Cisco said Wednesday that a group of hackers backed by the Chinese government is exploiting vulnerabilities to target enterprise customers using its most popular products.
Cisco has not said how many customers have already been hacked or may be running vulnerable systems. Security researchers now say there are hundreds of Cisco customers who could be hacked.
Piotr Kijevsky, CEO of the Shadow Server Foundation, a nonprofit organization that scans and monitors the internet for hacking activity, told TechCrunch that the scale of the exposure “looks like it's in the hundreds, not thousands or tens of thousands.”
Kijewski said the foundation does not see widespread activity, likely because “the current attacks are targeted.”
Shadowserver has a page that tracks the number of vulnerable systems exposed to the flaw published by Cisco (officially named CVE-2025-20393). The vulnerability is known as a zero-day because the flaw was discovered before the company released a patch. At the time of writing, there are dozens of systems affected within the borders of India, Thailand, and the United States combined.
Censys, a cybersecurity firm that monitors hacking activity on the Internet, also believes the number of Cisco customers affected is limited. According to a blog post, Censys observed 220 Cisco email gateways exposed to the internet, which are among the products known to be vulnerable.
Contact Us Do you have more information about this hacking campaign, including what companies were targeted? You can contact Lorenzo Franceschi-Bicchierai securely from your non-work device on Signal (+1 917 257 1382), on Telegram and Keybase @lorenzofb, or by email.
Cisco said in a security advisory published earlier this week that the vulnerability exists in software for multiple products, including the company's Secure Email Gateway and Secure Email and Web Manager.
Cisco said these systems are only vulnerable if they are accessible from the Internet and have the “Spam Quarantine” feature enabled. According to Cisco, neither of these two conditions are enabled by default, which is why, relatively speaking, there don't seem to be many vulnerable systems on the Internet.
Cisco did not respond to a request for comment asking whether it could corroborate the numbers seen for Shadowserver and Censys.
An even bigger problem with this hacking operation is the lack of available patches. Cisco recommends that customers wipe and “restore the affected appliance to a secure state” as a way to remediate a breach.
“If a breach is confirmed, rebuilding the appliance is currently the only viable option to eradicate the threat actor's persistence mechanism from the appliance,” the company said in an advisory.
According to Talos, Cisco's threat intelligence arm, the hacking campaign has been ongoing since “at least late November 2025.”