CVE-2025-20393
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-17

Last updated on: 2025-12-18

Assigner: Cisco Systems, Inc.

Description
Cisco is aware of a potential vulnerability.  Cisco is currently investigating and will update these details as appropriate as more information becomes available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-17
EPSS Evaluated
2026-06-14
NVD
CVE-2025-20393
Affected Vendors & Products
Showing 21 associated CPEs
Vendor Product Version / Range
cisco asyncos to 16.0.3-044 (inc)
cisco secure_email_and_web_manager_virtual_appliance_m100v *
cisco secure_email_and_web_manager_virtual_appliance_m300v *
cisco secure_email_and_web_manager_virtual_appliance_m600v *
cisco secure_email_gateway_virtual_appliance_c100v *
cisco secure_email_gateway_virtual_appliance_c300v *
cisco secure_email_gateway_virtual_appliance_c600v *
cisco secure_email_and_web_manager_m170 *
cisco secure_email_and_web_manager_m190 *
cisco secure_email_and_web_manager_m195 *
cisco secure_email_and_web_manager_m380 *
cisco secure_email_and_web_manager_m390 *
cisco secure_email_and_web_manager_m390x *
cisco secure_email_and_web_manager_m395 *
cisco secure_email_and_web_manager_m680 *
cisco secure_email_and_web_manager_m690 *
cisco secure_email_and_web_manager_m690x *
cisco secure_email_and_web_manager_m695 *
cisco secure_email_gateway_c195 *
cisco secure_email_gateway_c395 *
cisco secure_email_gateway_c695 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-20393 is a critical vulnerability affecting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances running Cisco AsyncOS. It allows remote attackers to execute arbitrary commands with root privileges on the underlying operating system of affected appliances. The attack targets appliances with the Spam Quarantine feature enabled and exposed to the internet, which is not enabled by default. Threat actors can plant a covert persistence mechanism to maintain long-term control over compromised devices. Both physical and virtual appliances are affected if the Spam Quarantine port is reachable from the internet. [1]

Impact Analysis

This vulnerability can have severe impacts including complete compromise of affected appliances. Attackers can execute arbitrary commands with root privileges, allowing them to control the device fully. They can maintain persistent access through covert channels, potentially leading to data breaches, disruption of email and web security services, and unauthorized access to sensitive information. Recovery requires restoring appliances to secure configurations or rebuilding compromised devices. [1]

Detection Guidance

To detect this vulnerability, administrators should check if the Spam Quarantine feature is enabled on affected Cisco appliances. This can be done by accessing the web management interface and navigating to Network > IP Interfaces for Cisco Secure Email Gateway, or Management Appliance > Network > IP Interfaces for Cisco Secure Email and Web Manager, and verifying if the Spam Quarantine checkbox is selected. Additionally, monitoring logs externally for suspicious activity is recommended. There are no specific commands provided in the advisory for detection. [1]

Mitigation Strategies

Immediate mitigation steps include restricting internet access to the affected appliances by using firewalls to limit access to trusted hosts, separating mail and management interfaces, disabling unnecessary services such as HTTP and FTP, enforcing strong authentication methods like SAML or LDAP, and changing default administrator passwords. Customers should upgrade to the latest Cisco AsyncOS software version and follow the detailed hardening guidelines provided in the advisory. If compromise is suspected, restore appliances to a secure configuration or rebuild compromised devices to remove persistence mechanisms, and open a Cisco TAC case with remote access enabled for investigation. [1]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-20393. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart