at least late November 2025,” suggesting that some organizations may have been compromised for weeks before the activity was publicly disclosed.
While Cisco has not attributed the attacks to a specific state entity, the alleged links to known Chinese hacking groups place the incident within a broader pattern of cyber espionage campaigns targeting enterprise infrastructure and security appliances.
Unanswered Questions and an Ongoing Investigation
Cisco has not said how many customers are affected, and the company declined to answer detailed questions about the scope of the breaches. Meredith Corley, a Cisco spokesperson, told TechCrunch that the company is “actively investigating the issue and developing a permanent remediation.”
For now, organizations running the affected products are left balancing difficult choices: taking systems offline to rebuild them, restricting internet exposure to management interfaces, and assessing whether attackers may still have hidden access.