Cisco: Zero-Day Exploit Hits Key Security Products, Need System Rebuilding
“Cisco is pushing system rebuilding after a zero-day exploit hit key security products.”
Due to a recently revealed hacking campaign that took advantage of a serious, unpatched vulnerability in some of Cisco’s most popular security products, the company was forced to make an unusual recommendation: customers who confirm a compromise may need to wipe and completely rebuild affected systems because there is currently no software fix.
A Zero-Day Without an Instant Solution
This week, Cisco revealed that hackers are actively taking advantage of a serious flaw in some devices that use its AsyncOS software, such as Web Manager, Cisco Secure Email Gateway, and Cisco Secure Email.
According to the company’s security alert, the vulnerability enables attackers to completely take control of impacted devices.
The lack of a fix has worried both security researchers and customers. Cisco has admitted that no software update is currently available to fix the vulnerability. The company has told customers that, where a breach is confirmed, rebuilding compromised appliances from scratch is now the only practical method to cut off the attackers’ ongoing access.
Cisco: “Rebuilding the appliances is presently the only practical way to remove the threat actor’s persistence mechanism from the device in the event of a verified compromise.”
According to Cisco, the attacks target systems that have the “Spam Quarantine” feature enabled and that expose a management interface to the internet.
According to security experts, the flaw is a zero-day vulnerability, which means that it was being used before a remedy or mitigation was made available. Although researchers think the activity may have started weeks earlier, Cisco claimed to have uncovered the hacking campaign on December 10.

How Does the Attack Operate and Who Is Most at Risk?
The company stressed that the feature is not enabled by default and does not require internet exposure, which significantly lowers the number of vulnerable systems.
However, big businesses use the impacted products extensively, which makes the campaign especially troubling. Security expert Kevin Beaumont, who monitors hacking activities, told TechCrunch that the risk is increased by the absence of fixes and the ambiguity around the duration of an attacker’s access.
Kevin Beaumont: “These days, it goes beyond simple exploitation when an organization is impacted. It has to do with not knowing how long persistent backdoors might have existed.”
Michael Taggart, Senior Cybersecurity Researcher at UCLA Health Sciences, said the attack surface is smaller than in several recent mass-exploitation campaigns. Although this does not completely remove the risk, he stated that requiring an internet-facing administration interface and certain features to be enabled “will limit the attack surface for this vulnerability.”
Links to Hacking Groups Supported by China
The company’s threat intelligence division, Cisco Talos, has connected the effort to Chinese hackers and organizations that were previously involved in cyber operations supported by the Chinese government.

In a blog post describing the discoveries, Talos researchers wrote that attackers are using the vulnerability to create persistent backdoors that provide long-term access to infected systems. According to Talos, the campaign has been going on “since at least late November 2025,” indicating that some organizations might have been compromised for weeks before the activity was made public.
The purported connections to well-known Chinese hacking groups situate the incident within a larger pattern of cyber espionage activities targeting enterprise infrastructure and security appliances, even though Cisco has not linked the attacks to any particular state entity.
Unresolved Issues and an Ongoing Probe
Cisco failed to provide specific answers regarding the extent of the breaches and has not disclosed the number of customers impacted.
Cisco spokesperson Meredith Corley told TechCrunch that the company is “developing a permanent remediation and actively investigating the issue.”
Organizations using the impacted products are currently forced to make tough decisions between limiting internet access to administrative interfaces, pulling systems offline to rebuild them, and determining whether attackers might still have concealed access.
About The Author
Suraj Koli is a content specialist in technical writing about cybersecurity & information security. He has written many amazing articles related to cybersecurity concepts, with the latest trends in cyber awareness and ethical hacking.