Cisco confirms zero-day exploitation of Secure Email products

It is also not clear how many enterprises may have enabled the feature in production environments, said Keith Prabhu, founder and CEO of Confidis.

“The Spam Quarantine provides a way for administrators to review and release ‘false positives,’ i.e., legitimate email messages that the appliance has deemed to be spam,” Prabhu said. “In today’s remote support and 24×7 operations, it is entirely possible that this feature has been enabled by many enterprises.”

Akshat Tyagi, associate practice leader at HFS Research, said the bigger concern is the nature of the target. Unlike a user laptop or a standalone server, email security systems sit at the center of how organizations filter and trust email traffic, meaning attackers would be operating inside infrastructure designed to stop threats rather than receive them.

“The fact that there’s no patch yet elevates the risk further,” Tyagi said. “When the vendor’s guidance is to rebuild appliances rather than clean them in place, it tells you this is about persistence and control, not just a one-off exploit.”

Varkey added that exploitation may not require direct internet exposure and could also occur from internal or VPN-reachable networks, advising organizations to close or restrict access to affected management ports temporarily.

Rebuild guidance and operational tradeoffs

Cisco has said that wiping and rebuilding appliances is currently required in cases where compromise has been confirmed.
