Cisco has identified an ongoing cyberattack campaign exploiting vulnerabilities in a subset of its appliances running Cisco AsyncOS Software. The attack specifically affects Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances, allowing threat actors to execute arbitrary commands with root privileges. This campaign has been tracked under CVE-2025-20393 and has been classified as critical with a CVSS 10.0 rating.
The vulnerability, detailed in Cisco Advisory ID cisco-sa-sma-attack-N9bf4, impacts appliances when the Spam Quarantine feature is enabled and exposed to the internet—a configuration not enabled by default according to Cisco deployment guides. Both physical and virtual instances of the affected appliances are vulnerable.
Cisco noted that the attack allows attackers to implant a persistence mechanism, maintaining long-term control over compromised appliances. The company has confirmed that appliance parts of Cisco Secure Email Cloud are not affected and that there is no evidence of exploitation against Cisco Secure Web.
Attack Detection and Timeline
The cyberattack was initially identified through a routine Cisco Technical Assistance Center (TAC) case. Following the discovery, Cisco Talos documented the threat in a blog post, noting the active targeting of Cisco Secure Email Gateway and Web Manager appliances. Evidence suggests that attackers leveraged exposed ports to gain unauthorized root access, disable security tools, and establish covert channels for ongoing remote access.
Administrators can check whether the Spam Quarantine feature is enabled by accessing the appliance’s web management interface:
- For Cisco Secure Email Gateway: Navigate to Network > IP Interfaces and select the interface configured for Spam Quarantine.
- For Cisco Secure Email and Web Manager: Navigate to Management Appliance > Network > IP Interfaces and select the relevant interface.
If the Spam Quarantine checkbox is enabled, the appliance is vulnerable.
No Direct Workarounds for CVE-2025-20393
Cisco has stated that no immediate workarounds exist to fully mitigate the risk of cyberattacks. Organizations are strongly urged to follow recommended mitigation steps to restore appliances to a secure configuration. If an appliance is suspected of compromise, Cisco recommends opening a TAC case and, in confirmed cases, rebuilding the appliance to eliminate the threat actors’ persistence mechanisms.
Additional security hardening recommendations include:
- Restricting appliance access to known, trusted hosts and avoiding direct exposure to the internet.
- Deploying appliances behind firewalls and filtering traffic to allow only authorized communication.
- Separating mail and management network interfaces for Cisco Secure Email Gateway to limit internal access risk.
- Regularly monitoring web logs and sending logs to external servers for post-event analysis.
- Disabling unnecessary network services such as HTTP and FTP and using SSL/TLS with certificates from trusted authorities.
- Upgrading appliances to the latest Cisco AsyncOS Software release.
- Implementing strong authentication methods like SAML or LDAP and creating dedicated administrator and operator accounts with passwords.
Cisco also recommends reviewing deployment guides for both Secure Email Gateway and Secure Email and Web Manager to ensure all security best practices are followed.
Broader Implications
The cyberattack on Cisco Secure Email Gateway and Web Manager shows how misconfigured ports can lead to full system compromise. Organizations are urged to immediately assess exposure, restrict access, and consult Cisco TAC for potential compromises, while continuously monitoring and patching appliances.
Leveraging Cyble’s real-time vulnerability intelligence can help detect zero-day exploits, new cyber threats, and high-risk vulnerabilities, enabling enterprises to prioritize and remediate critical risks efficiently.
Request a Cyble demo today to strengthen your organization’s cyber resilience.
