Cisco says Chinese hackers are exploiting its customers with a new zero-day

On Wednesday, Cisco announced hackers are exploiting a critical vulnerability in some of its most popular products that allows the full takeover of affected devices. Worse, there are no patches available at this time.

In a security advisory, Cisco said it discovered a hacking campaign on December 10 targeting Cisco AsyncOS software, and in particular the physical and virtual appliances Cisco Secure Email Gateway, Cisco Secure Email, and Web Manager.

The advisory said affected devices have a feature called “Spam Quarantine” enabled and are reachable from the internet. Cisco noted that this feature is not enabled by default and does not need to be exposed to the internet, which may be good news. Michael Taggart, a senior cybersecurity researcher at UCLA Health Sciences, told TechCrunch that “the requirement of an internet-facing management interface and certain features being enabled will limit the attack surface for this vulnerability.”

However, Kevin Beaumont, a security researcher who tracks hacking campaigns, told TechCrunch that this appears to be a particularly problematic hacking campaign since a lot of big organizations use the affected products, there are no patches available, and it’s unclear how long the hackers had backdoors in the affected systems.

At this point Cisco is not saying how many customers are affected. When reached by TechCrunch, Cisco spokesperson Meredith Corley did not answer a series of questions, and instead said that the company “is actively investigating the issue and developing a permanent remediation.”

The solution Cisco is suggesting to customers right now is essentially to wipe and rebuild the affected products’ software, as there is no patch available.

“In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors persistence mechanism from the appliance,” the company wrote.

The hackers behind the campaign are linked to China and other known Chinese government hacking groups, according to Cisco Talos, the company’s threat intelligence research team, which published a blog post about the hacking campaign.

The researchers wrote that the hackers are taking advantage of the vulnerability, which at this point is a zero-day, to install persistent backdoors, and that the campaign has been ongoing “since at least late November 2025.”

Lorenzo Franceschi-Bicchierai, Senior Reporter, Cybersecurity. Lorenzo Franceschi-Bicchierai is a Senior Writer at TechCrunch, where he covers hacking, cybersecurity, surveillance, and privacy. You can contact or verify outreach from Lorenzo by emailing lorenzo@techcrunch.com, via encrypted message at +1 917 257 1382 on Signal, and @lorenzofb on Keybase/Telegram.
