Patch STAT: Hospitals Urged to Apply Cisco Secure Email and Web Manager Updates ASAP

Alert essentials:

UPDATE: Cisco has released official patches for the previously unpatched, actively exploited zero‑day vulnerability CVE‑2025‑20393.

Ongoing attacks allow threat actors to execute arbitrary commands with root privileges on the underlying operating system of Cisco Secure Email Gateway, Cisco Secure Email, and Web Manager appliances.

Therefore, organizations operating affected versions should treat this as a high-priority security incident, check for compromise, and apply updated software versions immediately.

Detailed threat description:

CVE-2025-20393 is a critical, maximum-severity remote exploitation risk impacting Cisco appliances running Cisco AsyncOS for Cisco Secure Email Gateway, Cisco Secure Email, and Web Manager appliances configured with the Spam Quarantine feature.

This input validation flaw can be triggered remotely over the network with no prior privileges required and no user interaction. Since at least December 10, Cisco has been tracking a Chinese-nexus APT adversary known as UAT-9686 that has been targeting exposed appliances. After gaining root privileges on the underlying operating system, persistence is established with a lightweight Python backdoor to maintain control over compromised appliances.

All releases of Cisco AsyncOS Software are affected. However, for successful exploitation to occur, specific conditions must be met for both the physical and virtual versions of the Cisco Secure Email Gateway and the Cisco Secure Email and Web Manager appliance.  When the appliance is configured with the non-default Spam Quarantine feature, AND that feature is reachable from the internet, the device is vulnerable to attack and takeover.

This critical flaw has been exploited since at least November 2025 and was added to CISA’s known exploitable vulnerabilities with direction for federal agencies to mitigate by December 24, 2025. 

Updated versions of AsyncOS are available, and users can update their software over the network via the System Upgrade options in the appliances’ web-based management interface.

We strongly recommend that all administrators schedule to deploy updated product versions to maintain network integrity and avoid takeover.

Impacts on healthcare organizations:

Hospitals are high-value targets because of sensitive patient data and critical operations. Exploitation of CVE-2025-20393 could allow attackers to gain full control of email security appliances, potentially enabling data exfiltration or ransomware delivery via trusted channels.

Defenders should immediately audit configurations to ensure Spam Quarantine is not internet-facing and apply hardening guidance from the vendor advisory. Then follow up with regular monitoring for unusual activity. 

Affected Products / Versions

• All releases of Cisco AsyncOS Software
• Cisco Secure Email Gateway, physical and virtual, using the exposed Spam Quarantine feature
• Cisco Secure Email, physical and virtual, using the exposed Spam Quarantine feature
• Cisco Web Manager, physical and virtual, using the exposed Spam Quarantine feature

Not Affected:

• Cisco has confirmed that all devices in Cisco Secure Email Cloud are not affected
• Cisco is not aware of any exploitation activity against Cisco Secure Web

CVEs

• CVE-2025-20393, cwe-20, CVSS 10

Recommendations

• Schedule emergency maintenance windows if necessary
• Locate all devices using Cisco AsyncOS
• Upgrade the appliance to the latest version of Cisco AsyncOS Software
• Determine Whether Spam Quarantine Is Enabled on a Cisco Secure Email Gateway Appliance
• Determine Whether Spam Quarantine Is Enabled on a Cisco Secure Email and Web Manager Appliance
• If an appliance has been identified as having the web management interface or the Spam Quarantine port exposed to and reachable from the internet, Cisco strongly recommends following a multi-step process to restore the appliance to a secure configuration, when possible
• If restoring the appliance is not possible, Cisco recommends contacting its technical assistance center to verify whether the appliance has been compromised. In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actor’s persistence mechanism from the appliance
• Cisco strongly recommends restricting access to appliances and implementing robust access control mechanisms to ensure that ports are not exposed to unsecured networks
• Regularly monitor web log traffic for any unexpected traffic to/from appliances.
• Disable HTTP for the main administrator portal
• Turn off any network services that are not required
• Use strong end-user authentication methods like SAML or LDAP
• Change the default administrator password
• Using SSL/TLS, obtain an SSL certificate from a certificate authority (CA) or create a self-signed certificate

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

References:

• ED 25-03 Guidance for Device Updates and Patching from CISA: https://www.cisa.gov/ed-25-03-guidance-device-updates-and-patching
• CISA Known Exploitable Vulnerabilities (KEV): https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• Cisco Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
• Cisco Blog: https://blog.talosintelligence.com/uat-9686/
• Cisco GitHub IoCs: https://github.com/Cisco-Talos/IOCs/tree/main/2025/12
• Cisco Secure Email and Web Manager Downloads: https://software.cisco.com/download/home/286283259/type/286283388/release/16.0.2?i=!pp
• Cisco Secure Email Virtual Gateway Downloads: https://software.cisco.com/download/home/284900944/type/282975113/release/16.0.1?i=!pp
• Cisco Technical Assistance Center (TAC): https://www.cisco.com/c/en/us/support/index.html