Alert essentials:
An attack campaign that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of Cisco Secure Email appliances is ongoing, with increasing activity. To date, no patches are available, and the CVE has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
CISA added the weakness to its KEV catalog on December 17, and federal agencies must mitigate the risk by December 24, 2025. Agencies are generally allotted 15 days to remediate KEV entries; allowing only a week signals a significant risk that should be addressed immediately.
Detailed threat description:
CVE-2025-20393 is a maximum-severity, remotely exploitable vulnerability affecting appliances running Cisco AsyncOS for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager that are configured with the Spam Quarantine feature.
This input validation flaw can be triggered remotely over the network with no prior privileges required and no user interaction. Since at least December 10, Cisco has tracked a Chinese-nexus APT adversary known as UAT-9686, which has targeted exposed appliances. After gaining root privileges on the underlying operating system, the actor establishes persistence with a lightweight Python backdoor to maintain control over compromised appliances.
All releases of Cisco AsyncOS Software are affected. However, successful exploitation requires specific conditions on both the physical and virtual versions of the Cisco Secure Email Gateway and the Cisco Secure Email and Web Manager appliance: the appliance must be configured with the non-default Spam Quarantine feature, AND that feature must be reachable from the internet. When both conditions hold, the device is vulnerable to attack and takeover.
This critical flaw was added to CISA's Known Exploited Vulnerabilities catalog, with expedited direction for federal agencies to mitigate it by December 24, 2025. No patches or workarounds have been identified to mitigate the risks of this campaign.
If an appliance has been identified as having the web management interface or the Spam Quarantine port exposed to and reachable from the internet, Cisco strongly recommends following a multi-step process to restore the appliance to a secure configuration using the recommendations in the manufacturer’s advisory.
However, in the event of a confirmed compromise, rebuilding the appliances is currently the only viable option to eradicate the threat actor’s persistence mechanism from the device. For compromise investigations, IoCs are available in Cisco’s GitHub repository.
We strongly recommend that administrators schedule an emergency procedure to maintain network integrity and avoid takeover.
Impacts on healthcare organizations:
Hospitals are high-value targets because of sensitive patient data and critical operations. Exploitation of CVE-2025-20393 could allow attackers to gain full control of email security appliances, potentially enabling data exfiltration or ransomware delivery via trusted channels.
Defenders should immediately audit configurations to ensure Spam Quarantine is not internet-facing, apply the hardening guidance from the vendor advisory, and follow up with regular monitoring for unusual activity.
Affected Products / Versions
- All releases of Cisco AsyncOS Software
- Cisco Secure Email Gateway, physical and virtual, with the Spam Quarantine feature enabled and exposed
- Cisco Secure Email and Web Manager, physical and virtual, with the Spam Quarantine feature enabled and exposed
Not Affected
- Cisco has confirmed that all devices in Cisco Secure Email Cloud are not affected
- Cisco is not aware of any exploitation activity against Cisco Secure Web
CVEs
- CVE-2025-20393, CWE-20, CVSS 10
Recommendations
- Schedule emergency maintenance windows if necessary
- Locate all devices using Cisco AsyncOS
- Upgrade the appliance to the latest version of Cisco AsyncOS Software
- Determine whether Spam Quarantine is enabled on each Cisco Secure Email Gateway appliance
- Determine whether Spam Quarantine is enabled on each Cisco Secure Email and Web Manager appliance
- If an appliance has been identified as having the web management interface or the Spam Quarantine port exposed to and reachable from the internet, Cisco strongly recommends following a multi-step process to restore the appliance to a secure configuration, when possible
- If restoring the appliance is not possible, Cisco recommends contacting its technical assistance center to verify whether the appliance has been compromised. In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actor’s persistence mechanism from the appliance
- Cisco strongly recommends restricting access to appliances and implementing robust access control mechanisms to ensure that ports are not exposed to unsecured networks
- Regularly monitor web log traffic for any unexpected traffic to/from appliances.
- Disable HTTP for the main administrator portal
- Turn off any network services that are not required
- Use strong end-user authentication methods like SAML or LDAP
- Change the default administrator password
- Enable SSL/TLS on the appliance using a certificate obtained from a certificate authority (CA) or a self-signed certificate
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
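The audit and monitoring guidance above (confirm the Spam Quarantine service is not internet-facing, then watch appliance web logs for unexpected traffic) can be turned into a simple triage check. The script below is an added example, not code from Fortified or Cisco: it parses a constructed, generic access-log layout (not the real AsyncOS log format), assumes quarantine listener ports of 82/83 (confirm against your appliance's Spam Quarantine settings), and reports requests that reached those ports from addresses outside the organization's internal ranges.

```python
import ipaddress
import re
from datetime import datetime
from typing import Iterable, List, NamedTuple, Optional

# Assumed quarantine listener ports; confirm against the appliance's own
# Spam Quarantine settings before relying on this.
QUARANTINE_PORTS = {82, 83}

# Address ranges this (hypothetical) organization treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

class Request(NamedTuple):
    when: datetime
    src: str
    dst_port: int
    method: str
    path: str
    status: int

# Constructed line layout (not Cisco's real log format):
# <ISO-8601 timestamp> <source IP> <destination port> <METHOD> <path> <status>
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) ([A-Z]+) (\S+) (\d{3})$")

def parse_line(line: str) -> Optional[Request]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, port, method, path, status = m.groups()
    return Request(datetime.fromisoformat(ts), src, int(port), method, path, int(status))

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def external_quarantine_hits(lines: Iterable[str], ports=QUARANTINE_PORTS) -> List[Request]:
    """Requests that reached a quarantine port from outside the internal ranges."""
    return [r for r in map(parse_line, lines)
            if r is not None and r.dst_port in ports and not is_internal(r.src)]

# Constructed sample lines (203.0.113.x and 198.51.100.x are documentation ranges).
SAMPLE_LOG = """\
2025-12-18T09:01:10+00:00 10.20.5.7 83 GET /login 200
2025-12-18T09:01:12+00:00 203.0.113.45 83 POST /login 200
2025-12-18T09:02:00+00:00 10.20.5.9 8443 GET /ng-login 200
2025-12-18T09:02:30+00:00 198.51.100.8 82 GET /euq-login 302
not a log line
""".splitlines()
```

Any hit returned by external_quarantine_hits means the quarantine listener is reachable from outside and should be treated as exposed under the advisory's conditions; feed real log exports in place of SAMPLE_LOG after adapting LINE_RE to the actual format.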
References:
- CISA Known Exploited Vulnerabilities (KEV) catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Cisco Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
- Cisco Blog: https://blog.talosintelligence.com/uat-9686/
- Cisco GitHub IoCs: https://github.com/Cisco-Talos/IOCs/tree/main/2025/12
- Cisco Secure Email and Web Manager Downloads: https://software.cisco.com/download/home/286283259/type/286283388/release/16.0.2?i=!pp
- Cisco Secure Email Virtual Gateway Downloads: https://software.cisco.com/download/home/284900944/type/282975113/release/16.0.1?i=!pp
- Cisco Technical Assistance Center (TAC): https://www.cisco.com/c/en/us/support/index.html