Cisco said attackers were exploiting a previously unknown weakness in its email and web security appliances.
Cybersecurity experts are warning that the very tools designed to protect organisations’ email and web traffic have become a prime target for hackers, after a China-linked group was found breaking into widely used American security equipment.
Cisco said attackers were exploiting a previously unknown weakness in its email and web security appliances — systems that often sit at the edge of corporate networks and filter huge volumes of incoming data.
Because these devices are trusted and always online, compromising them can give hackers a powerful foothold inside an organisation.
What makes this attack different
Cisco Talos, the company’s in-house security research team, said the flaw was a so-called “zero-day” vulnerability — meaning it was unknown to the manufacturer and defenders at the time of the attacks, leaving victims with no warning and no patch.
In simple terms, the bug allowed attackers to take full control of affected devices, giving them the same level of access as an administrator. From there, they could run commands, install malicious software, and potentially move deeper into internal networks.
Who is believed to be responsible
Cisco Talos said the activity is linked to a hacking group it tracks as UAT-9686. Based on the digital infrastructure and tools used, Talos assessed with “moderate confidence” that the attackers are connected to the Chinese state.
The hackers used custom software designed to maintain long-term access and quietly erase evidence of their activity, suggesting a focus on stealth rather than immediate disruption.
Why email security systems are high-value targets
Email gateways are one of the first lines of defence against phishing, malware, and espionage attempts. If an attacker controls that gateway, they can potentially monitor communications, block security alerts, or inject malicious messages that appear legitimate.
Security analysts say attacks on these “edge devices” are becoming more common because they combine broad visibility with weaker monitoring than internal servers.
Government warning and response
The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalogue, the agency's list of vulnerabilities confirmed to be under active exploitation, warning that it poses a real risk to organisations using the affected devices.
CISA has instructed federal agencies to address the issue by December 24, even though Cisco has not yet released a full software fix. Cisco has published guidance on steps customers can take to reduce exposure in the meantime.
Part of a growing pattern
While this incident has been linked to China, analysts say the bigger trend is the increasing focus on hacking network “gatekeepers” — devices that sit between the open internet and private systems.
By targeting these choke points, attackers can bypass many traditional defences in a single move, making zero-day exploits against edge infrastructure one of the most concerning developments in modern cyber warfare.
Sources: CISA, GreyNoise, SonicWall