Cisco Releases Fix for Actively Exploited Zero-day Vulnerability (CVE-2025-20393)
Cisco Talos discovered a cyberattack campaign targeting Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. Tracked as CVE-2025-20393, the vulnerability may allow an attacker to execute arbitrary commands with root privileges on the underlying operating system of targeted appliances. The vulnerability has a critical severity rating with a CVSS score of 10.
The security advisory states, “On December 2025, the Cisco Product Security Incident Response Team (PSIRT) became aware of potentially malicious activity that targets Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances.”
Vulnerability Details
The attack campaign targets a limited subset of appliances with specific ports open to the internet that are running Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. Successful exploitation of the vulnerability allows an attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance. The ongoing investigation has revealed evidence of a persistence mechanism planted by the threat actors to maintain control over compromised appliances.
Affected Versions
The vulnerability affects Cisco Secure Email Gateway, both physical and virtual, and Cisco Secure Email and Web Manager appliances, both physical and virtual, when both of the following conditions are met:
- The appliance is configured with the Spam Quarantine feature.
- The Spam Quarantine feature is exposed to and reachable from the internet.
Note: The Spam Quarantine feature is not enabled by default.
All releases of Cisco AsyncOS Software are affected by this attack campaign.
Mitigation
Cisco has released patches to address the vulnerability. For more information, please refer to the Cisco Security Advisory.
Qualys Detection
Qualys customers can scan their devices with QIDs 317752 and 733541 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
