Emergency Security Bulletin: RCE in Cisco Email Security Gateway and Cisco Secure Email and Web Manager

By: RedLegg's Cyber Threat Intelligence Team

About:

CVE-2025-20393 is a critical improper input validation vulnerability (CVSS 10.0) in Cisco AsyncOS software affecting Cisco Email Security Gateway (SEG) and Cisco Secure Email and Web Manager (SEWM). Actively exploited as a zero-day, it enables unauthenticated remote attackers to execute arbitrary commands with root privileges. Cisco has issued an advisory with interim mitigations; no permanent fix is available yet. Administrators should immediately restrict access to vulnerable services, apply segmentation, and disable non-essential external interfaces until patches are released.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Improper Input Validation Vulnerability Leading to Remote Code Execution in Cisco Email Security Gateway and Cisco Secure Email and Web Manager

CVSS Score: 10.0 (Critical)
Identifier: CVE-2025-20393
Exploit or Proof of Concept (PoC): CVE-2025-20393 is confirmed to be actively exploited in the wild. Cisco has disclosed that attackers are abusing this vulnerability as a zero-day to compromise Cisco Email Security Gateway (SEG) and Cisco Secure Email and Web Manager (SEWM) appliances. Observed attacks involve unauthenticated remote exploitation resulting in arbitrary command execution with root privileges.

Update:
Cisco has published an active security advisory documenting the vulnerability, exposure conditions, and interim guidance. At the time of disclosure, a permanent software fix was not yet available. Administrators must closely follow Cisco's advisory for updates, mitigations, and patch availability: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4

Description:

CVE-2025-20393 is an improper input validation vulnerability in Cisco AsyncOS software affecting Cisco Email Security Gateway and Cisco Secure Email and Web Manager. The flaw allows unauthenticated remote attackers to send crafted requests to exposed services, resulting in improper handling of input and subsequent execution of arbitrary operating system commands.

Mitigation Recommendation:

Immediately identify all Cisco Email Security Gateway and Cisco Secure Email and Web Manager appliances running AsyncOS, especially those exposed to untrusted or internet-facing networks.

Until a vendor patch is released, strictly restrict access to vulnerable services using firewall rules, network segmentation, VPN access, or IP allowlists.

Disable or limit exposure of non-essential features such as externally accessible management, reporting, or quarantine interfaces where possible.