Chinese Hackers Exploit Cisco Zero-Day Vulnerabilities Affecting Hundreds

Published: December 20, 2025
Category: Hot Technology Sectors

Full Transcript

On Wednesday, Cisco disclosed that a group of Chinese government-backed hackers is exploiting a zero-day vulnerability affecting its enterprise products. This vulnerability, identified as CVE-2025-20393, allows attackers to target customers using popular Cisco products, particularly the Secure Email Gateway and Secure Email and Web Manager.

Piotr Kijewski, CEO of the nonprofit Shadowserver Foundation, noted that the scale of exposure is likely in the hundreds rather than thousands, indicating targeted attacks rather than widespread exploitation.

Cisco has confirmed that the vulnerability is present in systems that are reachable from the internet and have the spam quarantine feature enabled, conditions that are not set by default. In response, Cisco has recommended that customers wipe affected appliances and restore them to a secure state, as there are currently no patches available.

Additionally, Censys, a cybersecurity firm, reported observing 220 internet-exposed Cisco email gateways vulnerable to this exploit. The ongoing hacking campaign has been tracked since at least late November 2025, suggesting a sustained threat to organizations utilizing Cisco products.
