Fixing and finding
Jump to remediation plan
CVE ID

CVE-2025-20393

Published 2025-12-17
Updated 4 months ago
Vendor/s
Cisco
Product/s
Multiple Products
Version/s
* > 15.0.5-016
KEV Status
Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalogue. Active exploitation observed in the wild.
CVSS Score (v3.1)
10
/ 10
Critical
Severity Details
Base score
10 Critical
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Description

Critical CVSS 10.0 RCE in Cisco Secure Email products. Actively exploited vulnerability allows root access via Spam Quarantine. Patch immediately.

CPE

Cisco logo
Cisco
Product Version Start Version End (excl.) Status
asyncos * 15.0.5-016 vulnerable
asyncos 15.5 15.5.4-012 vulnerable
asyncos 16.0 16.0.4-016 vulnerable
secure_email_gateway_virtual_appliance_c100v - - unaffected
secure_email_gateway_virtual_appliance_c300v - - unaffected
secure_email_gateway_virtual_appliance_c600v - - unaffected
secure_email_gateway_c195 - - unaffected
secure_email_gateway_c395 - - unaffected
secure_email_gateway_c695 - - unaffected
asyncos * 15.0.2-007 vulnerable
asyncos 15.5 15.5.4-007 vulnerable
asyncos 16.0 16.0.4-010 vulnerable
secure_email_and_web_manager_virtual_appliance_m100v - - unaffected
secure_email_and_web_manager_virtual_appliance_m300v - - unaffected
secure_email_and_web_manager_virtual_appliance_m600v - - unaffected
secure_email_and_web_manager_m170 - - unaffected
secure_email_and_web_manager_m190 - - unaffected
secure_email_and_web_manager_m195 - - unaffected
secure_email_and_web_manager_m380 - - unaffected
secure_email_and_web_manager_m390 - - unaffected
secure_email_and_web_manager_m390x - - unaffected
secure_email_and_web_manager_m395 - - unaffected
secure_email_and_web_manager_m680 - - unaffected
secure_email_and_web_manager_m690 - - unaffected
secure_email_and_web_manager_m690x - - unaffected
secure_email_and_web_manager_m695 - - unaffected

Related weakness (CWE)

CWE-20

Remediation plan

1

Apply official patches

Immediately install the security updates provided by Cisco for AsyncOS Software to close the command execution vulnerability in the Spam Quarantine feature.

2

Update affected systems

Upgrade Secure Email Gateway to versions 15.0.5-016, 15.5.4-012, or 16.0.4-016, and Secure Email and Web Manager to 15.0.2-007, 15.5.4-007, or 16.0.4-010.

3

Restrict access

Limit access to the Spam Quarantine web interface using firewall rules or Access Control Lists (ACLs) to ensure only authorized internal IP addresses can reach the service.

4

Monitor for exploitation

Audit device logs for suspicious HTTP requests directed at the Spam Quarantine component and monitor for unauthorized root-level shell activity or unexpected configuration changes.

Detection Guidance

Detecting exploitation of CVE-2025-20393 involves monitoring web logs for malformed HTTP requests containing shell metacharacters or command injection payloads targeting the Spam Quarantine URI. Security teams should look for unusual system-level activity, such as the execution of 'whoami' or 'id' commands by the web server process. Additionally, check for unexpected outbound network traffic from the appliance, which could indicate a reverse shell or data staging by an attacker.

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4 Vendor Advisory https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20393 US Government Resource

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)

Experience superior visibility and a simpler approach to cyber risk management

Get a demo
Free trial