**Critical Cisco Secure Email Gateway Vulnerability Exploited in Ongoing Attacks**
Cisco has disclosed an active cyberattack campaign targeting vulnerabilities in its Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances running Cisco AsyncOS Software. The flaw, tracked as CVE-2025-20393 (CVSS 10.0), allows threat actors to execute arbitrary commands with root privileges, enabling full system compromise.
The vulnerability affects both physical and virtual instances of the appliances when the Spam Quarantine feature is enabled and exposed to the internet—a configuration not enabled by default per Cisco’s deployment guidelines. Cisco Secure Email Cloud remains unaffected, and there is no evidence of exploitation targeting Cisco Secure Web.
Attack Details & Timeline
The campaign was first detected through a Cisco Technical Assistance Center (TAC) case, with Cisco Talos confirming active exploitation. Attackers exploited exposed ports to gain unauthorized root access, disable security tools, and establish persistence mechanisms for long-term control. Compromised appliances may require a full rebuild to remove embedded threats.
Mitigation & Hardening Measures
Cisco has stated that no direct workarounds exist for CVE-2025-20393. Organizations are advised to:
- Restrict appliance access to trusted hosts and avoid direct internet exposure.
- Deploy behind firewalls, filtering traffic to allow only authorized communication.
- Separate mail and management interfaces to limit internal access risks.
- Monitor web logs and forward them to external servers for analysis.
- Disable unnecessary services (HTTP, FTP) and enforce SSL/TLS with trusted certificates.
- Upgrade to the latest AsyncOS release and implement strong authentication (SAML, LDAP).
Broader Impact
The incident highlights risks posed by misconfigured network services, emphasizing the need for immediate exposure assessment, access restrictions, and continuous monitoring. Organizations should consult Cisco TAC if compromise is suspected.
Source: https://thecyberexpress.com/cisco-cve-2025-20393-secure-email-cyberattack/
Cisco cybersecurity rating report: https://www.rankiteo.com/company/cisco
"id": "CIS1766051696",
"linkid": "cisco",
"type": "Vulnerability",
"date": "12/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'industry': 'Technology/Networking',
'location': 'Global',
'name': 'Cisco',
'size': 'Large',
'type': 'Corporation'}],
'attack_vector': 'Exploiting misconfigured Spam Quarantine feature and '
'exposed ports',
'data_breach': {'data_exfiltration': 'Potential data exfiltration via covert '
'channels'},
'description': 'Cisco has identified an ongoing cyberattack campaign '
'exploiting vulnerabilities in Cisco AsyncOS Software for '
'Cisco Secure Email Gateway and Cisco Secure Email and Web '
'Manager appliances. The attack allows threat actors to '
'execute arbitrary commands with root privileges, implant '
'persistence mechanisms, and maintain long-term control over '
'compromised appliances. The vulnerability (CVE-2025-20393) is '
'critical with a CVSS 10.0 rating and affects appliances with '
'the Spam Quarantine feature enabled and exposed to the '
'internet.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'system compromise',
'operational_impact': 'Unauthorized root access, persistence '
'mechanisms, and potential data exfiltration',
'systems_affected': 'Cisco Secure Email Gateway and Cisco Secure '
'Email and Web Manager appliances'},
'initial_access_broker': {'backdoors_established': 'Persistence mechanisms '
'implanted',
'entry_point': 'Exposed Spam Quarantine feature and '
'ports'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Misconfigured ports and exposed services can lead to full '
'system compromise. Organizations must restrict access, '
'monitor logs, and follow security best practices to '
'mitigate risks.',
'post_incident_analysis': {'corrective_actions': ['Restrict appliance access '
'to trusted hosts',
'Upgrade to the latest '
'software',
'Rebuild compromised '
'appliances',
'Implement strong '
'authentication methods'],
'root_causes': 'Misconfigured Spam Quarantine '
'feature and exposed ports'},
'recommendations': ['Immediately assess exposure and restrict access to '
'appliances',
'Consult Cisco TAC for potential compromises',
'Continuously monitor and patch appliances',
'Leverage real-time vulnerability intelligence to detect '
'zero-day exploits',
'Follow Cisco’s security hardening recommendations'],
'references': [{'source': 'Cisco Advisory',
'url': 'cisco-sa-sma-attack-N9bf4'},
{'source': 'Cisco Talos Blog Post'},
{'source': 'Cyble'}],
'response': {'containment_measures': ['Restricting appliance access to known, '
'trusted hosts',
'Deploying appliances behind firewalls',
'Separating mail and management network '
'interfaces',
'Disabling unnecessary network services '
'(HTTP, FTP)',
'Using SSL/TLS with trusted '
'certificates'],
'enhanced_monitoring': 'Sending logs to external servers for '
'post-event analysis',
'network_segmentation': 'Separating mail and management network '
'interfaces',
'recovery_measures': ['Monitoring web logs and sending logs to '
'external servers',
'Reviewing deployment guides for security '
'best practices'],
'remediation_measures': ['Upgrading to the latest Cisco AsyncOS '
'Software release',
'Rebuilding compromised appliances',
'Implementing strong authentication '
'methods (SAML, LDAP)']},
'title': 'Cisco Secure Email Gateway and Web Manager Appliances Exploited via '
'CVE-2025-20393',
'type': 'Cyberattack',
'vulnerability_exploited': 'CVE-2025-20393'}