Tag: Talos

  • Unpatched & Rooted: China-Linked Hackers Exploit Cisco Zero-Day to Hijack Secure Email Gateways

    Cisco has warned that threat actors are already exploiting a critical vulnerability in its widely deployed products, one that enables a complete takeover of affected systems, and that no patch was available at the time of disclosure. The company reported detecting the campaign on December 10, noting that the attacks target Cisco AsyncOS, specifically both physical and virtual deployments of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.

    According to Cisco, the devices most at risk are those with the Spam Quarantine feature enabled and exposed to the internet. The company emphasized that Spam Quarantine is disabled by default and does not require public internet access, a factor that may significantly reduce the number of truly vulnerable installations. Michael Taggart, a researcher at UCLA Health Sciences, observed that the requirement for an internet-accessible management interface combined with enabled features narrows the attack surface for this vulnerability.

    Security researcher Kevin Beaumont, however, described the situation as particularly troubling: the affected products are widely used by large enterprises, no patch is currently available, and it remains unclear how long attackers may have maintained backdoors in compromised environments. Cisco has not disclosed how many customers have been affected. In response to inquiries from TechCrunch, company spokesperson Meredith Corley declined to answer detailed questions, stating only that Cisco is actively investigating the incident and developing permanent remediation measures.

    In the absence of a patch, Cisco’s current guidance effectively amounts to a full wipe and rebuild of the software stack on impacted products. The company stated explicitly that, where compromise is confirmed, rebuilding the devices is presently the only viable way to remove attacker persistence. According to Cisco Talos, the campaign is linked to China and to other known Chinese state-aligned groups, with attackers leveraging a zero-day vulnerability to deploy durable backdoors. Talos researchers report that the campaign has been ongoing since at least late November 2025.