Hundreds of Cisco customers are vulnerable to new Chinese hacking campaign, researchers say

Cisco has not said how many of its customers have already been hacked, or may be running vulnerable systems. Now, security researchers say there are hundreds of Cisco customers who could potentially be hacked.

Piotr Kijewski, the chief executive of the nonprofit Shadowserver Foundation, which scans and monitors the internet for hacking campaigns, told TechCrunch that the scale of exposure “seems more in the hundreds rather than thousands or tens of thousands.”

Kijewski said the foundation was not seeing widespread activity, presumably because “current attacks are targeted.”

Cisco said these systems are only vulnerable if they are reachable from the internet and have its “spam quarantine” feature enabled. Neither of those two conditions is enabled by default, per Cisco, which would explain why there appear to be relatively few vulnerable systems on the internet.

Cisco did not respond to a request for comment asking whether the company could corroborate the numbers seen by Shadowserver and Censys.

The bigger problem with this hacking campaign is that there are no patches available. Cisco recommends that customers wipe and “restore an affected appliance to a secure state,” as a way to remediate any breach.

“In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors persistence mechanism from the appliance,” the company wrote in its advisory.

According to Cisco’s threat intelligence arm Talos, the hacking campaign has been ongoing since “at least late November 2025.”