Hundreds Of Cisco Customers Are Vulnerable To New Chinese Hacking Campaign, Researchers Say

Cisco customers are at risk as researchers uncover a targeted Chinese-backed hacking campaign exploiting a new zero-day flaw.
Matilda

Cisco customers targeted in new hacking campaign

Cisco customers around the world are facing fresh cybersecurity concerns after researchers confirmed a new hacking campaign tied to a Chinese government–backed group. The issue centers on a newly disclosed zero-day vulnerability affecting some of Cisco’s most widely used enterprise products. Security experts say hundreds of organizations may already be exposed, even if only a smaller number appear to be actively targeted so far. The attacks focus on systems that are directly accessible from the internet, increasing the urgency for businesses running these products. Cisco has acknowledged the flaw but has not released detailed figures on confirmed compromises. Researchers stress that the absence of mass exploitation does not reduce the seriousness of the risk. For many enterprises, the question now is not if they should act, but how fast.

Image credit: Ramon Costa/SOPA Images/LightRocket / Getty Images

What Cisco revealed about the zero-day vulnerability

Cisco disclosed on Wednesday that attackers are exploiting a previously unknown flaw tracked as CVE-2025-20393. It is called a zero-day because it was being exploited before a patch was available. According to Cisco, the flaw affects select enterprise products commonly deployed in large corporate networks. While the company confirmed active exploitation, it stopped short of naming the specific hacking group responsible. Cisco also did not say how many customers may have already been breached. That lack of detail has left security teams relying heavily on independent researchers for clarity. Even so, Cisco urged customers to review their configurations and limit exposure where possible. The disclosure marks one of the more serious enterprise security alerts of the year.

Researchers warn exposure is “in the hundreds”

Independent researchers quickly moved to assess the real-world impact of the flaw. Piotr Kijewski, CEO of the nonprofit Shadowserver Foundation, said the number of exposed systems appears to be significant but not massive. According to Shadowserver’s scans, exposure “seems more in the hundreds rather than thousands or tens of thousands.” This estimate reflects systems that are reachable over the internet and running vulnerable software. Kijewski noted that Shadowserver is not seeing broad, automated exploitation at this stage. That pattern suggests attackers are being selective about their targets. However, targeted attacks often focus on higher-value organizations. For those affected, the consequences could still be severe.

Targeted attacks reduce noise but increase risk

The limited activity observed so far may sound reassuring, but experts caution against complacency. Targeted attacks are typically quieter and harder to detect than mass campaigns. Instead of scanning the entire internet indiscriminately, attackers focus on specific organizations or sectors. This approach reduces the chance of early discovery while maximizing strategic impact. Researchers believe this is why there has been no visible spike in attack traffic. For defenders, that makes early detection more challenging. A small number of successful breaches can still lead to significant intelligence or financial gains. As a result, even a “limited” campaign can pose outsized risks.

Shadowserver tracks vulnerable systems worldwide

Shadowserver has published a public tracking page monitoring exposure linked to CVE-2025-20393. The data shows dozens of affected systems across multiple countries. At the time of reporting, India, Thailand, and the United States accounted for a notable share of exposed systems. These numbers can change quickly as organizations patch or attackers shift focus. The foundation emphasizes that its scans only show externally visible systems. Internal deployments may also be vulnerable but are harder to measure. This means the true scale of risk could be larger than current estimates suggest. For security teams, the data serves as an early warning rather than a final count.

Censys confirms exposed Cisco email gateways

Another cybersecurity firm, Censys, has independently confirmed exposure tied to the same vulnerability. In a recent blog post, Censys reported observing 220 internet-exposed Cisco email gateways affected by the flaw. Email gateways are particularly sensitive because they sit at the edge of corporate networks. A successful compromise could allow attackers to monitor communications or move deeper into internal systems. Censys noted that not all exposed systems are necessarily compromised. Still, exposure alone significantly increases risk. The findings reinforce Shadowserver’s conclusion that the issue is widespread enough to demand immediate attention. Together, the two datasets paint a consistent picture of targeted but meaningful exposure.

Why Chinese-linked hacking groups matter

The alleged involvement of a Chinese government–backed group raises the stakes for affected organizations. State-sponsored actors typically have more resources, patience, and strategic objectives than criminal gangs. Their campaigns often focus on long-term access rather than quick disruption. This can include espionage, intellectual property theft, or positioning for future operations. For enterprises in critical sectors, the implications are especially serious. Even companies outside government or defense may hold data of strategic value. Researchers caution that attribution in cyber incidents is complex, but the tactics observed align with previous state-backed operations. That context makes rapid mitigation essential.

Cisco customers urged to act quickly

Security experts agree that Cisco customers should not wait for evidence of active exploitation before taking action. Organizations running affected products should immediately assess whether their systems are internet-facing. Reducing external exposure can significantly lower risk, even before patches are applied. Monitoring logs for unusual activity is also critical during this window. Cisco is expected to release fixes or additional guidance, but zero-day timelines can be unpredictable. In the meantime, layered defenses remain the best protection. Quick action now can prevent far more costly incidents later. For many teams, the next few days will be decisive.
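The first step recommended above, working out which affected appliances are actually reachable from the internet and ordering the response accordingly, is the kind of triage a security team can script against its own asset inventory. The following is an added example written for this article, not Cisco's, Shadowserver's or Censys's code. The inventory rows are constructed, the product labels and the "affected" column are assumptions (the article does not list affected products or fixed versions), and "internet-facing" is approximated as "published through a NAT mapping, or a management address outside the common private ranges".

```python
"""
Exposure triage for a fleet of network appliances: which devices should be
restricted or patched first?  Added example, not vendor code.  The inventory
below is constructed; product names and the "affected" flag are assumptions.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed sample inventory, shaped like a typical asset-management export.
# Sample addresses use the RFC 5737 documentation ranges; the simple check
# below treats anything outside RFC 1918 / loopback / link-local as public.
INVENTORY_CSV = """hostname,product,mgmt_ip,nat_public_ip,affected
esa-01,email-gateway,10.20.0.5,203.0.113.10,yes
esa-02,email-gateway,10.20.0.6,,yes
sma-01,security-management,192.0.2.44,,yes
wsa-01,web-proxy,10.30.0.9,,no
core-fw,firewall,198.51.100.2,,no
"""

PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


@dataclass
class Finding:
    hostname: str
    product: str
    internet_facing: bool
    affected: bool
    priority: str


def is_internet_facing(mgmt_ip: str, nat_public_ip: str) -> bool:
    """A host counts as internet-facing if it is published through a NAT /
    public mapping, or if its own management address is not in a private
    range.  (Assumed heuristic; refine with firewall data in practice.)"""
    if nat_public_ip.strip():
        return True
    addr = ipaddress.ip_address(mgmt_ip.strip())
    return not any(addr in net for net in PRIVATE_NETS)


def prioritize(internet_facing: bool, affected: bool) -> str:
    """Map exposure and affected status to an action tier (P1 is most urgent)."""
    if affected and internet_facing:
        return "P1-restrict-and-patch-now"
    if affected:
        return "P2-patch-and-monitor"
    if internet_facing:
        return "P3-review-exposure"
    return "P4-no-action"


def triage(csv_text: str) -> list[Finding]:
    """Parse an inventory CSV and return findings sorted by priority tier."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        facing = is_internet_facing(row["mgmt_ip"], row.get("nat_public_ip", ""))
        affected = row["affected"].strip().lower() == "yes"
        findings.append(Finding(
            hostname=row["hostname"],
            product=row["product"],
            internet_facing=facing,
            affected=affected,
            priority=prioritize(facing, affected),
        ))
    # Stable sort keeps inventory order within the same tier.
    findings.sort(key=lambda f: f.priority)
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY_CSV):
        print(f"{f.priority:26} {f.hostname:8} {f.product:20} "
              f"internet_facing={f.internet_facing}")
```

The point of the tiers is to separate "restrict access today" from "patch in the normal window": an affected email gateway with a public mapping goes to the top regardless of whether any compromise has been confirmed, which matches the advice that exposure alone justifies action.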

What this incident says about enterprise security in 2025

The Cisco vulnerability highlights a broader trend shaping enterprise security in 2025. High-value infrastructure products continue to be prime targets for advanced threat actors. Even well-resourced vendors can be caught off guard by zero-day flaws. At the same time, attackers are becoming more selective and strategic. This combination makes early visibility and rapid response more important than ever. Organizations can no longer rely solely on perimeter defenses. Continuous monitoring and external intelligence are now core requirements. The incident serves as a reminder that cybersecurity remains a moving target.

A quiet campaign with loud implications

While the current campaign may appear limited, its implications are anything but small. Hundreds of exposed systems mean hundreds of potential entry points for a sophisticated attacker. The lack of widespread noise should not be mistaken for safety. History shows that some of the most damaging cyber operations began quietly. For Cisco customers, this moment is about prevention, not panic. Acting early can turn a serious vulnerability into a manageable incident. Ignoring it could lead to long-term consequences. As researchers continue to monitor the situation, vigilance remains the strongest defense.
