{"id":6265,"date":"2025-12-18T10:58:30","date_gmt":"2025-12-18T10:58:30","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6265"},"modified":"2025-12-18T10:58:30","modified_gmt":"2025-12-18T10:58:30","slug":"cisco-confirms-zero-day-exploitation-of-secure-email-products","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6265","title":{"rendered":"Cisco confirms zero-day exploitation of Secure Email products"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Cisco has warned that a China-linked hacking group is actively exploiting a previously unknown vulnerability in its Secure Email appliances to gain persistent access, forcing affected organizations to consider disruptive rebuilds of critical security infrastructure while patches remain unavailable.<\/p>\n<p>Cisco Talos said the campaign has been active since <a href=\"https:\/\/blog.talosintelligence.com\/uat-9686\/\" target=\"_blank\" rel=\"noopener\">at least late November<\/a>, raising concerns for security leaders about unseen compromise and how far incident response efforts may need to extend beyond the affected devices.<\/p>\n<p>The vulnerability affects Cisco Secure Email Gateway, Cisco Secure Email, and Web Manager appliances running AsyncOS, but only in configurations where the Spam Quarantine feature is enabled and exposed to the internet, according to Cisco.<\/p>\n<p>The company said there is currently no patch available, and that rebuilding affected appliances is the only way to fully remove the attackers\u2019 persistence mechanisms in 
confirmed compromise cases.<\/p>\n<h2 class=\"wp-block-heading\">Enterprise exposure and risk scope<\/h2>\n<p>Cisco said that systems where the Spam Quarantine feature is not enabled are not affected, but analysts said this does not necessarily <a href=\"https:\/\/www.csoonline.com\/article\/4073996\/the-expanding-ciso-role-from-security-operator-to-enterprise-risk-strategist.html\">reduce enterprise risk<\/a>.<\/p>\n<p>\u201cThis vulnerability may remain a high-risk issue because affected appliances typically sit in privileged network positions, even though the feature is not enabled by default,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/sunilvarkey1\/\" target=\"_blank\" rel=\"noopener\">Sunil Varkey<\/a>, a cybersecurity analyst.<\/p>\n<p>It is also not clear how many enterprises may have enabled the feature in production environments, said <a href=\"https:\/\/confidis.co\/about\/our-leadership-team\/\" target=\"_blank\" rel=\"noopener\">Keith Prabhu<\/a>, founder and CEO of Confidis.<\/p>\n<p>\u201cThe Spam Quarantine provides a way for administrators to review and release \u2018false positives,\u2019 i.e., legitimate email messages that the appliance has deemed to be spam,\u201d Prabhu said. \u201cIn today\u2019s remote support and 24\u00d77 operations, it is entirely possible that this feature has been enabled by many enterprises.\u201d<\/p>\n<p><a href=\"https:\/\/www.hfsresearch.com\/team\/akshat-tyagi\/\" target=\"_blank\" rel=\"noopener\">Akshat Tyagi<\/a>, associate practice leader at HFS Research, said the bigger concern is the nature of the target. Unlike a user laptop or a standalone server, email security systems sit at the center of how organizations filter and trust email traffic, meaning attackers would be operating inside infrastructure designed to stop threats rather than receive them.<\/p>\n<p>\u201cThe fact that there\u2019s no patch yet elevates the risk further,\u201d Tyagi said. 
\u201cWhen the vendor\u2019s guidance is to rebuild appliances rather than clean them in place, it tells you this is about persistence and control, not just a one-off exploit.\u201d<\/p>\n<p>Varkey added that exploitation may not require direct internet exposure and could also occur from internal or VPN-reachable networks, advising organizations to close or restrict access to affected management ports temporarily.<\/p>\n<h2 class=\"wp-block-heading\">Rebuild guidance and operational tradeoffs<\/h2>\n<p>Cisco has said that wiping and rebuilding appliances is currently required in cases where compromise has been confirmed.<\/p>\n<p>\u201cFrom a security standpoint, it is indeed the right call,\u201d Tyagi said. \u201cWhen there\u2019s a risk that attackers have embedded themselves deep in a system, patching alone won\u2019t solve the issue. Rebuilding is the only way to be confident the threat is fully removed.\u201d<\/p>\n<p>But Varkey said that this may not be a viable option for many organizations, as it introduces business risks, including downtime, misconfiguration, and the potential reintroduction of persistence through contaminated backups.<\/p>\n<p>Enterprises will need to balance remediation speed with business continuity while relying on compensating controls to limit exposure. \u201cCisco Secure Email Gateway, Cisco Secure Email, and Web Manager are critical components of the email infrastructure,\u201d Prabhu said. \u201cOrganizations would need to plan this activity in a way that minimizes downtime, but at the same time reduces the time window of compromise. 
In the interim, they could use other security measures like blocking ports on the firewall to limit exposure.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Cisco has warned that a China-linked hacking group is actively exploiting a previously unknown vulnerability in its Secure Email appliances to gain persistent access, forcing affected organizations to consider disruptive rebuilds of critical security infrastructure while patches remain unavailable. 
Cisco Talos said the campaign has been active since at least late November, raising concerns for [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6258,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6265","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6265"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6265"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6265\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6258"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6265"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6265"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6265"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}