What is Cisco Secure Email Gateway?
Cisco Secure Email Gateway (SEG, formerly Email Security Appliance/ESA) and Cisco Secure Email and Web Manager (SEWM, formerly Content Security Management Appliance/SMA) are enterprise email security appliances that run Cisco's AsyncOS operating system. They provide inbound and outbound email filtering, anti-spam, anti-malware, data loss prevention, and email encryption for organizations. The Spam Quarantine feature holds suspected spam messages for user review via a web portal. Because email gateways sit at the perimeter and process all organizational email, compromising one provides persistent access to email content, attachment data, and a privileged network position for lateral movement.
Overview
CVE-2025-20393 is a maximum-severity improper input validation vulnerability (CWE-20, CVSS 10.0) in the Spam Quarantine feature of Cisco Secure Email Gateway and Secure Email and Web Manager appliances running AsyncOS. An unauthenticated remote attacker can send specially crafted HTTP requests to the Spam Quarantine interface to execute arbitrary OS commands with root privileges. The vulnerability was discovered by Cisco TAC during a customer incident response. China-linked APT UNC-9686 exploited it as a zero-day beginning in late November 2025, deploying custom AquaShell malware for persistent root-level access. Critically, CISA added the vulnerability to the KEV catalog on December 17, 2025 with a Christmas Eve deadline — at the time, no patches were available; fixes were not released until January 15, 2026.
Affected Versions
| Product | Vulnerable Versions | Fixed In |
|---|---|---|
| Cisco Secure Email Gateway (SEG) | AsyncOS 14.2 and earlier, 15.0, 15.5, 16.0 (Spam Quarantine enabled) | 15.0.5-016 / 15.5.4-012 / 16.0.4-016 |
| Cisco Secure Email and Web Manager (SEWM) | AsyncOS 15.0 and earlier, 15.5, 16.0 (Spam Quarantine enabled) | 15.0.2-007 / 15.5.4-007 / 16.0.4-010 |
Condition: Only vulnerable when the Spam Quarantine feature is enabled and the Spam Quarantine web interface is internet-accessible.
Technical Details
The vulnerability (CWE-20: Improper Input Validation) is in the Spam Quarantine HTTP request handler within AsyncOS. Specially crafted HTTP requests to the Spam Quarantine interface are not properly validated before being processed, allowing injection of arbitrary OS commands. Exploitation achieves code execution as root — the most privileged user on the AsyncOS appliance. The CVSS Scope:Changed (S:C) rating reflects that root OS access crosses the application boundary into the underlying system.
Discovery
Discovered by Cisco TAC during a customer support incident — indicating the vulnerability was identified while Cisco was actively responding to a customer breach.
Exploitation Context
UNC-9686 — a China-aligned threat actor — began exploiting CVE-2025-20393 as a zero-day approximately late November 2025, roughly 3 weeks before Cisco's advisory. Post-exploitation, UNC-9686 deployed AquaShell — custom malware providing persistent root-level access — to maintain long-term presence and pivot into internal networks via the compromised email gateway. Cisco confirmed the campaign on December 10, 2025. CISA added the vulnerability to the KEV catalog on December 17 with a 7-day Christmas Eve deadline (December 24), despite no patches being available at the time — a rare CISA action reflecting the severity of confirmed exploitation against federal email infrastructure. Patches were released on January 15, 2026.
Remediation
- Apply patches immediately (available January 15, 2026): SEG 15.0.5-016, 15.5.4-012, or 16.0.4-016; SEWM 15.0.2-007, 15.5.4-007, or 16.0.4-010.
- If patches are not yet applied, disable or restrict access to the Spam Quarantine web interface: in AsyncOS, disable the Spam Quarantine feature or restrict its web interface to trusted internal IP ranges only via access control policies.
- Check for AquaShell indicators: hunt for unexpected persistent processes or scheduled tasks running as root, unusual outbound connections from the email gateway, and new root-level files in AsyncOS system directories.
- Review email gateway logs for unusual HTTP requests to the Spam Quarantine interface from unexpected source IPs, particularly before December 17, 2025.
- Rotate credentials: any credentials accessible from the email gateway (LDAP bind credentials, Active Directory integration accounts, admin passwords) should be rotated.
- Follow Cisco's compromise assessment guidance in the advisory for checking signs of active exploitation.
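One way to carry out the log review in the list above, as an added example that is not from Cisco's advisory or the appliance itself: it flags Spam Quarantine requests from outside trusted address ranges during the exposure window the timeline gives (first known exploitation to patch release) and ranks the sources. The common/combined access-log format, the `/quarantine/` path prefix, the trusted ranges and the sample lines are assumptions and constructed values; take the real interface paths and trusted ranges from your own appliance configuration.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# Assumptions (not from the advisory): the appliance's HTTP access log has been exported
# in common/combined log format, and the Spam Quarantine interface lives under this path
# prefix. Replace both with what your appliance actually logs and serves.
QUARANTINE_PREFIX = "/quarantine/"   # placeholder, not a real AsyncOS path
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Exposure window from the page's timeline: first known exploitation to patch release.
WINDOW_START = datetime(2025, 11, 25, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 1, 15, tzinfo=timezone.utc)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (RFC 5737 test addresses), not real appliance logs.
SAMPLE_LOG = """\
10.20.30.40 - - [01/Dec/2025:09:14:02 +0000] "GET /quarantine/inbox HTTP/1.1" 200 5120
203.0.113.77 - - [02/Dec/2025:03:21:55 +0000] "POST /quarantine/search HTTP/1.1" 500 0
203.0.113.77 - - [02/Dec/2025:03:22:01 +0000] "POST /quarantine/search HTTP/1.1" 200 310
198.51.100.9 - - [10/Nov/2025:12:00:00 +0000] "GET /quarantine/inbox HTTP/1.1" 200 5120
198.51.100.9 - - [20/Dec/2025:22:10:43 +0000] "GET /login HTTP/1.1" 200 1024
""".splitlines()

def parse_line(line):
    """Parse one access-log line into a dict; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def suspicious_quarantine_requests(lines):
    """Quarantine-interface requests from outside trusted ranges during the exposure window."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(QUARANTINE_PREFIX):
            continue
        if not (WINDOW_START <= rec["ts"] < WINDOW_END) or is_trusted(rec["ip"]):
            continue  # inside trusted ranges or outside the window: expected traffic
        hits.append(rec)
    return hits

def top_sources(hits, n=5):
    # Rank untrusted sources by request count to prioritise follow-up.
    return Counter(h["ip"] for h in hits).most_common(n)
```

On the constructed sample, only the two requests from 203.0.113.77 are reported; the trusted-range request, the pre-window request and the non-quarantine request are dropped.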
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-20393 |
| Vendor / Product | Cisco — Multiple Products |
| NVD Published | 2025-12-17 |
| NVD Last Modified | 2026-01-16 |
| CVSS 3.1 Score | 10 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-20 |
| CISA KEV Added | 2025-12-17 |
| CISA KEV Deadline | 2025-12-24 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-11-25 | UNC-9686 begins active exploitation of Cisco Secure Email Gateway instances (zero-day) |
| 2025-12-10 | Cisco PSIRT confirms active exploitation campaign |
| 2025-12-17 | Cisco advisory published; CVE published; CISA adds to KEV catalog with 7-day Christmas Eve deadline — patches NOT yet available |
| 2026-01-15 | Cisco releases patches: SEG 15.0.5-016, 15.5.4-012, 16.0.4-016; SEWM 15.0.2-007, 15.5.4-007, 16.0.4-010 |
References
| Resource | Type |
|---|---|
| Cisco Security Advisory — cisco-sa-sma-attack-N9bf4 | Vendor Advisory |
| NVD — CVE-2025-20393 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Cisco Secure Email CVE-2025-20393 Analysis | News |
| eSentire — Cisco Zero-Day CVE-2025-20393 Exploited in the Wild | Security Research |
| SecPod — Zero-Day on Cisco Email Gateways Exploited by China-Linked Hackers | Security Research |