**HUNDREDS OF CISCO CUSTOMERS VULNERABLE TO NEW CHINESE HACKING CAMPAIGN**
On Wednesday, Cisco revealed that a group of Chinese government-backed hackers is exploiting a vulnerability to target its enterprise customers who use some of the company's most popular products. The scale of exposure is estimated to be in the hundreds, rather than thousands or tens of thousands, according to security researchers.
Piotr Kijewski, the chief executive of the nonprofit Shadowserver Foundation, which scans and monitors the internet for hacking campaigns, told TechCrunch that "the current attacks are targeted" and therefore not widespread. The foundation is tracking the number of systems that are exposed and vulnerable to the flaw disclosed by Cisco, known as CVE-2025-20393.
As of press time, India, Thailand, and the United States collectively have dozens of affected systems within their borders. Censys, a cybersecurity firm that monitors hacking activities across the internet, is also seeing a limited number of affected Cisco customers.
Cisco has not said how many of its customers have already been hacked or may be running vulnerable systems. The company's security advisory published earlier this week stated that the vulnerability is present in software found in several products, including its Secure Email Gateway and its Secure Email and Web Manager.
Cisco explained that these systems are only vulnerable if they are reachable from the internet and have its "spam quarantine" feature enabled. Neither of those two conditions applies by default, which would explain why there appear to be relatively few vulnerable systems on the internet.
However, the bigger problem with this hacking campaign is that there are no patches available. Cisco recommends that customers wipe and "restore an affected appliance to a secure state" as a way to remediate any breach. This means rebuilding the appliances is currently the only viable option to eradicate the threat actors' persistence mechanism from the appliance.
According to Cisco's threat intelligence arm Talos, the hacking campaign has been ongoing since at least late November 2025. The vulnerability was discovered before patches were available, making it a zero-day flaw.
**WHO IS AFFECTED?**
The Shadowserver Foundation is tracking dozens of affected systems in India, Thailand, and the United States. Censys, a cybersecurity firm, has observed 220 internet-exposed Cisco email gateways, one of the products known to be vulnerable.
**WHAT CAN CISCO CUSTOMERS DO?**
Cisco recommends that customers wipe and "restore an affected appliance to a secure state" as a way to remediate any breach. This means rebuilding the appliances is currently the only viable option to eradicate the threat actors' persistence mechanism from the appliance.
**WHO IS BEHIND THE HACKING CAMPAIGN?**
Cisco's security advisory published earlier this week stated that the vulnerability is being exploited by a group of Chinese government-backed hackers. However, the exact identity and intentions of the hacking group are still unknown.
**HOW TO CONTACT TECHCRUNCH WITH TIPS OR INFORMATION**
Do you have more information about this hacking campaign, such as what companies were targeted? From a non-work device, contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.