Dailyza | Tech, Investments, Business & World News
[Image: Cisco logo with cybersecurity warning about zero-day CVE-2025-20393 affecting Secure Email Gateway customers]

Cisco zero-day CVE-2025-20393 exposes hundreds, say experts

21 December 2025 | Technology

Cisco says a group of Chinese government-backed hackers is actively exploiting a newly disclosed zero-day vulnerability, raising concerns that hundreds of enterprise customers running certain security products could be exposed to compromise.

The disclosure, published in a Cisco security advisory this week, centers on CVE-2025-20393, a flaw affecting software used in multiple Cisco security appliances. While Cisco has not publicly quantified how many customers may already be impacted, independent internet-scanning groups and threat-monitoring firms say the number of potentially vulnerable systems appears to be in the hundreds—suggesting a targeted campaign rather than a broad, indiscriminate sweep.

What Cisco says is happening

In its advisory, Cisco attributed exploitation to a Chinese state-backed hacking group and said attackers are targeting enterprise customers using some of the company’s widely deployed security products. The affected product family includes Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, according to the advisory and subsequent reporting.

Cisco emphasized that exposure depends on specific configuration choices. The company said systems are vulnerable only if they are reachable from the public internet and if the “spam quarantine” feature is enabled. Cisco also noted those conditions are not enabled by default, which may explain why researchers are not seeing tens of thousands of exposed devices online.

Even so, the advisory has heightened urgency because the flaw is described as a zero-day—meaning it was exploited before customers had a chance to apply a vendor fix.

Researchers: Exposure appears to be in the hundreds

Piotr Kijewski, the chief executive of the nonprofit Shadowserver Foundation, told TechCrunch that the scale of exposure “seems more in the hundreds rather than thousands or tens of thousands.” Shadowserver scans and monitors internet-facing systems for signs of exposure to known vulnerabilities and active exploitation campaigns.

Kijewski also said Shadowserver was not observing widespread activity, suggesting the intrusions are likely selective. That assessment aligns with how many state-backed operations behave: rather than opportunistically compromising every reachable device, they often focus on organizations that offer strategic intelligence value—such as government-adjacent entities, critical infrastructure, defense supply chains, telecoms, or large enterprises with sensitive communications.

Shadowserver has been tracking exposed systems linked to the vulnerability, and early snapshots show affected devices distributed across multiple countries. As of the reporting cited, India, Thailand, and the United States collectively accounted for dozens of affected systems.

Separately, Censys, a cybersecurity firm that monitors internet exposure and suspicious activity, reported observing 220 internet-exposed Cisco email gateways that match the profile of potentially vulnerable systems.

Why this vulnerability is particularly risky

Security teams often treat vulnerabilities in email security infrastructure as high priority because these systems sit at a choke point for inbound and outbound communications. Email gateways can see sensitive messages, attachments, and authentication flows, and they frequently integrate with directory services and other internal tooling.

That makes exploitation potentially consequential. If an attacker gains privileged access to an email security appliance, they may be able to:

  • Harvest or reroute sensitive messages and attachments
  • Establish persistent access that survives routine password changes
  • Use the appliance as a foothold to pivot deeper into internal networks
  • Manipulate filtering rules to allow further phishing and malware delivery

Because Cisco described the campaign as tied to a Chinese government-backed group, the incident is likely to be viewed through the lens of geopolitical cyber-espionage, where the primary goal is intelligence collection rather than disruption. Still, the technical impact of a compromise can be severe regardless of motive.

No patch yet: What Cisco is recommending

The most immediate operational challenge is that Cisco has indicated there are no patches available at the time of the advisory. Instead, Cisco recommends that customers wipe and “restore an affected appliance to a secure state” as a remediation path if compromise is confirmed.

That guidance is significant. Rebuilding appliances can be disruptive for organizations that rely on these gateways for continuous email flow, quarantine management, and policy enforcement. It also implies that, in Cisco’s view, the safest response to a confirmed breach is to assume the device’s integrity cannot be trusted until it is reimaged and returned to a known-good configuration.

For organizations that suspect exposure but have not confirmed compromise, the advisory’s configuration conditions—public internet reachability and the spam quarantine feature—provide an immediate checklist. Security teams can prioritize reducing external exposure, auditing configuration, and reviewing logs for unusual administrative activity, unexpected processes, or anomalous outbound connections.
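The configuration checklist above (the advisory's two conditions: public internet reachability and the spam quarantine feature being enabled) and the log review it suggests can be turned into a small triage routine. The following is an added example, not code from Cisco or from this article: the appliance inventory, the log format and the sample log lines are constructed for illustration and do not reflect Cisco's actual log format, and the "expected" network ranges are assumptions a team would replace with its own.

```python
"""Exposure triage for the two advisory conditions plus a simple log review.

Added example. The Appliance records, the log line format and the network
ranges below are constructed for illustration; they are not Cisco's data
or log format.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Appliance:
    name: str
    internet_reachable: bool        # reachable from the public internet
    spam_quarantine_enabled: bool   # spam quarantine feature turned on


def exposure_level(app: Appliance) -> str:
    """Apply the advisory's two conditions: both must hold for exposure."""
    if app.internet_reachable and app.spam_quarantine_enabled:
        return "exposed"
    if app.internet_reachable or app.spam_quarantine_enabled:
        return "review"        # one condition present; worth a second look
    return "not-exposed"


_PRIORITY = {"exposed": 0, "review": 1, "not-exposed": 2}


def triage(inventory):
    """Return (name, level) pairs, most exposed first, then by name."""
    ranked = [(a.name, exposure_level(a)) for a in inventory]
    return sorted(ranked, key=lambda pair: (_PRIORITY[pair[1]], pair[0]))


# Constructed inventory (hypothetical hostnames).
INVENTORY = [
    Appliance("esa-dmz-1", True, True),
    Appliance("esa-internal-1", False, True),
    Appliance("esa-dmz-2", True, False),
    Appliance("sma-lab", False, False),
]

# Constructed log lines in a hypothetical "<ts> <host> <event> k=v ..." format.
SAMPLE_LOGS = """\
2025-12-20T01:02:03Z esa-dmz-1 admin_login user=admin src=10.0.5.20 result=success
2025-12-20T01:05:44Z esa-dmz-1 admin_login user=admin src=198.51.100.77 result=success
2025-12-20T01:06:10Z esa-dmz-1 outbound dst=10.0.1.10 port=389 proto=tcp
2025-12-20T01:07:30Z esa-dmz-1 outbound dst=203.0.113.9 port=443 proto=tcp
2025-12-20T01:08:00Z esa-dmz-1 outbound dst=10.0.1.25 port=25 proto=tcp
not a log line
""".splitlines()

_LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<kv>(?: \w+=\S+)*)$")


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    return {"ts": m.group("ts"), "host": m.group("host"), "event": m.group("event"), **fields}


def _in_any(ip: str, nets) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False            # unparseable address is never "expected"
    return any(addr in net for net in nets)


def find_anomalies(lines, expected_dst_nets, admin_src_nets):
    """Flag admin logins from outside admin networks and outbound connections
    to destinations outside the expected ranges (the two review items the
    article names: unusual administrative activity, anomalous outbound traffic)."""
    expected = [ipaddress.ip_network(n) for n in expected_dst_nets]
    admin = [ipaddress.ip_network(n) for n in admin_src_nets]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "admin_login" and "src" in rec and not _in_any(rec["src"], admin):
            findings.append((rec["ts"], "admin login from non-admin network", rec["src"]))
        elif rec["event"] == "outbound" and "dst" in rec and not _in_any(rec["dst"], expected):
            findings.append((rec["ts"], "outbound connection to unexpected destination", rec["dst"]))
    return findings


if __name__ == "__main__":
    for name, level in triage(INVENTORY):
        print(f"{level:12s} {name}")
    for ts, what, addr in find_anomalies(SAMPLE_LOGS, ["10.0.0.0/8"], ["10.0.5.0/24"]):
        print(ts, what, addr)
```

The ranking deliberately keeps appliances that meet only one condition in a "review" bucket rather than dismissing them: a configuration change or a firewall rule can turn "review" into "exposed" without anyone re-running the inventory. The log rules are coarse by design; the point is to pull the handful of lines a human should read first, not to decide compromise.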

Internet exposure is the multiplier

Cisco’s note that the affected systems are only vulnerable if they are internet-reachable is a reminder that many appliance compromises begin with a simple reality: if a management interface or service is exposed to the public internet, attackers will find it. Even when exploitation is “targeted,” visibility is the first step.

What to watch next

Two near-term signals will shape how this story evolves. First, whether Cisco releases a patch or mitigation update that reduces the need for full appliance rebuilds. Second, whether researchers observe a surge in exploitation attempts as more details about CVE-2025-20393 circulate across the security ecosystem.

For now, the available data suggests a limited number of exposed systems and a campaign that is selective. But with a zero-day affecting widely used enterprise email security products, defenders have little margin for delay—especially when the vendor’s current remediation guidance centers on restoring appliances to a secure baseline rather than applying a straightforward update.

Dailyza will continue tracking Cisco’s updates, researcher telemetry, and any disclosures from impacted organizations as more technical details and mitigation options emerge.

Kyle Kelley