New Tool Released to Detect Cisco Secure Email Gateway 0-Day Vulnerability Exploited in the Wild


A lightweight Python script helps organizations quickly identify exposure to CVE-2025-20393, a critical zero-day vulnerability in Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager (SMA, formerly the Security Management Appliance).

The tool, “Cisco SMA Exposure Check”, probes for the exposed ports and services that attackers have targeted in recent intrusions, as detailed in Cisco’s advisory.

Developed by GitHub user StasonJatham and released publicly today, the script looks for exposure and for indicators of compromise tied to the flaw, which allows unauthenticated remote attackers to execute arbitrary code via exposed management and quarantine interfaces.

The ports attackers have abused are those on which the appliance’s admin interface is commonly exposed (TCP 82, 83, 443, 8080, 8443, and 9443) and the spam-quarantine endpoints (TCP 6025, 82, 83, 8443, and 9443).

The tool scans these, performs HTTP/S fingerprinting (server headers, status codes, redirects, auth realms, Cisco-specific keywords, and version patterns), and checks common paths such as /quarantine, /spamquarantine, /spam, /sma-login, and /login.

It also grabs raw socket banners and flags indicators of active exploitation, including strings like “AquaShell,” “AquaTunnel,” “Chisel,” and “AquaPurge” – hallmarks of post-compromise tools observed in the wild.
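The following Python sketch is an added example of the fingerprinting and IOC-string logic described above; it is not the StasonJatham script and not code from the article. The keyword list (IronPort and AsyncOS are the historical names Cisco’s email appliances report), the version pattern, the local listener, and the sample HTTP responses are constructed for illustration, so exact header values on a real appliance will differ.

```python
"""Added example: classify a raw banner or HTTP response from a suspected Cisco SMA/SEG host."""
import re
import socket
import threading
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Port groups from the article's table.
ADMIN_PORTS = (82, 83, 443, 8080, 8443, 9443)
QUARANTINE_PORTS = (6025, 82, 83, 8443, 9443)
QUARANTINE_PATHS = ("/quarantine", "/spamquarantine", "/spam", "/sma-login", "/login")

# Illustrative keyword list (assumption: real banners vary by AsyncOS release).
CISCO_KEYWORDS = ("cisco", "ironport", "asyncos", "secure email", "security management appliance")
# AsyncOS-style version string such as 15.5.1-024 (assumed pattern).
VERSION_RE = re.compile(r"\b(\d{1,2}\.\d{1,2}\.\d{1,2}(?:-\d{1,4})?)\b")
# Post-compromise tool names quoted in the article.
POST_COMPROMISE_IOCS = ("AquaShell", "AquaTunnel", "Chisel", "AquaPurge")


@dataclass
class Finding:
    status: Optional[int] = None          # None when the banner was not HTTP at all
    server: str = ""
    location: str = ""
    auth_realm: str = ""
    cisco_hits: List[str] = field(default_factory=list)
    versions: List[str] = field(default_factory=list)
    iocs: List[str] = field(default_factory=list)

    @property
    def looks_cisco(self) -> bool:
        return bool(self.cisco_hits)


def risk_for_port(port: int) -> Optional[str]:
    """Map a port to the article's risk levels; admin ports outrank quarantine-only ports."""
    if port in ADMIN_PORTS:
        return "Critical"
    if port in QUARANTINE_PORTS:
        return "High"
    return None


def parse_http_response(raw: bytes) -> Tuple[Optional[int], Dict[str, str], str]:
    """Split status line, headers and body; non-HTTP banners come back as body only."""
    head, _, body = raw.partition(b"\r\n\r\n")
    text = head.decode("latin-1")
    if not text.startswith("HTTP/"):
        return None, {}, raw.decode("latin-1", "replace")
    lines = text.split("\r\n")
    try:
        status: Optional[int] = int(lines[0].split()[1])
    except (IndexError, ValueError):
        status = None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("latin-1", "replace")


def fingerprint(raw: bytes) -> Finding:
    """Extract server header, redirect target, auth realm, Cisco keywords, versions and IOC strings."""
    status, headers, body = parse_http_response(raw)
    f = Finding(status=status, server=headers.get("server", ""), location=headers.get("location", ""))
    m = re.search(r'realm="([^"]*)"', headers.get("www-authenticate", ""))
    if m:
        f.auth_realm = m.group(1)
    haystack = " ".join((f.server, f.location, f.auth_realm, body)).lower()
    f.cisco_hits = [k for k in CISCO_KEYWORDS if k in haystack]
    f.versions = sorted(set(VERSION_RE.findall(f.server + " " + body)))
    f.iocs = [i for i in POST_COMPROMISE_IOCS if i.lower() in haystack]
    return f


def grab_banner(host: str, port: int, timeout: float = 2.0,
                probe: bytes = b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """Send a minimal HTTP probe over a raw socket and return whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(probe)
        chunks = []
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return b"".join(chunks)


def serve_once(payload: bytes) -> int:
    """Constructed local listener so the example runs offline; returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        conn.recv(1024)
        conn.sendall(payload)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


# Constructed sample responses (not captured from a real appliance).
SAMPLE_LOGIN = (b"HTTP/1.1 200 OK\r\nServer: Cisco AsyncOS\r\nContent-Type: text/html\r\n\r\n"
                b"<html><title>Cisco Secure Email and Web Manager - Spam Quarantine</title>"
                b"<!-- version 15.5.1-024 --></html>")
SAMPLE_REDIRECT = (b"HTTP/1.1 302 Found\r\nLocation: https://sma.example.internal:83/login\r\n"
                   b"WWW-Authenticate: Basic realm=\"IronPort\"\r\n\r\n")
SAMPLE_COMPROMISED = b"HTTP/1.1 200 OK\r\nServer: Cisco AsyncOS\r\n\r\nAquaShell ready\n"

if __name__ == "__main__":
    port = serve_once(SAMPLE_COMPROMISED)
    f = fingerprint(grab_banner("127.0.0.1", port))
    print(f"risk={risk_for_port(83)} cisco={f.looks_cisco} iocs={f.iocs}")
```

A hit on one of the IOC strings is a reason to isolate the host and start incident response; an empty result only means the exposed interface did not reveal those strings, not that the appliance is patched.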


Simple Deployment, No Dependencies

Requiring only Python 3’s standard library, the script runs in seconds:

python3 cisco-sa-sma-attack-N9bf4.py [-v] [-t TIMEOUT] TARGET
  • -v: Verbose mode shows all checks.
  • -t: Custom timeout in seconds (default: quick probes).
  • TARGET: a domain name or an IP address (an IP bypasses DNS).
Port Type         Exposed Ports (TCP)               Risk Level
Admin/Mgmt        82, 83, 443, 8080, 8443, 9443     Critical
Quarantine/Spam   6025, 82, 83, 8443, 9443          High

Results flag exposed interfaces and post-compromise indicators rather than patch level, so a clean scan does not confirm an appliance is fixed; positive results let administrators restrict the ports at the firewall, apply Cisco’s fixed releases, or isolate affected systems urgently.

Cisco’s advisory warns of active exploitation and urges immediate mitigation. At the time of writing no CVSS score had been published, but the vulnerability’s unauthenticated RCE potential echoes past SMA flaws.

This tool fills a detection gap for SecOps teams without commercial scanners. StasonJatham stresses responsible use: “Only test authorized systems.”
