Cisco Multiple Products Improper Input Validation Vulnerability

Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contains an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.

Published Dec 17, 2025 · Updated May 16, 2026

Why patchRisk explained in plain English

Worst-case scenarioIf unpatched

A remote attacker, without authentication, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2025-12-24 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a Improper Input Validation (CWE-20) vulnerability in Cisco Multiple Products. A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to execute arbitrary system commands on an affected device with root privileges. This vulnerability is due to insufficient validation of HTTP requests by the Spam Quarantine feature. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges. Exploitation requires remote network access, low attack complexity, no authentication required, and no user interaction required.

📧

Phishing link

→

🖼

Malicious file

🔓

Server compromised

Am I affected?Quick check

Probably yes if any of these apply:

●Network Security Team

●Firewall Administrators

●IT Security

●Running asyncos: v < 15.0.5-016, 15.5 ≤ v < 15.5.4-012, 16.0 ≤ v < 16.0.4-016, v < 15.0.2-007, 15.5 ≤ v < 15.5.4-007, 16.0 ≤ v < 16.0.4-010

Real-world incidentsWhat we've seen

CISA added this CVE to the Known Exploited Vulnerabilities catalog on 2025-12-17 based on evidence of active exploitation in the wild. Federal agencies required to remediate by 2025-12-24.

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

References

Vendor advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4

NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-20393

CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20393

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

↗ CVE-2025-20393 ↗ NVD ↗ Vendor Advisory