Cisco Hackers Exploit Critical Zero-Day Flaw
18 Dec, 2025
Summary
- Hackers linked to China exploit a critical Cisco zero-day flaw.
- No patches are currently available for the exploited vulnerability.
- Exploitation requires the Spam Quarantine feature to be enabled and the device to be reachable from the internet.

A critical vulnerability in some of Cisco's most popular products is actively being exploited by hackers, with no immediate patches available. This zero-day flaw allows for the complete takeover of affected devices, including Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.
According to the security advisory, the hacking campaign, which targets Cisco AsyncOS software, was discovered on December 10, 2025. Exploitation depends on the 'Spam Quarantine' feature being enabled and the device being reachable from the internet; neither is a default configuration.
Cybersecurity researchers note the severity due to the widespread use of these products and the absence of immediate fixes. Cisco's current recommendation for confirmed compromises is to rebuild the affected appliances, as this is the only known method to remove the attackers' persistent backdoors. Cisco Talos links the campaign to Chinese government hacking groups and states it has been ongoing since at least late November 2025.




