On Wednesday, Cisco revealed that a group of hackers, allegedly supported by the Chinese government, is exploiting a vulnerability targeting corporate users of some of its widely-used products. The company has not specified the number of affected customers or if they have vulnerable systems. Experts estimate that hundreds of Cisco clients could be impacted.
Piotr Kizhevsky from the Shadowserver Foundation, an organization that monitors the Internet for hacker activities, noted that the vulnerability’s impact seems limited to hundreds of cases, suggesting the attacks are targeted rather than widespread.
The vulnerability, identified as CVE-2025-20393, was discovered before Cisco could release patches. As of now, countries like India, Thailand, and the United States have reported dozens of affected systems. Cybersecurity firm Censys has also detected a limited number of affected Cisco email gateways.
Cisco’s advisory indicates that the vulnerability exists in products like Secure Email Gateway and Secure Email and Web Manager, but these systems are only at risk when exposed to the Internet and when the “spam quarantine” feature is enabled, which is not the default setting.
The company has not confirmed the figures reported by monitoring organizations. With no available patches, Cisco advises customers to erase and restore affected devices to secure them. The cyber threat campaign has reportedly been active since late November 2025.
