Ongoing Exploitation Campaign affecting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager
CVE-2025-20393 could allow an attacker to execute arbitrary code with root privileges
Summary
CVE-2025-20393 could allow an attacker to execute arbitrary code with root privileges
Affected platforms
The following platforms are known to be affected:
The following platforms are also known to be affected:
Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances are vulnerable when both of the following conditions are met:
- The appliance is configured with the Spam Quarantine feature.
- The Spam Quarantine feature is exposed to and reachable from the internet.
All releases of Cisco AsyncOS Software are affected by this attack campaign.
Cisco has confirmed that all devices that are part of Cisco Secure Email Cloud are not affected.
Threat details
CVE-2025-20393 Under Active Exploitation
Cisco is aware of a cyberattack campaign targeting a limited subset of appliances with certain ports open to the internet that are running Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. As part of the exploitation campaign, Cisco has identified the deployment of malware including a backdoor used to maintain persistent access to the affected systems.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-20393 to their Known Exploited Vulnerabilities (KEV) Catalog.
The NHS England National CSOC assesses future exploitation as likely.
Introduction
Cisco has released a security advisory to address a critical vulnerability in Cisco's Email Security solutions formerly known as IronPort.
The vulnerability impacts Cisco Secure Email Gateway, formerly known as Cisco Email Security Appliance (ESA), and Cisco Secure Email and Web Manager, formerly known as Cisco Content Security Management Appliance (SMA).
- CVE-2025-20393 - an 'Improper Input Validation' vulnerability with a CVSSv3 score of 10.0 that could allow a remote attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.
Threat updates
| Date | Update |
|---|---|
| 16 Jan 2026 | Patches released by Cisco to address CVE-2025-20393 |
Remediation advice
Affected organisations are encouraged to review Cisco's cisco-sa-sma-attack-N9bf4 security advisory and apply the relevant update as soon as possible.
Definitive source of threat updates
Last edited: 16 January 2026 2:52 pm