
Hundreds of Cisco customers are at risk of a new Chinese hacking campaign, researchers say


On Wednesday, Cisco revealed that a group of hackers backed by the Chinese government is exploiting a vulnerability to target its customers who use some of the company’s most popular products.

Cisco has not said how many of its customers have already been hacked, or may be running vulnerable systems. Now, security researchers say there are hundreds of Cisco customers that could be hacked.

Piotr Kijewski, head of the non-profit Shadowserver Foundation, which monitors the Internet for hacking campaigns, told TechCrunch that the number of exposures “looks like hundreds instead of thousands or thousands.”

Kijewski said the foundation isn’t seeing much activity, perhaps because “the attacks that are happening right now are looking.”

Shadowserver has a web page that tracks the number of systems exposed and vulnerable to the flaw disclosed by Cisco, tracked as CVE-2025-20393. The vulnerability is known as a zero-day because the bug was discovered before the company had time to patch it. As of press time, India, Thailand, and the United States together have the most affected systems within their borders.

Censys, a cybersecurity company that monitors cyber-theft incidents, is also seeing a few Cisco customers affected. According to a blog post, Censys has identified 220 Cisco email gateways exposed on the Internet, one of the affected products.

contact us

Do you have information about phishing campaigns? Which companies are they considering? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.

In its security advisory published earlier this week, Cisco said the vulnerability exists in software found in a number of products, including its Secure Email Gateway and its Secure Email and Web Manager.

Cisco said a system is vulnerable if it is reachable from the Internet and has the “spam quarantine” feature enabled. Neither of these two conditions is enabled by default, according to Cisco, which may explain why, relatively speaking, not many vulnerable systems appear to be exposed on the Internet.

Cisco did not respond to a request for comment asking whether the company could confirm the numbers seen by Shadowserver and Censys.

The main problem with this hacking campaign is that there are no patches available. Cisco encourages customers to wipe and “restore the affected device to a secure state,” as the remedy for any compromise.

“If confirmed, updating the device is the only way to eliminate the threat’s impact on the device,” the company wrote in its advisory.

According to Cisco’s intelligence arm Talos, the hacking campaign has been going on since “late November 2025.”
