Cisco Zero-Day Attack: Chinese Hackers Target Email Gateways – Ankor Tech

Cisco confirmed that Chinese state-linked hackers are actively exploiting a critical zero-day vulnerability in its Secure Email Gateway and Secure Email and Web Manager appliances. Discovered on December 10, the exploit allows unauthorized actors to achieve full device takeover, with no official software patch currently available to mitigate the risk.

Scope of the Vulnerability

The campaign specifically targets the Cisco AsyncOS software. According to Cisco’s official security advisory, exploitation is limited to devices where the “Spam Quarantine” feature is enabled and the management interface is exposed to the public internet.

While the feature is not active by default, cybersecurity experts view the situation as highly volatile. Michael Taggart, a researcher at UCLA Health Sciences, noted that while the specific configuration requirements limit the attack surface, the nature of the exploit remains severe for organizations heavily reliant on these appliances.

Persistent Backdoors and Attribution

Cisco Talos, the company’s threat intelligence arm, has linked the campaign to Chinese government-backed hacking groups. The investigation reveals that the attackers have been leveraging this zero-day to install persistent backdoors since at least late November 2025.

Security researcher Kevin Beaumont emphasized that the lack of a patch is particularly concerning given the widespread use of these products among large enterprises. The duration of the hackers’ access remains unknown, raising significant concerns regarding data exfiltration and long-term network infiltration.

Remediation Requirements

Cisco has yet to disclose the total number of affected customers. When questioned regarding the extent of the breach and potential victim organizations, a company spokesperson stated that Cisco is “actively investigating the issue and developing a permanent remediation.”

Until a patch is released, the company’s only recommended course of action for compromised systems is a complete system wipe and rebuild. Cisco explicitly stated that, in the event of a confirmed compromise, rebuilding the appliances is the only viable method to eradicate the threat actors’ persistence mechanisms.