CVE-2025-20393

CriticalCISA KEVActive Exploitation

Published: 17 December 2025

Published

17 December 2025

Modified

16 January 2026

KEV Added

17 December 2025

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0680 91.4th percentile

Risk Priority 44 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to execute arbitrary system commands on an affected device with root…

privileges. This vulnerability is due to insufficient validation of HTTP requests by the Spam Quarantine feature. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely flaw remediation through vendor patches directly eliminates the input validation vulnerability enabling root command execution.

SI-10 Information Input Validation good match

prevent

Mandates validation of HTTP request inputs to the Spam Quarantine feature, directly addressing the improper input validation (CWE-20) root cause.

SC-7 Boundary Protection partial match

prevent

Boundary protection at external interfaces filters crafted HTTP requests to the vulnerable Spam Quarantine feature before they reach the flawed validation logic.

Security SummaryAI

CVE-2025-20393 is a critical vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. It stems from insufficient validation of HTTP requests (CWE-20: Improper Input Validation), enabling an unauthenticated, remote attacker to execute arbitrary system commands on an affected device with root privileges. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and was published on 2025-12-17.

An unauthenticated, remote attacker can exploit this vulnerability by sending a crafted HTTP request to the affected device. Successful exploitation allows the attacker to execute arbitrary commands on the underlying operating system with root privileges, potentially leading to full compromise of the device.

The Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4 provides details on mitigation and available patches. Additionally, the vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20393, indicating active exploitation in the wild.

Details

CWE(s): CWE-20
KEV Date Added: 17 December 2025

Affected Products

cisco

asyncos

≤ 15.0.5-016 · 15.5 — 15.5.4-012 · 16.0 — 16.0.4-016

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability allows unauthenticated remote attackers to execute arbitrary root commands via crafted HTTP requests to the public-facing Spam Quarantine feature, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
Vendor Advisory · psirt@cisco.com
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20393
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0