Vulnerability in Cisco AsyncOS Could Allow for Remote Code Execution

This Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.
A vulnerability has been discovered in Cisco AsyncOS, which could allow for remote code execution. AsyncOS is the operating system used by Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands with root-level privileges on the underlying operating system.
Threat Intelligence
Cisco confirmed active exploitation of a previously unknown, maximum-severity vulnerability affecting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances running AsyncOS. The flaw, tracked as CVE-2025-20393, is already being abused in real-world attacks and allows threat actors to gain deep control over affected systems. The Cybersecurity and Infrastructure Security Agency added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog.
Systems Affected
All releases of Cisco AsyncOS Software are affected when both of the following conditions are met:
– The appliance is configured with the Spam Quarantine feature.
– The Spam Quarantine feature is exposed to and reachable from the internet.
The Spam Quarantine feature is not enabled by default. Deployment guides for these products do not require the Spam Quarantine port to be directly exposed to the Internet.
Risk
Government:
– Large and medium government entities: High
– Small government entities: Medium
Businesses:
– Large and medium business entities: High
– Small business entities: Medium
Home Users: Low
Recommendations
– Once available, apply appropriate workarounds provided by Cisco to vulnerable systems immediately after appropriate testing.
– Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
– Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them.
– Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information.
– Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.
– Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
– Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
Reference
Cisco:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4#Recommendations