Hundreds of Cisco Customers at Risk of New Chinese Hacking Campaign

SadaNews - Cisco has disclosed a hacking campaign run by a Chinese government-backed group that is exploiting a serious security vulnerability to target enterprise customers using some of its best-known products.

Although Cisco has not disclosed the number of customers who have already been compromised or whether their systems remain at risk, security researchers have confirmed that hundreds of customers may be vulnerable to the attack.

Peter Kijewski, the CEO of the nonprofit Shadowserver Foundation, which monitors hacking campaigns around the world, stated that the level of exposure appears to be in the hundreds, not thousands or tens of thousands. His comments appeared in a report published by TechCrunch and reviewed by Al Arabiya Business.

Kijewski explained that the foundation is not currently tracking widespread activity, likely because the current attacks are selective and targeted.

Shadowserver is monitoring the vulnerability, which Cisco disclosed as CVE-2025-20393. It is a zero-day vulnerability, meaning it was discovered before any official updates or patches were available.

As of the report's publication, India, Thailand, and the United States have reported dozens of affected systems within their borders.

For its part, the cybersecurity company Censys has identified a limited number of affected Cisco customers, noting in an official blog post that 220 Cisco email gateways, products known to be affected by this vulnerability, are exposed to the internet.

In its security bulletin issued at the beginning of the week, Cisco confirmed that the vulnerability exists in the software of several products, including Secure Email Gateway and Secure Email and Web Manager.

The company indicated that systems are at risk of compromise only if they are reachable from the internet and have the Spam Quarantine feature enabled. Neither condition applies by default, which explains the relatively limited number of exposed systems.

The larger problem, according to experts, is that no security updates are currently available to address the vulnerability.

Cisco advises its customers to scan the affected systems and fully reconfigure them to restore them to a secure state.

The company stated in its announcement, "If a breach is confirmed, rebuilding the devices currently is the only available option to eliminate the attackers' foothold within the system."

According to Cisco's Talos Security Intelligence Unit, this hacking campaign has been ongoing since at least late November 2025, raising increasing concerns about the escalation of state-sponsored cyber attacks on businesses' digital infrastructure worldwide.