Cisco has warned that a China-linked hacking group is actively exploiting a previously unknown vulnerability in its Secure Email appliances to gain persistent access, forcing affected organizations to consider disruptive rebuilds of critical security infrastructure while patches remain unavailable.
Cisco Talos said the campaign has been active since at least late November, raising concerns for security leaders about unseen compromise and how far incident response efforts may need to extend beyond the affected devices.
The vulnerability affects Cisco Secure Email Gateway, Cisco Secure Email, and Web Manager appliances running AsyncOS, but only in configurations where the Spam Quarantine feature is enabled and exposed to the internet, according to Cisco.
The company said there is currently no patch available, and that rebuilding affected appliances is the only way to fully remove the attackers’ persistence mechanisms in confirmed compromise cases.
Enterprise exposure and risk scope
Cisco said that systems where the Spam Quarantine feature is not enabled are not affected, but analysts said this does not necessarily reduce enterprise risk.
“This vulnerability may remain a high-risk issue because affected appliances typically sit in privileged network positions, even though the feature is not enabled by default,” said Sunil Varkey, a cybersecurity analyst.
It is also not clear how many enterprises may have enabled the feature in production environments, said Keith Prabhu, founder and CEO of Confidis.
“The Spam Quarantine provides a way for administrators to review and release ‘false positives,’ i.e., legitimate email messages that the appliance has deemed to be spam,” Prabhu said. “In today’s remote support and 24×7 operations, it is entirely possible that this feature has been enabled by many enterprises.”
Akshat Tyagi, associate practice leader at HFS Research, said the bigger concern is the nature of the target. Unlike a user laptop or a standalone server, email security systems sit at the center of how organizations filter and trust email traffic, meaning attackers would be operating inside infrastructure designed to stop threats rather than receive them.
“The fact that there’s no patch yet elevates the risk further,” Tyagi said. “When the vendor’s guidance is to rebuild appliances rather than clean them in place, it tells you this is about persistence and control, not just a one-off exploit.”
Varkey added that exploitation may not require direct internet exposure and could also occur from internal or VPN-reachable networks, advising organizations to close or restrict access to affected management ports temporarily.
Rebuild guidance and operational tradeoffs
Cisco has said that wiping and rebuilding appliances is currently required in cases where compromise has been confirmed.
“From a security standpoint, it is indeed the right call,” Tyagi said. “When there’s a risk that attackers have embedded themselves deep in a system, patching alone won’t solve the issue. Rebuilding is the only way to be confident the threat is fully removed.”
But Varkey said that this may not be a viable option for many organizations, as it introduces business risks, including downtime, misconfiguration, and the potential reintroduction of persistence through contaminated backups.
Enterprises will need to balance remediation speed with business continuity while relying on compensating controls to limit exposure. “Cisco Secure Email Gateway, Cisco Secure Email, and Web Manager are critical components of the email infrastructure,” Prabhu said. “Organizations would need to plan this activity in a way that minimizes downtime, but at the same time reduces the time window of compromise. In the interim, they could use other security measures like blocking ports on the firewall to limit exposure.”