Cisco has confirmed an ongoing cyberattack campaign targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances, in which threat actors are executing arbitrary commands with root-level privileges on affected systems.
The company became aware of the attack on December 10, 2025, following an investigation of a TAC support case that revealed evidence of persistent backdoors installed by attackers to maintain unauthorized access to compromised appliances.
Vulnerability Details
The vulnerability, tracked as CVE-2025-20393, affects the Spam Quarantine feature in Cisco AsyncOS Software and carries a critical CVSS base score of 10.0.
The flaw stems from insufficient validation of HTTP requests, allowing unauthenticated remote attackers to send crafted HTTP requests and execute arbitrary system commands with root privileges.
| CVE ID | CVSS Score | Severity | Affected Products |
| --- | --- | --- | --- |
| CVE-2025-20393 | 10.0 | Critical | Cisco Secure Email Gateway, Cisco Secure Email and Web Manager |
The weakness is categorized under CWE-20 (Improper Input Validation), representing a fundamental security control failure.
The attack specifically targets Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances when three conditions are met: the device runs vulnerable AsyncOS software releases, the Spam Quarantine feature is enabled, and this feature is exposed directly to the internet.
Notably, the Spam Quarantine feature is not enabled by default, and Cisco deployment guides do not recommend exposing it to internet-facing networks.
Cisco has released patched software versions addressing the vulnerability. Affected customers should upgrade to: Cisco Email Security Gateway 15.0.5-016, 15.5.4-012, or 16.0.4-016; Cisco Secure Email and Web Manager 15.0.2-007, 15.5.4-007, or 16.0.4-010. No workarounds are available; patching is mandatory for exposed appliances.
Cisco strongly recommends immediate upgrades to the fixed releases, which both remediate the vulnerability and clear the persistence mechanisms identified during the investigation.
Organizations should verify Spam Quarantine status via web management interfaces and consider restricting appliance access behind firewalls and limiting connectivity to known trusted hosts.
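The three exploitation conditions above (vulnerable release, Spam Quarantine enabled, feature exposed to the internet) and the fixed-release list make a natural triage rule for an appliance inventory. The following script is an added example written for this article, not Cisco tooling. The fixed build numbers are taken verbatim from the advisory text above; the inventory records are constructed, the product and field names are assumptions, and the script assumes that any build at or above the listed fix within the same release train contains the fix. Release trains not listed on the page are flagged for manual review rather than classified.

```python
import re
from dataclasses import dataclass

# Fixed releases as stated in the advisory text above, keyed by product and
# release train (major.minor). Version strings follow the "major.minor.patch-build"
# form used on the page, e.g. "15.0.5-016".
FIXED_RELEASES = {
    "Cisco Secure Email Gateway": {
        (15, 0): "15.0.5-016",
        (15, 5): "15.5.4-012",
        (16, 0): "16.0.4-016",
    },
    "Cisco Secure Email and Web Manager": {
        (15, 0): "15.0.2-007",
        (15, 5): "15.5.4-007",
        (16, 0): "16.0.4-010",
    },
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(s):
    """Turn '15.0.5-016' into the comparable tuple (15, 0, 5, 16)."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(product, version):
    """True if `version` is at or above the fixed build for its release train.

    Returns None when the train is not in the table (assumption: such trains
    are not covered by the advisory text and need manual review).
    """
    v = parse_version(version)
    fixed = FIXED_RELEASES[product].get(v[:2])
    if fixed is None:
        return None
    return v >= parse_version(fixed)


@dataclass
class Appliance:
    name: str                      # hostname, constructed for the example
    product: str
    version: str
    spam_quarantine_enabled: bool  # as read from the web management interface
    internet_exposed: bool         # quarantine interface reachable from untrusted networks


def triage(appliances):
    """Classify each appliance against the advisory's three conditions."""
    results = {}
    for a in appliances:
        fixed = is_fixed(a.product, a.version)
        if fixed is True:
            status = "patched"
        elif fixed is None:
            status = "review-train"              # train not in the fixed-release list
        elif a.spam_quarantine_enabled and a.internet_exposed:
            status = "exploitable-exposed"       # all three conditions met: patch first
        elif a.spam_quarantine_enabled:
            status = "vulnerable-internal"       # feature on, but not internet-facing
        else:
            status = "vulnerable-feature-off"    # flaw present, attack surface not enabled
        results[a.name] = status
    return results


# Constructed sample inventory; version strings other than the fixed builds are made up.
SAMPLE_INVENTORY = [
    Appliance("esa-1", "Cisco Secure Email Gateway", "15.0.4-020", True, True),
    Appliance("esa-2", "Cisco Secure Email Gateway", "15.5.4-012", True, True),
    Appliance("esa-3", "Cisco Secure Email Gateway", "14.3.0-032", True, False),
    Appliance("sma-1", "Cisco Secure Email and Web Manager", "16.0.4-009", False, False),
    Appliance("sma-2", "Cisco Secure Email and Web Manager", "16.0.4-010", True, False),
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:8s} {status}")
```

Anything reported as `exploitable-exposed` should be upgraded first and checked for the persistence mechanisms Cisco describes; `vulnerable-feature-off` hosts still need the fixed release, since the upgrade is the only remediation Cisco offers.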