CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
On December 10, Cisco became aware of a new cyberattack campaign targeting a limited subset of appliances with certain ports open to the internet that are running Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance. The ongoing investigation has revealed evidence of a persistence mechanism implanted by the threat actors to maintain a degree of control over compromised appliances.
Cisco has remediated the vulnerability that was exploited by the threat actors as part of the cyberattack campaign. For more information about this vulnerability, see the Details section of this advisory.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Cisco strongly recommends that customers follow the guidance provided in the Recommendations section of this advisory to assess exposure and mitigate risks.
Cisco Talos wrote about these attacks in the blog post UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
Affected Products
Cisco has concluded its current investigation of this attack campaign. Cisco will update this advisory as appropriate as more information becomes available, although that is not currently anticipated.
This attack campaign targets Cisco Secure Email Gateway, both physical and virtual, and Cisco Secure Email and Web Manager appliances, both physical and virtual, when all the following conditions are met:
- The appliance is running a vulnerable release of Cisco AsyncOS Software.
- The appliance is configured with the Spam Quarantine feature.
- The Spam Quarantine feature is exposed to and reachable from the internet.
Vulnerable Products
The vulnerability exploited by the threat actors affects Cisco Secure Email Gateway, both physical and virtual, and Cisco Secure Email and Web Manager appliances, both physical and virtual, when the appliance is configured with the Spam Quarantine feature, which is not enabled by default. Deployment guides for these products do not require this feature to be directly exposed to the Internet.
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.
Determine Whether Spam Quarantine Is Enabled on a Cisco Secure Email Gateway Appliance
To determine whether the Spam Quarantine feature is configured and enabled on an appliance, connect to the web management interface and navigate to the following menu: Network > IP Interfaces > [Select the Interface on which Spam Quarantine is configured]. If the checkbox next to Spam Quarantine is checked, the feature is enabled.
Determine Whether Spam Quarantine Is Enabled on a Cisco Secure Email and Web Manager Appliance
To determine whether the Spam Quarantine feature is configured and enabled on an appliance, connect to the web management interface and navigate to the following menu: Management Appliance > Network > IP Interfaces > [Select the interface on which Spam Quarantine is configured]. If the checkbox next to Spam Quarantine is checked, the feature is enabled.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that all devices that are part of Cisco Secure Email Cloud are not affected.
Cisco is not aware of any exploitation activity against Cisco Secure Web.
Details
Cisco has remediated the vulnerability exploited by the threat actors as part of the cyberattack campaign. Details about this vulnerability are as follows:
CVE-2025-20393: Cisco Secure Email Gateway And Cisco Secure Email and Web Manager Remote Command Execution Vulnerability
A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to execute arbitrary system commands on an affected device with root privileges.
This vulnerability is due to insufficient validation of HTTP requests by the Spam Quarantine feature. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Bug ID(s): CSCws36549, CSCws52505
CVE ID: CVE-2025-20393
Security Impact Rating (SIR): Critical
CVSS Base Score: 10.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Indicators of Compromise
As part of the attack campaign described in this advisory, the threat actor implanted a persistent covert channel that was used to remotely access the compromised appliance.
Customers who wish to explicitly verify whether an appliance has been compromised can open a Cisco Technical Assistance Center (TAC) case. To expedite our investigation into the potential compromise, ensure that remote access is enabled on the affected appliances. For more guidance, see this tech note.
Cisco strongly recommends following the guidance listed in the Recommendations section of this advisory.
Workarounds
No workarounds have been identified that directly mitigate the risk from this attack campaign. Administrators should instead follow the guidance provided in the Recommendations section of this advisory.
Fixed Software
Fixed Releases
In the following tables, the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerability that is described in this advisory and the first release that includes the fix for this vulnerability. Customers are advised to upgrade to an appropriate fixed software release as indicated in this section.
Cisco Email Security Gateway

Cisco AsyncOS Software Release | First Fixed Release
14.2 and earlier | 15.0.5-016
15.0 | 15.0.5-016
15.5 | 15.5.4-012
16.0 | 16.0.4-016

Secure Email and Web Manager

Cisco AsyncOS Software Release | First Fixed Release
15.0 and earlier | 15.0.2-007
15.5 | 15.5.4-007
16.0 | 16.0.4-010

The software can be upgraded over the network by using the System Upgrade options in the web-based management interface of the appliance.
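As an added example (not Cisco's code), the exposure check that the Affected Products conditions and the fixed-release tables above describe, in Python: it parses AsyncOS release strings, maps a running release to the first fixed release for its train, and combines that with the Spam Quarantine and internet-reachability conditions the advisory names. The product keys "esa" and "sma", the function names and the inventory entries are constructed for illustration.

```python
import re
from typing import Optional

# Fixed-release tables from this advisory. Each entry is (train, first fixed release);
# the lowest listed train also covers every earlier train ("14.2 and earlier" for the
# Secure Email Gateway, "15.0 and earlier" for the Secure Email and Web Manager).
FIXED_RELEASES = {
    "esa": [((15, 0), "15.0.5-016"), ((15, 5), "15.5.4-012"), ((16, 0), "16.0.4-016")],
    "sma": [((15, 0), "15.0.2-007"), ((15, 5), "15.5.4-007"), ((16, 0), "16.0.4-010")],
}

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")

def parse_release(release: str) -> tuple:
    """Turn an AsyncOS release string such as '15.0.5-016' into a comparable tuple."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS release: {release!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))

def first_fixed_release(product: str, running: str) -> Optional[str]:
    """First fixed release for the running train, or None when the train is newer than
    any train the advisory lists (the advisory makes no statement about such trains)."""
    table = FIXED_RELEASES[product]
    train = parse_release(running)[:2]
    if train > table[-1][0]:
        return None
    return next(fixed for listed, fixed in table if train <= listed)

def assess(product: str, running: str, spam_quarantine: bool, internet_reachable: bool) -> dict:
    """Combine the release check with the two configuration conditions the advisory names.
    'vulnerable' is None when the advisory does not cover the running train."""
    target = first_fixed_release(product, running)
    if target is None:
        return {"vulnerable": None, "upgrade_to": None, "campaign_conditions_met": None}
    vulnerable = parse_release(running) < parse_release(target)
    return {
        "vulnerable": vulnerable,
        "upgrade_to": target if vulnerable else None,
        "campaign_conditions_met": vulnerable and spam_quarantine and internet_reachable,
    }

if __name__ == "__main__":
    # Constructed inventory (hypothetical hostnames and releases, not from the advisory).
    inventory = [("esa-01", "esa", "14.2.1-020", True, True), ("sma-01", "sma", "15.0.2-007", True, True)]
    for host, product, release, sq, inet in inventory:
        print(host, release, assess(product, release, sq, inet))
```

A release on a train newer than any the advisory lists is reported as not covered rather than as fixed, which matches the statement that PSIRT validates only the release information documented here.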
To upgrade a device by using the web-based management interface, do the following:
- Choose System Administration > System Upgrade.
- Click Upgrade Options.
- Click Download and Install.
- Choose a release to upgrade to.
- In the Upgrade Preparation area, choose the appropriate options.
- Click Proceed to begin the upgrade. A progress bar displays the status of the upgrade.
After the upgrade is complete, the device reboots.
To upgrade a device by using the CLI, do the following:
- Type upgrade.
- Select DOWNLOADINSTALL.
- Choose a release to upgrade to.
- Choose the appropriate options throughout the upgrade process.
After the upgrade is complete, the device reboots.
Cisco Secure Email Cloud includes Cisco Secure Email Gateway and Cisco Secure Email and Web Manager devices as part of the service solution. Cisco provides regular maintenance of the products included in this solution. Customers can also request a software upgrade by contacting Cisco Secure Email Cloud support.
The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.
Recommendations
Cisco recommends upgrading the affected appliances to a fixed software release. The fix addresses the vulnerability used by threat actors and clears the persistence mechanisms that were identified in this attack campaign and installed on the appliances.
Administrators who need confirmation of whether an appliance has been compromised should contact TAC.
The Useful Resources section contains additional information that is relevant to the attack campaign reported in this advisory.
General Recommendations For Hardening
- Prevent access from unsecured networks, such as the Internet, to the appliance. If internet access to the appliance is required, restrict appliance access to only known, trusted hosts on the ports and protocols that are listed in the user guides.
- Protect Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances behind a filtering device such as a firewall, and filter traffic to/from the appliances while only allowing known, trusted hosts to send traffic to the appliances. Using a two-layer firewall can provide flexibility in network planning so that end users do not connect directly to the outer DMZ. See the Deployment sections of the User Guides for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.
- For Cisco Secure Email Gateway, separate mail and management functionality onto separate network interfaces. This reduces the chance of unauthorized users accessing the internal Management Network. For more information, see the device user guides.
- Regularly monitor web log traffic for any unexpected traffic to/from appliances. Logging should be sent to an external server, if possible, and kept for a long enough duration so that post-event investigations can be performed with sufficient log data.
- Disable HTTP for the main administrator portal.
- Disable any network services that are not required, including HTTP and FTP. For more information about specific service functionality, see the Cisco Secure Email Gateway and Cisco Secure Email and Web Manager user guides.
- Upgrade the appliance to the latest version of Cisco AsyncOS Software.
- Use a strong form of end-user authentication to the appliances, such as SAML or Lightweight Directory Access Protocol (LDAP). For more secure methods of authentication, see Authentication Options for End Users Accessing Spam Management Features.
- Change the default administrator password to a more secure variant. Restrict access to the administrator account by creating user accounts based on necessary access requirements. In addition, create operator accounts for all administrators.
- Use SSL/TLS; obtain an SSL certificate from a certificate authority (CA) or create a self-signed certificate.
Useful Resources
The following resources can help restore an affected appliance to a secure state. Some of the documents are related to a specific product, but the procedures are mostly interchangeable. If customers have specific questions about a procedure, contact TAC.
To download replacement Virtual Appliances, visit the relevant Cisco Software Download page:
For information about exporting reporting data from an appliance, see Working with Reports.
For information about how to purge messages in the quarantine, see Spam Quarantine.
For additional information, see Centralizing Policy, Virus, and Outbreak Quarantines.
Exploitation and Public Announcements
In December 2025, the Cisco Product Security Incident Response Team (PSIRT) became aware of potentially malicious activity that targets Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances.
Source
This vulnerability was found during the resolution of a Cisco Technical Assistance Center (TAC) support case.
Cisco Security Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision History

Version | Description | Section | Status | Date
2.0 | Aligned with Cisco Business Unit fixes for code releases. Added information about the vulnerability. Added CSCws52505. Updated affected products and added fixed releases. | Header, Summary, Affected Products, Fixed Products | Final | 2026-JAN-15
1.0 | Initial public release. | — | Interim | 2025-DEC-17
SOFTWARE DOWNLOADS AND TECHNICAL SUPPORT
The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. Please note that customers may download only software that was procured from Cisco directly or through a Cisco authorized reseller or partner and for which the license is still valid.
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC). Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
When considering software upgrades, customers are advised to regularly consult the advisories for the relevant Cisco products to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
LEGAL DISCLAIMER DETAILS
CISCO DOES NOT MAKE ANY EXPRESS OR IMPLIED GUARANTEES OR WARRANTIES OF ANY KIND, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, CISCO DOES NOT GUARANTEE THE ACCURACY OR COMPLETENESS OF THIS INFORMATION. THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
Copies or summaries of the information contained in this Security Advisory may lack important information or contain factual errors. Customers are advised to visit the Cisco Security Advisories page for the most recent version of this Security Advisory. The Cisco Product Security Incident Response Team (PSIRT) assesses only the affected and fixed release information that is documented in this advisory. See the Cisco Security Vulnerability Policy for more information.