Cisco announced that hackers linked to China are exploiting a zero-day vulnerability in its AsyncOS software across Cisco Secure Email Gateway, Cisco Secure Email, and Web Manager appliances, enabling full device takeover with no patches available yet.
The company detected the hacking campaign on December 10. The campaign targets physical and virtual appliances running Cisco AsyncOS software. The vulnerability is exploitable only on devices where the Spam Quarantine feature is enabled and the appliance is reachable from the internet. Cisco emphasized in its security advisory that Spam Quarantine is not enabled by default, and that the feature does not need to be exposed to the internet for normal operation.
Michael Taggart, senior cybersecurity researcher at UCLA Health Sciences, provided analysis to TechCrunch. He stated, “the requirement of an internet-facing management interface and certain features being enabled will limit the attack surface for this vulnerability.” Taggart’s observation highlights how configuration choices by administrators influence exposure risks in these systems.
Kevin Beaumont, a security researcher who tracks hacking campaigns, also spoke to TechCrunch about the campaign’s implications. He described it as particularly problematic for several reasons: large organizations deploy the affected products extensively throughout their networks; no patches exist to address the issue at present; it remains unclear how long the hackers’ backdoors have been present in compromised systems; and Cisco has disclosed no information on the number of affected customers.
TechCrunch reached out to Cisco spokesperson Meredith Corley with a series of questions. Corley responded that the company “is actively investigating the issue and developing a permanent remediation,” but offered no further details in response to those questions. Cisco’s current guidance directs customers to wipe and rebuild the software on affected appliances. The security advisory explains this approach: “In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors’ persistence mechanism from the appliance.” Rebuilding removes the persistence the hackers have established on the device.
Cisco Talos, the company’s threat intelligence research team, detailed the operation in a blog post. The post attributes the hackers to China and connects them to other known Chinese government hacking groups. Talos researchers documented how the actors exploit the zero-day vulnerability to install persistent backdoors, with evidence showing the campaign active since at least late November 2025. The blog post outlines the technical methods used for initial access and for maintaining persistence on the compromised appliances.