Source: TechCrunch
Category: Security (tags: Censys, Cisco, cybercrime, cybersecurity, hackers, hacking, infosec, Shadowserver Foundation)
Cisco revealed on Wednesday that a group of Chinese government-backed hackers is exploiting a security vulnerability to target enterprise customers that run some of the company’s most popular products.
Cisco did not say how many of its customers have already been compromised, or how many may be running vulnerable systems. Security researchers now say that hundreds of Cisco customers could potentially be affected.
Piotr Kijewski, CEO of Shadowserver, a nonprofit that scans and monitors the Internet for hacking campaigns, told TechCrunch that the scale of exposure “seems to be in the hundreds, not thousands or tens of thousands.”
The organization has not seen widespread activity, perhaps because “current attacks are targeted,” Kijewski said.
Shadowserver has a page tracking the number of systems exposed and vulnerable to the flaw disclosed by Cisco, tracked as CVE-2025-20393. It is a “zero-day” vulnerability: attackers were exploiting it before Cisco had a patch available. At the time of publication, India, Thailand, and the United States combined accounted for dozens of affected systems.
Censys, a cybersecurity company that scans the Internet to map exposed systems, likewise sees a limited number of affected Cisco customers. In a blog post, Censys said it observed 220 Cisco email gateways, one of the products known to be vulnerable, exposed on the Internet.
Contact us
Do you have more information about this hacking campaign? Like what companies were targeted? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, via Telegram and Keybase @lorenzofb, or email.
In its security advisory published earlier this week, Cisco said the vulnerability exists in software that ships in several products, including Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.
Cisco said these systems are vulnerable only if they are reachable from the Internet and the “Spam Quarantine” feature is enabled. Neither condition holds by default, according to Cisco, which explains why relatively few vulnerable systems are visible on the Internet. Note that scanner counts such as Shadowserver’s and Censys’s only cover devices reachable from the public Internet; a quarantine interface that is reachable only from an internal network does not appear in them.
Cisco did not respond to a request for comment asking whether it could confirm the numbers reported by Shadowserver and Censys.
The biggest problem with this campaign is that no patch is yet available. For devices that have been breached, Cisco recommends that customers wipe them and “restore the affected device to a secure state.”
“In the event of a confirmed compromise, hardware rebuilding is, currently, the only viable option to eliminate the threat actor persistence mechanism from the device,” the company wrote in its warning.
According to Talos, Cisco’s threat intelligence arm, the hacking campaign has been ongoing since “at least late November 2025.”
Tags: Hundreds, Cisco, customers, vulnerable, Chinese, hacking, campaign, researchers
Posted on 1766175434 (Unix timestamp: 19 December 2025, UTC)
