On Wednesday, Cisco revealed that a group of Chinese government-backed hackers is exploiting a vulnerability to target its enterprise customers who use some of the company’s most popular products.
Cisco has not said how many of its customers have already been hacked, or may be running vulnerable systems. Now, security researchers say there are hundreds of Cisco customers who could potentially be hacked.
Piotr Kijewski, the chief executive of the nonprofit Shadowserver Foundation that scans and monitors the internet for hacking campaigns, told News that the scale of exposure “seems more in the hundreds rather than thousands or tens of thousands.”
Kijewski said the foundation was not seeing widespread activity, presumably because “current attacks are targeted.”
Shadowserver has a page where it’s tracking the number of systems that are exposed and vulnerable to the flaw disclosed by Cisco, named officially as CVE-2025-20393. The vulnerability is known as a zero-day, because the flaw was discovered before the company had time to make patches available. As of press time, India, Thailand, and the United States collectively have dozens of affected systems within their borders.
Censys, a cybersecurity firm that monitors hacking activities across the internet, is also seeing a limited number of affected Cisco customers. According to a blog post, Censys has observed 220 internet-exposed Cisco email gateways, one of the products known to be vulnerable.
Contact Us
Do you have more information about this hacking campaign? Such as what companies were targeted? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.
In its security advisory published earlier this week, Cisco said that the vulnerability is present in software found in several products, including its Secure Email Gateway and its Secure Email and Web Manager.
Cisco said these systems are only vulnerable if they are reachable from the internet, and have its “spam quarantine” feature enabled. Neither of those two conditions are enabled by default, per Cisco, which would explain why there appears to be, relatively speaking, not that many vulnerable systems on the internet.
Cisco did not respond to a request for comment, asking if the company could corroborate the numbers seen by Shadowserver and Censys.
The bigger problem with this hacking campaign is that there are no patches available. Cisco recommends that customers wipe and “restore an affected appliance to a secure state,” as a way to remediate any breach.
“In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors persistence mechanism from the appliance,” the company wrote in its advisory.
According to Cisco’s threat intelligence arm Talos, the hacking campaign has been ongoing since “at least late November 2025.”
