Advisory 2025-2668 - Cisco AsyncOS for Secure Email Gateway: Vulnerability allows execution of arbitrary code with administrative rights
The CTI portal is available at the following address: https://cti-portal.telekom.net/advisories/2025-2668
5 |
|
5 |
|
- Date: 2025-12-18
- Release: 2026-01-16 UPDATE
Operating System
- CISCO Appliance
Software
- Cisco AsyncOS
- Cisco Secure Email Gateway
- UPDATE 2026-01-16
- Cisco AsyncOS < 15.0.5-016
- Cisco AsyncOS < 15.5.4-012
- Cisco AsyncOS < 16.0.4-016
Attack
A remote anonymous attacker can exploit a vulnerability in Cisco AsyncOS and Cisco Secure Email Gateway in order to execute arbitrary code with administrative rights.
Description
Cisco AsyncOS is a proprietary operating system for Cisco Appliances. The Cisco Secure Email Gateway is a security solution for protecting email communication.
CVE-2025-20393
There is a vulnerability in Cisco AsyncOS Software for Cisco Secure Email Gateway. The flaw affects Cisco appliances that are configured with the Spam Quarantine feature and are exposed to and reachable from the internet. A remote anonymous attacker can exploit this vulnerability to execute arbitrary code with root privileges, leading to complete system compromise.
Cisco reports that the vulnerability CVE-2025-20393 is currently being exploited to deploy malware on affected systems.
Recommendation
Cisco describes recommended remediation measures. For further information please consult the vendor's advisory.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
There is currently a patch available to fix this vulnerability.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
UPDATE 2026-01-16
Cisco provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
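The following Python example is added here and is not part of the Telekom or Cisco advisory. It checks an appliance inventory against the fixed AsyncOS builds listed under Software and the exposure conditions named in the Description; the per-train comparison rule, the inventory fields and the host names are assumptions.

```python
import re

# Fixed builds from the advisory's Software list, keyed by release train.
FIXED = {(15, 0): (15, 0, 5, 16), (15, 5): (15, 5, 4, 12), (16, 0): (16, 0, 4, 16)}
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(text):
    """Return (major, minor, maintenance, build) from e.g. '15.0.5-016'."""
    match = _VERSION.search(text)
    if not match:
        raise ValueError(f"not an AsyncOS version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def version_status(text):
    """Classify a version as 'vulnerable', 'fixed' or 'unknown'.

    Assumption: a build is compared with the fixed build of its own train;
    trains older than 15.0 are vulnerable, unlisted newer trains are unknown.
    """
    version = parse_version(text)
    train = version[:2]
    if train in FIXED:
        return "vulnerable" if version < FIXED[train] else "fixed"
    if train < min(FIXED):
        return "vulnerable"
    return "unknown"


def triage(appliance):
    """Combine version status with the exposure conditions in the advisory."""
    status = version_status(appliance["version"])
    if status == "fixed":
        return "ok"
    if status == "unknown":
        return "review"  # train not listed: check the vendor advisory
    exposed = appliance["spam_quarantine"] and appliance["internet_reachable"]
    return "urgent" if exposed else "update"


# Constructed inventory for illustration, not real hosts.
INVENTORY = [
    {"name": "esa-01", "version": "15.0.5-016", "spam_quarantine": True, "internet_reachable": True},
    {"name": "esa-02", "version": "15.5.3-022", "spam_quarantine": True, "internet_reachable": True},
    {"name": "esa-03", "version": "16.0.1-017", "spam_quarantine": False, "internet_reachable": True},
    {"name": "esa-04", "version": "14.2.1-020", "spam_quarantine": True, "internet_reachable": False},
]
RESULTS = {host["name"]: triage(host) for host in INVENTORY}
```

Appliances marked "urgent" meet every condition the advisory describes; "update" still runs an affected build but lacks the internet-exposed Spam Quarantine configuration.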
Information
Cisco Security Advisory cisco-sa-sma-attack-N9bf4 dated 2025-12-17
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
Cisco Talos Blog dated 2025-12-17
https://blog.talosintelligence.com/uat-9686/
Update on Cisco Security Advisory
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
References
CISCO-ADV-ID:CISCO-SA-SMA-ATTACK-N9BF4
CISCO-BUG:CSCWS36549
CVE:CVE-2025-20393
Disclaimer
*The probability of an attack is determined by the attacker's motivation, the effort required and the opportunities for an attack. The damage probability is determined by the effort needed to resolve the attack and the probable indirect consequences of an attack for business processes. Telekom Security assumes worst case scenarios.
Copyright © 1999-2026 Deutsche Telekom Security GmbH. All rights reserved. Reproduction and distribution of this publication in any form - even in parts - without prior written permission is forbidden.
The information contained herein has been obtained from sources believed to be reliable and trusted or have been verified. Telekom Security can take liability for completeness, accuracy and correctness only in so far, as gross negligence or intention create liability. Any liability beyond it, in particular possible damages resulting from using or non-usability of the information contained herein, is excluded.