Cisco disclosed on Wednesday that a group of hackers backed by the Chinese government is actively exploiting a newly discovered vulnerability to attack enterprise customers using some of its most widely deployed products. The company has not confirmed how many customers the attackers have already compromised or how many still run exposed systems, but security researchers say the number of potential targets runs into the hundreds.
Piotr Kijewski, chief executive of the nonprofit Shadowserver Foundation, which scans the internet for large-scale hacking activity, said the level of exposure appears limited but concerning. He told TechCrunch that the number of affected systems looks closer to the hundreds rather than the thousands or tens of thousands. Kijewski added that his team has not observed widespread exploitation so far, likely because the attackers are focusing on specific, high-value targets.
Shadowserver is actively tracking systems vulnerable to the flaw, which Cisco officially identified as CVE-2025-20393. Security experts classify the issue as a zero-day vulnerability because attackers discovered and began exploiting it before Cisco could release a fix. At the time of reporting, dozens of vulnerable systems appeared in countries including India, Thailand, and the United States.
Censys, a cybersecurity firm that monitors exposed systems across the internet, reported similar findings. In a recent blog post, the company said it had identified 220 internet-facing Cisco email gateways that remain exposed to the vulnerability. These gateways rank among the Cisco products attackers can exploit through this flaw.
Cisco explained in a security advisory that the vulnerability affects software used in several products, including Secure Email Gateway and Secure Email and Web Manager. The company said attackers can only exploit the flaw if the affected systems are accessible from the internet and have the spam quarantine feature enabled. Cisco noted that neither setting is active by default, which helps explain why researchers have found a relatively small number of exposed systems.
Cisco declined to comment on whether it could confirm the figures reported by Shadowserver and Censys. Meanwhile, the lack of an available patch has heightened concern among security teams. Cisco advised affected customers to wipe compromised systems and restore them to a secure state as the only effective way to contain the threat.
In its advisory, the company warned that rebuilding affected appliances currently offers the only reliable way to remove the attackers’ persistence mechanisms. Cisco’s threat intelligence unit, Talos, said the hacking campaign has likely been active since at least late November 2025, raising fears that attackers may have already maintained access to some systems for weeks.