Cisco is warning customers that China-linked hackers are actively exploiting a critical zero-day vulnerability affecting some of the company’s most widely deployed email security products, potentially allowing attackers to fully take over exposed devices. The company says there is currently no patch available, and it is urging impacted organizations to take immediate mitigation steps while a permanent fix is developed.
In a security advisory published Wednesday, Cisco said it discovered the hacking activity on December 10 and traced it to systems running Cisco AsyncOS, the software platform powering several of its email and web security appliances. The affected products include Cisco Secure Email Gateway, Cisco Secure Email, and Cisco Secure Email and Web Manager, which enterprises and public-sector organizations deploy to filter and manage email traffic.
What Cisco says is being targeted
According to the advisory, exploitation hinges on a specific configuration: affected devices have a feature called Spam Quarantine enabled and are reachable from the internet. Cisco emphasized that Spam Quarantine is not enabled by default and does not need to be exposed to the public internet, a detail that may reduce the number of vulnerable deployments—but not the potential impact for those that are exposed.
Michael Taggart, a senior cybersecurity researcher at UCLA Health Sciences, told TechCrunch that the requirement for an internet-facing management interface and certain features being enabled “will limit the attack surface for this vulnerability.” Even so, security teams are being urged not to interpret that as reassurance, because internet exposure is common in real-world deployments and can occur through misconfiguration, legacy access rules, or emergency remote-access changes.
Why this is a high-risk incident
Security researchers tracking the campaign say the combination of active exploitation, widespread product use, and the absence of a patch makes this incident especially urgent. Kevin Beaumont, a researcher who monitors hacking activity, told TechCrunch the situation appears particularly problematic because many large organizations rely on the affected products, there is no patch available, and it remains unclear how long attackers may have maintained access in compromised environments.
Cisco has not disclosed how many customers may be impacted. When TechCrunch contacted the company with questions, spokesperson Meredith Corley did not address specific details and instead said the company “is actively investigating the issue and developing a permanent remediation.”
What customers can do now
With no patch available, Cisco is recommending a response that goes beyond typical mitigation guidance. The company’s current direction is effectively to wipe and rebuild affected appliances’ software if compromise is confirmed.
“In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors’ persistence mechanism from the appliance,” Cisco wrote in its advisory.
For security teams, that guidance carries real operational consequences. Email security gateways are often deeply integrated into mail flow, policy enforcement, and incident response workflows. Rebuilding appliances can mean planned downtime, careful reconfiguration, certificate and key management, and validation to ensure mail routing and security controls return to a known-good state.
Immediate mitigation priorities
- Reduce exposure: Ensure the Spam Quarantine interface and the appliance management interfaces are not internet-accessible unless strictly necessary, and restrict access by IP allowlists and VPNs where possible.
- Review feature configuration: Verify whether Spam Quarantine is enabled and whether it is exposed in a way that matches the conditions described by Cisco.
- Hunt for persistence: Treat any device that matched the exposed configuration during the campaign window as potentially compromised, not only those showing obvious signs, and prioritize forensics and log review.
- Prepare for rebuild: If compromise is suspected or confirmed, plan for a controlled rebuild and validation of configuration baselines. Export logs and configuration off the appliance first, because the rebuild destroys on-box evidence.
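The exposure-audit step above, as an added example that is neither Cisco's code nor part of the original article: the script applies the advisory's stated condition (Spam Quarantine enabled and reachable from the internet) to a constructed appliance inventory and the firewall or NAT rules in front of it, and ranks each appliance by the action the guidance implies. The hostnames, addresses, port numbers, service labels and inventory format are all assumptions made for illustration.

```python
"""Exposure triage for Cisco AsyncOS email appliances.

Added example, not Cisco's code or the article's. Applies the advisory's
condition (Spam Quarantine enabled AND internet reachable) to a constructed
inventory. Hostnames, addresses, ports and the record layout are assumed.
"""
import ipaddress
from dataclasses import dataclass, field

# Address space treated as internal: RFC 1918, loopback, link-local.
# A source range is "internet" if any part of it falls outside these blocks.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Actions in priority order (assumed labels for this example).
PRIORITY = {"ISOLATE_AND_HUNT": 0, "REDUCE_EXPOSURE": 1,
            "VERIFY_RESTRICTED": 2, "MONITOR": 3}


@dataclass
class Listener:
    service: str            # "spam_quarantine" or "management" (assumed labels)
    address: str            # IP the service is bound to
    port: int               # 83/443 are assumed values, not taken from Cisco docs
    enabled: bool = True


@dataclass
class IngressRule:
    src_cidr: str           # source range allowed to reach dst_ip:dst_port
    dst_ip: str
    dst_port: int


@dataclass
class Appliance:
    hostname: str
    product: str
    listeners: list
    rules: list = field(default_factory=list)


def is_internal_network(cidr):
    """True only if the whole range sits inside one internal block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(r) for r in INTERNAL_RANGES if r.version == net.version)


def is_internet_reachable(listener, rules):
    """Reachable if bound to a non-internal address, or if an ingress rule forwards
    traffic to it from a source range that is not entirely internal (0.0.0.0/0
    being the common misconfiguration)."""
    if not is_internal_network(listener.address):
        return True
    return any(r.dst_ip == listener.address and r.dst_port == listener.port
               and not is_internal_network(r.src_cidr) for r in rules)


def triage(appliance):
    """Classify one appliance against the advisory's exploitation condition."""
    quarantine = [l for l in appliance.listeners if l.service == "spam_quarantine" and l.enabled]
    mgmt = [l for l in appliance.listeners if l.service == "management" and l.enabled]
    q_exposed = any(is_internet_reachable(l, appliance.rules) for l in quarantine)
    m_exposed = any(is_internet_reachable(l, appliance.rules) for l in mgmt)
    if q_exposed:                     # enabled quarantine reachable from the internet
        action = "ISOLATE_AND_HUNT"
    elif m_exposed:                   # not the stated condition, but still an exposed admin surface
        action = "REDUCE_EXPOSURE"
    elif quarantine:                  # precondition present; confirm the restriction holds
        action = "VERIFY_RESTRICTED"
    else:
        action = "MONITOR"
    return {"hostname": appliance.hostname, "product": appliance.product,
            "quarantine_enabled": bool(quarantine),
            "quarantine_internet_reachable": q_exposed,
            "management_internet_reachable": m_exposed, "action": action}


def triage_inventory(inventory):
    """Triage every appliance, most urgent first."""
    rows = [triage(a) for a in inventory]
    return sorted(rows, key=lambda r: (PRIORITY[r["action"]], r["hostname"]))


# Constructed inventory: five appliances covering the interesting cases.
INVENTORY = [
    Appliance("esa-dmz-01", "Secure Email Gateway",
              [Listener("spam_quarantine", "10.20.0.5", 83), Listener("management", "10.20.0.5", 443)],
              [IngressRule("0.0.0.0/0", "10.20.0.5", 83),      # NAT publishes the quarantine portal
               IngressRule("10.0.0.0/8", "10.20.0.5", 443)]),
    Appliance("esa-core-02", "Secure Email Gateway",
              [Listener("spam_quarantine", "10.20.0.6", 83), Listener("management", "10.20.0.6", 443)],
              [IngressRule("10.0.0.0/8", "10.20.0.6", 83), IngressRule("10.0.0.0/8", "10.20.0.6", 443)]),
    Appliance("esa-partner-03", "Secure Email Gateway",
              [Listener("spam_quarantine", "203.0.113.10", 83),  # bound straight to a public address
               Listener("management", "10.20.0.7", 443)]),
    Appliance("sma-01", "Secure Email and Web Manager",
              [Listener("spam_quarantine", "10.30.0.2", 83, enabled=False),
               Listener("management", "10.30.0.2", 443)],
              [IngressRule("0.0.0.0/0", "10.30.0.2", 443)]),   # admin UI left open to the world
    Appliance("esa-lab-04", "Secure Email Gateway",
              [Listener("spam_quarantine", "192.168.50.4", 83, enabled=False),
               Listener("management", "192.168.50.4", 443)]),
]

if __name__ == "__main__":
    for row in triage_inventory(INVENTORY):
        print(f"{row['action']:<18} {row['hostname']:<16} quarantine={row['quarantine_enabled']} "
              f"q_internet={row['quarantine_internet_reachable']} mgmt_internet={row['management_internet_reachable']}")
```

The internal-range test is deliberately conservative: a rule whose source is a public allowlist entry (say, a partner's /32) still counts as internet reachable, so the output pushes the reviewer to confirm the allowlist rather than silently accepting it. Feed it a real inventory by replacing `INVENTORY` with rows exported from the firewall and appliance configuration.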
Attribution: Cisco links activity to China
Cisco Talos, the company’s threat intelligence and research unit, said the hackers behind the campaign are linked to China and associated with other known Chinese government hacking groups. Talos reported that attackers are using the vulnerability to install persistent backdoors, enabling continued access even after typical remediation steps.
Talos said the campaign has been ongoing “since at least late November 2025,” suggesting the window for compromise could extend weeks before the public disclosure. That timeline is significant for defenders: the longer an attacker remains embedded, the higher the likelihood of credential theft, lateral movement, and the use of compromised infrastructure to pivot into broader enterprise networks.
Why email security appliances are a prime target
Email gateways occupy a strategic position in most organizations. They sit on the boundary between external senders and internal mail systems, often handling sensitive metadata, attachments, and policy decisions. A full takeover of such a device can give attackers a foothold to monitor traffic, disrupt communications, or attempt follow-on compromise through credential harvesting or targeted delivery of malicious content.
For large enterprises, healthcare providers, and public-sector organizations, the risk is amplified by the role these appliances play in enforcing compliance and preventing data loss. A compromised gateway can undermine trust in email-based workflows and complicate incident response, because defenders may need to assume that alerts and filtering decisions were tampered with.
What to watch next
The key near-term question is when Cisco will release a patch or other permanent remediation, and whether additional technical details will emerge that help defenders detect compromise. Organizations running the affected products are likely to accelerate exposure audits and implement tighter segmentation while they await updates.
Until a fix is available, defenders are being pushed toward a posture that assumes active exploitation is possible wherever the vulnerable configuration exists—and that recovery may require rebuilding appliances rather than relying on incremental changes.