CVSS v3.1 base score: 10.0 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
On December 10, Cisco became aware of a new cyberattack campaign targeting a limited subset of internet-exposed appliances running Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance. The ongoing investigation has revealed evidence of a persistence mechanism planted by the threat actors to maintain a degree of control over compromised appliances.
Cisco strongly recommends that customers follow the guidance provided in the Recommendations section of this advisory to assess exposure and mitigate risks.
Cisco Talos discussed these attacks in the blog post UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
Affected Products
Cisco continues to investigate this attack campaign. As the investigation progresses, Cisco will update this advisory as appropriate as more information becomes available.
Vulnerable Products
This attack campaign affects Cisco Secure Email Gateway, both physical and virtual, and Cisco Secure Email and Web Manager appliances, both physical and virtual, when both of the following conditions are met:
- The appliance is configured with the Spam Quarantine feature.
- The Spam Quarantine feature is exposed to and reachable from the internet.
The Spam Quarantine feature is not enabled by default, and the deployment guides for these products do not require the Spam Quarantine port to be directly exposed to the internet.
Note: All releases of Cisco AsyncOS Software are affected by this attack campaign.
Determine Whether Spam Quarantine Is Enabled on a Cisco Secure Email Gateway Appliance
To determine whether the Spam Quarantine feature is configured and enabled on an appliance, connect to the web management interface and navigate to the following menu: Network > IP Interfaces > [Select the Interface on which Spam Quarantine is configured]. If the checkbox next to Spam Quarantine is checked, the feature is enabled.
Determine Whether Spam Quarantine Is Enabled on a Cisco Secure Email and Web Manager Appliance
To determine whether the Spam Quarantine feature is configured and enabled on an appliance, connect to the web management interface and navigate to the following menu: Management Appliance > Network > IP Interfaces > [Select the interface on which Spam Quarantine is configured]. If the checkbox next to Spam Quarantine is checked, the feature is enabled.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this attack campaign.
Cisco has confirmed that all devices that are part of Cisco Secure Email Cloud are not affected.
Cisco is not aware of any exploitation activity against Cisco Secure Web.
Indicators of Compromise
As part of the attack campaign described in this advisory, the threat actor planted a persistent covert channel that was used to remotely access the compromised appliance.
Customers who wish to explicitly verify whether an appliance has been compromised can open a Cisco Technical Assistance Center (TAC) case. To expedite our investigation into the potential compromise, please ensure that remote access is enabled on the affected appliances. For more guidance, see this tech note.
In any case, Cisco strongly recommends following the guidance listed in the Recommendations section of this advisory.
Workarounds
There are no workarounds identified that directly mitigate the risk concerning this attack campaign, but administrators can view and follow the guidance provided in the Recommendations section of this advisory.
Recommendations
If an appliance has been identified as having the web management interface or the Spam Quarantine port exposed to and reachable from the internet, Cisco strongly recommends following a multi-step process to restore the appliance to a secure configuration, when possible. For additional information, see Useful Resources at the end of this section.
If restoring the appliance is not possible, Cisco recommends contacting TAC to check whether the appliance has been compromised. If compromise is confirmed, rebuilding the appliance is currently the only viable option to eradicate the threat actor's persistence mechanism.
In addition, Cisco strongly recommends restricting access to the appliance and implementing robust access control mechanisms to ensure that ports are not exposed to unsecured networks.
General Recommendations For Hardening
- Prevent access from the internet to the appliance. If internet access to the appliance is required, restrict appliance access to only known, trusted hosts on ports/protocols that are included in the user guides.
- Protect Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances behind a filtering device such as a firewall, and filter traffic to/from the appliances while only allowing known, trusted hosts to send traffic to the appliances. Using a two-layer firewall can provide flexibility in network planning so that end users do not connect directly to the outer DMZ. See the Deployment sections of the User Guides for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.
- For Cisco Secure Email Gateway, separate mail and management functionality onto separate network interfaces. This reduces the chance of unauthorized users accessing the internal Management Network. For more information, see the device user guides.
- Regularly monitor web access logs for any unexpected traffic to/from appliances. Send logging to an external server, if possible, so that an attacker with root access to the appliance cannot alter or delete the local copy, and retain it long enough that post-event investigations can be performed with sufficient log data.
- Disable HTTP for the main administrator portal.
- Disable any network services that are not required, including HTTP and FTP. For more information about specific service functionality, see the Cisco Secure Email Gateway and Cisco Secure Email and Web Manager user guides.
- Upgrade the appliance to the latest version of Cisco AsyncOS Software.
- Use a strong form of end-user authentication to the appliances, such as SAML or Lightweight Directory Access Protocol (LDAP). For more secure methods of authentication, see Authentication Options for End Users Accessing Spam Management Features.
- Change the default administrator password to a strong, unique one. Restrict use of the administrator account by creating user accounts based on necessary access requirements, and create operator accounts for all administrators for day-to-day work.
- Enable SSL/TLS on the appliance with a certificate obtained from a certificate authority (CA), or a self-signed certificate where a CA-issued one is not available; a CA-issued certificate lets clients detect interception.
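The recommendations above to restrict access to trusted hosts and to ship logs off the appliance are easier to act on with a small triage script over the exported web logs. The following is an added example, not code from Cisco or from this advisory. It assumes an Apache-style combined access log with the appliance-side destination port appended as a final field (the native AsyncOS log format is not assumed here); the trusted networks, the Spam Quarantine ports and the log lines are placeholders constructed for the example.

```python
import ipaddress
import re
from datetime import datetime

# Networks allowed to reach the management interface and the Spam Quarantine.
# Placeholder values for this example; use your own allow-list.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.50.0/24")]

# TCP ports on which the Spam Quarantine is assumed to listen in this example;
# confirm the actual ports under Network > IP Interfaces on the appliance.
QUARANTINE_PORTS = {82, 83}

# Constructed sample lines, not real AsyncOS output: Apache combined format
# with the appliance-side destination port appended as a final field.
SAMPLE_LOG = """\
10.20.3.4 - - [10/Dec/2025:08:15:02 +0000] "GET /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0" 83
203.0.113.77 - - [10/Dec/2025:08:16:44 +0000] "GET /login HTTP/1.1" 200 1532 "-" "curl/8.4.0" 83
203.0.113.77 - - [10/Dec/2025:08:16:45 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.4.0" 83
203.0.113.77 - - [10/Dec/2025:08:16:50 +0000] "GET /search HTTP/1.1" 200 77 "-" "curl/8.4.0" 83
192.168.50.10 - admin [10/Dec/2025:09:01:10 +0000] "GET /system_administration HTTP/1.1" 200 9001 "-" "Mozilla/5.0" 443
198.51.100.9 - - [10/Dec/2025:09:05:00 +0000] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.31" 443
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" (?P<port>\d+)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["status"] = int(rec["status"])
    rec["port"] = int(rec["port"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_trusted(ip):
    """True if the source address falls inside one of the allow-listed networks."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    return any(ip in net for net in TRUSTED_NETS)


def find_untrusted_access(log_text):
    """Return every request to the appliance that came from outside TRUSTED_NETS.

    Each finding records which service was reached: the Spam Quarantine or the
    management interface. Unparseable lines are skipped rather than raising.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_trusted(rec["src"]):
            continue
        rec["service"] = "spam-quarantine" if rec["port"] in QUARANTINE_PORTS else "management"
        findings.append(rec)
    return findings


def summarize_by_source(findings):
    """Aggregate untrusted requests per source IP (count, services, paths, time window)."""
    summary = {}
    for f in findings:
        s = summary.setdefault(str(f["src"]), {
            "count": 0, "services": set(), "paths": set(),
            "first_seen": f["ts"], "last_seen": f["ts"],
        })
        s["count"] += 1
        s["services"].add(f["service"])
        s["paths"].add(f["path"])
        s["first_seen"] = min(s["first_seen"], f["ts"])
        s["last_seen"] = max(s["last_seen"], f["ts"])
    return summary


if __name__ == "__main__":
    for src, s in summarize_by_source(find_untrusted_access(SAMPLE_LOG)).items():
        print(f"{src}: {s['count']} request(s) to {sorted(s['services'])} "
              f"between {s['first_seen'].isoformat()} and {s['last_seen'].isoformat()}; "
              f"paths {sorted(s['paths'])}")
```

Any source that appears in the summary is, by definition, a host that could reach the Spam Quarantine or management port without being on the allow-list, which is the exposure condition this advisory describes; those sources are the first candidates to hand to TAC together with the timestamps. Run it against the externally stored copy of the logs, not the copy on a possibly compromised appliance.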
Useful Resources
The following resources can help restore an affected appliance to a secure state. Some of the documents are related to a specific product, but the procedures are mostly interchangeable. If customers have specific questions about a procedure, contact TAC.
To download replacement Virtual Appliances, visit the relevant Cisco Software Download page:
For information about exporting reporting data from an appliance, see Working with Reports.
For information about how to purge messages in the quarantine, see Spam Quarantine.
For additional information, see Centralizing Policy, Virus, and Outbreak Quarantines.
Exploitation and Public Announcements
In December 2025, the Cisco Product Security Incident Response Team (PSIRT) became aware of potentially malicious activity that targets Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances.
Source
This attack campaign was initially found during the resolution of a Cisco TAC support case.
Cisco Security Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision History
Version   Description              Section   Status    Date
1.0       Initial public release.  —         Interim   2025-DEC-17
SOFTWARE DOWNLOADS AND TECHNICAL SUPPORT
The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. Please note that customers may download only software that was procured from Cisco directly or through a Cisco authorized reseller or partner and for which the license is still valid.
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC). Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
When considering software upgrades, customers are advised to regularly consult the advisories for the relevant Cisco products to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
LEGAL DISCLAIMER DETAILS
CISCO DOES NOT MAKE ANY EXPRESS OR IMPLIED GUARANTEES OR WARRANTIES OF ANY KIND, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, CISCO DOES NOT GUARANTEE THE ACCURACY OR COMPLETENESS OF THIS INFORMATION. THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
Copies or summaries of the information contained in this Security Advisory may lack important information or contain factual errors. Customers are advised to visit the Cisco Security Advisories page for the most recent version of this Security Advisory. The Cisco Product Security Incident Response Team (PSIRT) assesses only the affected and fixed release information that is documented in this advisory. See the Cisco Security Vulnerability Policy for more information.