Cisco warns of fresh cyber intrusions

Cisco has said that a sophisticated group of China-linked hackers is actively exploiting a previously unknown vulnerability to breach the networks of its customers, raising concerns across governments and large enterprises that rely on the company’s equipment for critical communications and data traffic.

The company disclosed that the attackers have been using a zero-day flaw to gain unauthorised access to affected systems before patches were available, allowing them to move laterally inside networks, exfiltrate data and establish long-term persistence. Cisco said the activity was identified through a combination of internal telemetry, customer reports and threat-hunting operations, prompting an urgent security advisory and mitigation guidance.

According to the company, the exploit targets components widely deployed in enterprise and service-provider environments, increasing the potential scale of exposure. Cisco said it had not found evidence that the vulnerability was used in mass, automated attacks, suggesting the campaign was selective and intelligence-driven. Security teams were advised to assume that compromised devices could have been used as entry points for deeper network access rather than isolated incidents.

The hackers are assessed to be linked to a long-running cluster associated by Western governments and cybersecurity firms with China’s state-aligned cyber-espionage apparatus. Such groups are known for patient, stealthy operations that prioritise access to strategic networks over immediate financial gain. Cisco did not name the group but said the tactics, techniques and procedures matched patterns previously observed in campaigns targeting telecommunications providers, government agencies and defence-linked contractors.

The disclosure adds to mounting evidence that network infrastructure vendors remain prime targets for advanced threat actors. By compromising routers, switches or security appliances, attackers can gain visibility into vast amounts of traffic while evading traditional endpoint detection tools. Analysts say this approach allows intruders to remain undetected for extended periods, particularly in environments where network devices are patched less frequently than servers or user machines.

Cisco said it has released software updates to address the flaw and urged customers to apply patches immediately. For systems that cannot be updated at once, the company recommended temporary workarounds, including disabling exposed services and tightening access controls. It also advised organisations to review logs for signs of unusual authentication activity, configuration changes or outbound connections to unfamiliar destinations.
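The log review Cisco recommends above, worked through as an added Python example (not code from Cisco or from the article): it triages constructed Cisco IOS-style syslog lines for logins and configuration changes originating outside an assumed management network, and for a login that succeeds after repeated failures from the same source. The device name, addresses and the trusted subnet are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed Cisco IOS-style syslog lines (sample data, not taken from any real device).
SAMPLE_LOGS = [
    "Mar 1 02:11:04 edge-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.0.15] [localport: 22]",
    "Mar 1 02:13:40 edge-rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.23] [localport: 22] [Reason: Login Authentication Failed]",
    "Mar 1 02:13:44 edge-rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.23] [localport: 22] [Reason: Login Authentication Failed]",
    "Mar 1 02:13:49 edge-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.23] [localport: 22]",
    "Mar 1 02:15:02 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty1 (198.51.100.23)",
    "Mar 1 09:30:00 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.20.0.15)",
]

# Assumed management network: logins and config changes are expected only from here.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(SUCCESS|FAILED): .*?\[user: (\S+)\] \[Source: ([\d.]+)\]")
CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+) on \S+ \(([\d.]+)\)")

def is_trusted(ip):
    """True when the source address falls inside an expected management network."""
    return any(ipaddress.ip_address(ip) in net for net in MGMT_NETS)

def triage(lines, fail_threshold=2):
    """Return (severity, reason, line) findings for the authentication and
    configuration-change anomalies the mitigation guidance asks teams to look for."""
    findings = []
    failures = Counter()  # (user, source) -> failed-login count seen so far
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            outcome, user, src = m.groups()
            if outcome == "FAILED":
                failures[(user, src)] += 1
            if not is_trusted(src):
                sev = "high" if outcome == "SUCCESS" else "medium"
                findings.append((sev, f"{outcome.lower()} login for {user} from untrusted {src}", line))
            if outcome == "SUCCESS" and failures[(user, src)] >= fail_threshold:
                findings.append(("high", f"success after {failures[(user, src)]} failures for {user}", line))
            continue
        m = CONFIG_RE.search(line)
        if m and not is_trusted(m.group(2)):
            findings.append(("high", f"config change by {m.group(1)} from untrusted {m.group(2)}", line))
    return findings
```

Running `triage(SAMPLE_LOGS)` on the constructed data yields five findings, three of them high: the successful login and the configuration change from the untrusted address, and the success that follows two failures.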

The incident underscores a broader trend in which zero-day vulnerabilities are increasingly weaponised by state-linked actors rather than reserved for criminal markets. Researchers note that such flaws are valuable for espionage because they allow access without triggering known signatures. The speed with which the vulnerability was exploited suggests prior knowledge, raising questions about how long it may have been known and stockpiled before use.

Governments have repeatedly warned that cyber operations form an integral part of strategic competition, particularly in the contest for technological and geopolitical influence. Accusations of state-backed hacking are routinely denied by Beijing, which has said it opposes all forms of cybercrime and itself faces persistent attacks. Nonetheless, officials in several countries have pointed to a pattern of intrusions aimed at intellectual property, critical infrastructure and policy-making institutions.

For enterprises, the episode highlights the difficulty of defending against threats that originate deep within trusted infrastructure. Security specialists say organisations should treat network devices as high-value assets requiring the same level of monitoring as servers and cloud workloads. This includes continuous vulnerability scanning, rapid patch management and network segmentation to limit the impact of a single compromised component.

Cisco said it is working closely with customers and public-sector partners to share indicators of compromise and improve collective defences. The company also said it has expanded its threat intelligence efforts to detect similar exploitation attempts earlier, acknowledging that vendors play a central role in the security posture of global networks.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
