CISCO-SA-SMA-ATTACK-N9BF4
Vulnerability from csaf_cisco - Published: 2025-12-17 16:00 - Updated: 2026-01-15 16:01
Reports About Cyberattacks Against Cisco Secure Email Gateway And Cisco Secure Email and Web Manager
Notes
Summary
On December 10, Cisco became aware of a new cyberattack campaign targeting a limited subset of appliances with certain ports open to the internet that are running Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance. The ongoing investigation has revealed evidence of a persistence mechanism implanted by the threat actors to maintain a degree of control over compromised appliances.
Cisco has remediated the vulnerability that was exploited by the threat actors as part of the cyberattack campaign. For more information about this vulnerability, see the Details ["#details"] section of this advisory.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Cisco strongly recommends that customers follow the guidance provided in the Recommendations ["#Recommendations"] section of this advisory to assess exposure and mitigate risks.
Cisco Talos wrote about these attacks in the blog post UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager ["https://blog.talosintelligence.com/uat-9686/"].
Affected Products
Cisco has concluded its current investigation of this attack campaign. Cisco will update this advisory as appropriate as more information becomes available, although that is not currently anticipated.
This attack campaign targets Cisco Secure Email Gateway, both physical and virtual, and Cisco Secure Email and Web Manager appliances, both physical and virtual, when all the following conditions are met:
The appliance is running a vulnerable release of Cisco AsyncOS Software.
The appliance is configured with the Spam Quarantine feature.
The Spam Quarantine feature is exposed to and reachable from the internet.
Vulnerable Products
The vulnerability exploited by the threat actors affects Cisco Secure Email Gateway, both physical and virtual, and Cisco Secure Email and Web Manager appliances, both physical and virtual, when the appliance is configured with the Spam Quarantine feature, which is not enabled by default. Deployment guides for these products do not require this feature to be directly exposed to the Internet.
For information about which Cisco software releases are vulnerable, see the Fixed Software ["#fs"] section of this advisory.
Determine Whether Spam Quarantine Is Enabled on a Cisco Secure Email Gateway Appliance
To determine whether the Spam Quarantine feature is configured and enabled on an appliance, connect to the web management interface and navigate to the following menu: Network > IP Interfaces > [Select the Interface on which Spam Quarantine is configured]. If the checkbox next to Spam Quarantine is checked, the feature is enabled.
Determine Whether Spam Quarantine Is Enabled on a Cisco Secure Email and Web Manager Appliance
To determine whether the Spam Quarantine feature is configured and enabled on an appliance, connect to the web management interface and navigate to the following menu: Management Appliance > Network > IP Interfaces > [Select the interface on which Spam Quarantine is configured]. If the checkbox next to Spam Quarantine is checked, the feature is enabled.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products ["#vp"] section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that all devices that are part of Cisco Secure Email Cloud are not affected.
Cisco is not aware of any exploitation activity against Cisco Secure Web.
Details
Cisco has remediated the vulnerability exploited by the threat actors as part of the cyberattack campaign. Details about this vulnerability are as follows:
CVE-2025-20393: Cisco Secure Email Gateway And Cisco Secure Email and Web Manager Remote Command Execution Vulnerability
A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to execute arbitrary system commands on an affected device with root privileges.
This vulnerability is due to insufficient validation of HTTP requests by the Spam Quarantine feature. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Bug ID(s): CSCws36549 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCws36549"], CSCws52505 ["https://bst.cloudapps.cisco.com/bugsearch/bug/CSCws52505"]
CVE ID: CVE-2025-20393
Security Impact Rating (SIR): Critical
CVSS Base Score: 10.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Indicators of Compromise
As part of the attack campaign described in this advisory, the threat actor implanted a persistent covert channel that was used to remotely access the compromised appliance.
Customers who wish to explicitly verify whether an appliance has been compromised can open a Cisco Technical Assistance Center (TAC) ["https://www.cisco.com/c/en/us/support/index.html"] case. To expedite our investigation into the potential compromise, ensure that remote access is enabled on the affected appliances. For more guidance, see this tech note ["https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117873-faq-esa-00.html"].
Cisco strongly recommends following the guidance listed in the Recommendations ["#Recommendations"] section of this advisory.
Workarounds
There are no workarounds identified that directly mitigate the risk concerning this attack campaign, but administrators can view and follow the guidance provided in the Recommendations ["#Recommendations"] section of this advisory.
Fixed Software
Fixed Releases
In the following tables, the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerability that is described in this advisory and the first release that includes the fix for this vulnerability. Customers are advised to upgrade to an appropriate fixed software release ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"] as indicated in this section.
Cisco Email Security Gateway
Cisco AsyncOS Software Release    First Fixed Release
14.2 and earlier                  15.0.5-016
15.0                              15.0.5-016
15.5                              15.5.4-012
16.0                              16.0.4-016
Secure Email and Web Manager
Cisco AsyncOS Software Release    First Fixed Release
15.0 and earlier                  15.0.2-007
15.5                              15.5.4-007
16.0                              16.0.4-010
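The three campaign conditions in the Affected Products section and the two fixed-release tables above can be combined into one inventory check. The following script is an added example and is not Cisco tooling: it assumes you have already collected, per appliance, the product name, the running AsyncOS version string, whether the Spam Quarantine feature is enabled, and whether that feature is reachable from the internet. The release-to-first-fixed mapping is copied from the tables in this advisory; the version layout major.minor.maintenance-build (e.g. 15.5.4-012) is an assumption about how AsyncOS versions are written, and the inventory entries are constructed.

```python
"""Exposure triage for CVE-2025-20393 against the advisory's fixed-release tables.

Added example, not Cisco tooling. Version layout major.minor.maintenance-build
is assumed; hostnames and versions in SAMPLE_INVENTORY are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# First fixed release per release train, copied from the advisory's two tables.
# The "X and earlier" row is handled in first_fixed_for(): any train older than
# the lowest listed train maps to that lowest train's fixed release.
FIRST_FIXED = {
    "Cisco Secure Email Gateway": {
        (15, 0): "15.0.5-016",  # also the fix for 14.2 and earlier
        (15, 5): "15.5.4-012",
        (16, 0): "16.0.4-016",
    },
    "Cisco Secure Email and Web Manager": {
        (15, 0): "15.0.2-007",  # also the fix for releases before 15.0
        (15, 5): "15.5.4-007",
        (16, 0): "16.0.4-010",
    },
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str):
    """Turn '15.5.4-012' into (15, 5, 4, 12) so tuples compare numerically."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised AsyncOS version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def first_fixed_for(product: str, version: str) -> Optional[str]:
    """First fixed release for this appliance's train; None when the train is
    newer than anything the advisory lists (treat that as 'unknown')."""
    trains = FIRST_FIXED[product]
    major, minor, _maint, _build = parse_version(version)
    train = (major, minor)
    if train in trains:
        return trains[train]
    lowest = min(trains)
    if train < lowest:
        return trains[lowest]  # the "... and earlier" row of the table
    return None


def is_vulnerable_release(product: str, version: str) -> Optional[bool]:
    """True if the running release predates the first fixed release."""
    fixed = first_fixed_for(product, version)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


@dataclass
class Appliance:
    hostname: str
    product: str
    version: str
    spam_quarantine_enabled: bool
    spam_quarantine_internet_reachable: bool


def triage(app: Appliance) -> dict:
    """Combine the release check with the two configuration conditions."""
    vulnerable = is_vulnerable_release(app.product, app.version)
    exposed = (vulnerable is True
               and app.spam_quarantine_enabled
               and app.spam_quarantine_internet_reachable)
    if vulnerable is None:
        action = "release train not covered by advisory; verify manually"
    elif not vulnerable:
        action = "running a fixed release; no upgrade needed for this CVE"
    elif exposed:
        action = "all campaign conditions met: upgrade now and open a TAC case"
    else:
        action = "vulnerable release but not exposed: schedule the upgrade"
    return {
        "hostname": app.hostname,
        "vulnerable_release": vulnerable,
        "first_fixed": first_fixed_for(app.product, app.version),
        "campaign_conditions_met": exposed,
        "action": action,
    }


# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    Appliance("esa-dmz-1", "Cisco Secure Email Gateway", "15.5.3-010", True, True),
    Appliance("esa-core-2", "Cisco Secure Email Gateway", "14.2.0-620", True, False),
    Appliance("sma-1", "Cisco Secure Email and Web Manager", "16.0.4-010", True, True),
    Appliance("sma-2", "Cisco Secure Email and Web Manager", "16.1.0-001", False, False),
]


def triage_all(inventory):
    return [triage(app) for app in inventory]


if __name__ == "__main__":
    for result in triage_all(SAMPLE_INVENTORY):
        print(f"{result['hostname']:<12} fixed={result['first_fixed']}  {result['action']}")
```

Comparing the full four-part tuple matters because the fixed builds differ only in the maintenance and build fields (15.5.4-007 versus 15.5.4-012, for example); a string comparison or a major.minor check alone would misclassify appliances sitting one build behind the fix.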
The software can be upgraded over the network by using the System Upgrade options in the web-based management interface of the appliance.
To upgrade a device by using the web-based management interface, do the following:
Choose System Administration > System Upgrade.
Click Upgrade Options.
Click Download and Install.
Choose a release to upgrade to.
In the Upgrade Preparation area, choose the appropriate options.
Click Proceed to begin the upgrade. A progress bar displays the status of the upgrade.
After the upgrade is complete, the device reboots.
To upgrade a device by using the CLI, do the following:
Type upgrade.
Select DOWNLOADINSTALL.
Choose a release to upgrade to.
Choose the appropriate options throughout the upgrade process.
After the upgrade is complete, the device reboots.
Cisco Secure Email Cloud includes Cisco Secure Email Gateway and Cisco Secure Email and Web Manager devices as part of the service solution. Cisco provides regular maintenance of the products included in this solution. Customers can also request a software upgrade by contacting Cisco Secure Email Cloud support.
The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.
Recommendations
Cisco recommends upgrading the affected appliances to a fixed software release. The fix addresses the vulnerability used by threat actors and clears the persistence mechanisms that were identified in this attack campaign and installed on the appliances.
If administrators require confirmation to check whether the appliance has been compromised, Cisco recommends contacting TAC. ["https://www.cisco.com/c/en/us/support/index.html"]
The Useful Resources ["#ur"] section contains additional information that is relevant to the attack campaign reported in this advisory.
General Recommendations For Hardening
Prevent access from unsecured networks, such as the Internet, to the appliance. If internet access to the appliance is required, restrict appliance access to only known, trusted hosts on the ports/protocols that are included in the user guides.
Protect Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances behind a filtering device such as a firewall, and filter traffic to/from the appliances while only allowing known, trusted hosts to send traffic to the appliances. Using a two-layer firewall can provide flexibility in network planning so that end users do not connect directly to the outer DMZ. See the Deployment sections of the User Guides for Cisco Secure Email Gateway ["https://www.cisco.com/c/en/us/td/docs/security/esa/esa16-0-3/user_guide/b_ESA_Admin_Guide_16-0-3/b_ESA_Admin_Guide_12_1_chapter_010.html#con_1287954"] and Cisco Secure Email and Web Manager ["https://www.cisco.com/c/en/us/td/docs/security/security_management/sma/sma16-0-2/user_guide/b_sma_admin_guide_16_0_2/b_NGSMA_Admin_Guide_chapter_01.html#con_1257754"].
For Cisco Secure Email Gateway, separate mail and management functionality onto separate network interfaces. This reduces the chance of unauthorized users accessing the internal Management Network. For more information, see the device user guides.
Regularly monitor web log traffic for any unexpected traffic to/from appliances. Logging should be sent to an external server, if possible, and kept for a long enough duration so that post-event investigations can be performed with sufficient log data.
Disable HTTP for the main administrator portal.
Disable any network services that are not required, including HTTP and FTP. For more information about specific service functionality, see the Cisco Secure Email Gateway and Cisco Secure Email and Web Manager user guides.
Upgrade the appliance to the latest version of Cisco AsyncOS Software.
Use a strong form of end-user authentication to the appliances, such as SAML or Lightweight Directory Access Protocol (LDAP). For more secure methods of authentication, see Authentication Options for End Users Accessing Spam Management Features ["https://www.cisco.com/c/en/us/td/docs/security/security_management/sma/sma16-0-2/user_guide/b_sma_admin_guide_16_0_2/b_NGSMA_Admin_Guide_chapter_0101.html?bookSearch=true#con_1623537"].
Change the default administrator password to a more secure variant. Restrict access to the administrator account by creating user accounts based on necessary access requirements. In addition, create operator accounts for all administrators.
Use SSL/TLS; obtain an SSL certificate from a certificate authority (CA) or create a self-signed certificate.
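Two of the hardening items above, restricting appliance access to known, trusted hosts and regularly monitoring web logs for unexpected traffic, can be checked against each other: any request to the appliance's web interfaces from a source outside the trusted networks is by definition unexpected. The script below is an added example and is not Cisco tooling. The trusted networks, the sample log lines and the request paths are all constructed; the lines use Common Log Format purely for illustration, and the real AsyncOS web log layout is an assumption here, so LOG_RE must be adapted to whatever the appliance actually ships to your log server.

```python
"""Allowlist check over appliance web-access logs.

Added example, not Cisco tooling. TRUSTED_NETWORKS, SAMPLE_LOG and the request
paths are constructed; the log layout (Common Log Format) is assumed.
"""
import ipaddress
import re
from collections import Counter

# Networks allowed to reach the appliance's web interfaces (constructed).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Common Log Format: src ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# address ranges, and the paths are made up.
SAMPLE_LOG = """\
10.0.4.12 - - [15/Jan/2026:09:01:11 +0000] "GET /login HTTP/1.1" 200 1842
203.0.113.77 - - [15/Jan/2026:09:02:03 +0000] "POST /login HTTP/1.1" 302 0
192.168.50.9 - - [15/Jan/2026:09:02:40 +0000] "GET /quarantine/search HTTP/1.1" 200 9127
198.51.100.5 - - [15/Jan/2026:09:03:15 +0000] "POST /quarantine/search HTTP/1.1" 500 0
203.0.113.77 - - [15/Jan/2026:09:03:19 +0000] "POST /quarantine/search HTTP/1.1" 500 0
garbage line that does not parse
"""


def parse_line(line: str):
    """Return a dict for one CLF line, or None if the line does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(src: str) -> bool:
    """True if the source address falls inside any trusted network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage are never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_untrusted_requests(log_text: str):
    """All parsed requests whose source is outside TRUSTED_NETWORKS, plus the
    number of lines that did not parse (a format change is worth noticing too)."""
    hits, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if not is_trusted(rec["src"]):
            hits.append(rec)
    return hits, unparsed


def summarise(hits):
    """Requests per untrusted source, and how many of them ended in a 5xx."""
    per_source = Counter(rec["src"] for rec in hits)
    server_errors = sum(1 for rec in hits if 500 <= rec["status"] < 600)
    return dict(per_source), server_errors


if __name__ == "__main__":
    hits, unparsed = find_untrusted_requests(SAMPLE_LOG)
    per_source, errors = summarise(hits)
    for src, count in per_source.items():
        print(f"{src}: {count} request(s) from outside trusted networks")
    print(f"{errors} of those returned a 5xx; {unparsed} line(s) did not parse")
```

Run it over the logs the advisory tells you to ship to an external server, with TRUSTED_NETWORKS set to the same hosts the firewall in front of the appliance permits; the unparsed-line count is reported separately so that a silently changed log format does not turn into an empty, reassuring result.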
Useful Resources
The following resources can help restore an affected appliance to a secure state. Some of the documents are related to a specific product, but the procedures are mostly interchangeable. If customers have specific questions about a procedure, contact TAC. ["https://www.cisco.com/c/en/us/support/index.html"]
To download replacement Virtual Appliances, visit the relevant Cisco Software Download page:
Cisco Secure Email Gateway ["https://software.cisco.com/download/home/284900944/type/282975113/release/16.0.1?i=!pp"]
Cisco Secure Email and Web Manager ["https://software.cisco.com/download/home/286283259/type/286283388/release/16.0.2?i=!pp"]
For information about exporting reporting data from an appliance, see Working with Reports. ["https://www.cisco.com/c/en/us/td/docs/security/security_management/sma/sma16-0/user_guide/b_sma_admin_guide_16_0/b_NGSMA_Admin_Guide_chapter_010.html"]
For information about how to purge messages in the quarantine, see Spam Quarantine. ["https://www.cisco.com/c/en/us/td/docs/security/security_management/sma/sma16-0/user_guide/b_sma_admin_guide_16_0/b_NGSMA_Admin_Guide_chapter_0101.html"]
For additional information, see Centralizing Policy, Virus, and Outbreak Quarantines. ["https://www.cisco.com/c/en/us/td/docs/security/esa/esa16-0/user_guide/b_ESA_Admin_Guide_16-0/b_ESA_Admin_Guide_12_1_chapter_0101011.html#con_1158787"]
Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Exploitation and Public Announcements
In December 2025, the Cisco Product Security Incident Response Team (PSIRT) became aware of potentially malicious activity that targets Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances.
Source
This vulnerability was found during the resolution of a Cisco Technical Assistance Center (TAC) support case.
Legal Disclaimer
SOFTWARE DOWNLOADS AND TECHNICAL SUPPORT
The Cisco Support and Downloads ["https://www.cisco.com/c/en/us/support/index.html"] page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. Please note that customers may download only software that was procured from Cisco directly or through a Cisco authorized reseller or partner and for which the license is still valid.
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC) ["https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"]. Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
When considering software upgrades ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"], customers are advised to regularly consult the advisories ["https://www.cisco.com/go/psirt"] for the relevant Cisco products to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) ["https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"] or their contracted maintenance providers.
LEGAL DISCLAIMER DETAILS
CISCO DOES NOT MAKE ANY EXPRESS OR IMPLIED GUARANTEES OR WARRANTIES OF ANY KIND, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, CISCO DOES NOT GUARANTEE THE ACCURACY OR COMPLETENESS OF THIS INFORMATION. THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
Copies or summaries of the information contained in this Security Advisory may lack important information or contain factual errors. Customers are advised to visit the Cisco Security Advisories ["https://www.cisco.com/go/psirt"] page for the most recent version of this Security Advisory. The Cisco Product Security Incident Response Team (PSIRT) assesses only the affected and fixed release information that is documented in this advisory. See the Cisco Security Vulnerability Policy ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"] for more information.
{
"document": {
"acknowledgments": [
{
"summary": "This vulnerability was found during the resolution of a Cisco Technical Assistance Center (TAC) support case."
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"notes": [
{
"category": "summary",
"text": "On December 10, Cisco became aware of a new cyberattack campaign targeting a limited subset of appliances with certain ports open to the internet that are running Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance. The ongoing investigation has revealed evidence of a persistence mechanism implanted by the threat actors to maintain a degree of control over compromised appliances.\r\n\r\nCisco has remediated the vulnerability that was exploited by the threat actors as part of the cyberattack campaign. For more information about this vulnerability, see the Details [\"#details\"] section of this advisory.\r\n\r\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\r\n\r\nCisco strongly recommends that customers follow the guidance provided in the Recommendations [\"#Recommendations\"]section of this advisory to assess exposure and mitigate risks.\r\n\r\nCisco Talos wrote about these attacks in the blog post UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager [\"https://blog.talosintelligence.com/uat-9686/\"].\r\n\r\n",
"title": "Summary"
},
{
"category": "general",
"text": "Cisco has concluded its current investigation of this attack campaign. Cisco will update this advisory as appropriate as more information becomes available, although that is not currently anticipated.\r\n\r\nThis attack campaign targets Cisco Secure Email Gateway, both physical and virtual, and Cisco Secure Email and Web Manager appliances, both physical and virtual, when all the following conditions are met:\r\n\r\nThe appliance is running a vulnerable release of Cisco AsyncOS Software.\r\nThe appliance is configured with the Spam Quarantine feature.\r\nThe Spam Quarantine feature is exposed to and reachable from the internet.",
"title": "Affected Products"
},
{
"category": "general",
"text": "The vulnerability exploited by the threat actors affects Cisco Secure Email Gateway, both physical and virtual, and Cisco Secure Email and Web Manager appliances, both physical and virtual, when the appliance is configured with the Spam Quarantine feature, which is not enabled by default. Deployment guides for these products do not require this feature to be directly exposed to the Internet.\r\n\r\nFor information about which Cisco software releases are vulnerable, see the Fixed Software [\"#fs\"] section of this advisory.\r\n\r\nDetermine Whether Spam Quarantine Is Enabled on a Cisco Secure Email Gateway Appliance\r\n\r\nTo determine whether the Spam Quarantine feature is configured and enabled on an appliance, connect to the web management interface and navigate to the following menu: Network \u003e IP Interfaces \u003e [Select the Interface on which Spam Quarantine is configured]. If the checkbox next to Spam Quarantine is checked, the feature is enabled.\r\n\r\nDetermine Whether Spam Quarantine Is Enabled on a Cisco Secure Email and Web Manager Appliance\r\n\r\nTo determine whether the Spam Quarantine feature is configured and enabled on an appliance, connect to the web management interface and navigate to the following menu: Management Appliance \u003e Network \u003e IP Interfaces \u003e [Select the interface on which Spam Quarantine is configured]. If the checkbox next to Spam Quarantine is checked, the feature is enabled.",
"title": "Vulnerable Products"
},
{
"category": "general",
"text": "Only products listed in the Vulnerable Products [\"#vp\"] section of this advisory are known to be affected by this vulnerability.\r\n\r\nCisco has confirmed that all devices that are part of Cisco Secure Email Cloud are not affected.\r\n\r\nCisco is not aware of any exploitation activity against Cisco Secure Web.",
"title": "Products Confirmed Not Vulnerable"
},
{
"category": "general",
"text": "Cisco has remediated the vulnerability exploited by the threat actors as part of the cyberattack campaign. Details about this vulnerability are as follows:\r\n\r\nCVE-2025-20393: Cisco Secure Email Gateway And Cisco Secure Email and Web Manager Remote Command Execution Vulnerability\r\n\r\nA vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to execute arbitrary system commands on an affected device with root privileges.\r\n\r\nThis vulnerability is due to insufficient validation of HTTP requests by the Spam Quarantine feature. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.\r\n\r\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\r\n\r\nBug ID(s): CSCws36549 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCws36549\"], CSCws52505 [\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCws52505\"]\r\nCVE ID: CVE-2025-20393\r\nSecurity Impact Rating (SIR): Critical\r\nCVSS Base Score: 10.0\r\nCVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"title": "Details"
},
{
"category": "general",
"text": "As part of the attack campaign described in this advisory, the threat actor implanted a persistent covert channel that was used to remotely access the compromised appliance.\r\n\r\nCustomers who wish to explicitly verify whether an appliance has been compromised can open a Cisco Technical Assistance Center (TAC) [\"https://www.cisco.com/c/en/us/support/index.html\"] case. To expedite our investigation into the potential compromise, ensure that remote access is enabled on the affected appliances. For more guidance, see this tech note [\"https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117873-faq-esa-00.html\"].\r\n\r\nCisco strongly recommends following the guidance listed in the Recommendations [\"#Recommendations\"] section of this advisory.",
"title": "Indicators of Compromise"
},
{
"category": "general",
"text": "There are no workarounds identified that directly mitigate the risk concerning this attack campaign, but administrators can view and follow the guidance provided in the Recommendations [\"#Recommendations\"] section of this advisory.",
"title": "Workarounds"
},
{
"category": "general",
"text": "Fixed Releases\r\nIn the following tables, the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerability that is described in this advisory and the first release that includes the fix for this vulnerability. Customers are advised to upgrade to an appropriate fixed software release [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"] as indicated in this section.\r\n\r\nCisco Email Security Gateway\r\n Cisco AsyncOS Software Release First Fixed Release 14.2 and earlier 15.0.5-016 15.0 15.0.5-016 15.5 15.5.4-012 16.0 16.0.4-016\r\nSecure Email and Web Manager\r\n Cisco AsyncOS Software Release First Fixed Release 15.0 and earlier 15.0.2-007 15.5 15.5.4-007 16.0 16.0.4-010\r\nThe software can be upgraded over the network by using the System Upgrade options in the web-based management interface of the appliance.\r\n\r\nTo upgrade a device by using the web-based management interface, do the following:\r\n\r\nChoose System Administration \u003e System Upgrade.\r\nClick Upgrade Options.\r\nClick Download and Install.\r\nChoose a release to upgrade to.\r\nIn the Upgrade Preparation area, choose the appropriate options.\r\nClick Proceed to begin the upgrade. A progress bar displays the status of the upgrade.\r\n\r\nAfter the upgrade is complete, the device reboots.\r\n\r\nTo upgrade a device by using the CLI, do the following:\r\n\r\nType upgrade.\r\nSelect DOWNLOADINSTALL.\r\nChoose a release to upgrade to.\r\nChoose the appropriate options throughout the upgrade process.\r\n\r\nAfter the upgrade is complete, the device reboots.\r\n\r\nCisco Secure Email Cloud includes Cisco Secure Email Gateway and Cisco Secure Email and Web Manager devices as part of the service solution. Cisco provides regular maintenance of the products included in this solution. Customers can also request a software upgrade by contacting Cisco Secure Email Cloud support.\r\n\r\nThe Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.",
"title": "Fixed Software"
},
{
"category": "general",
"text": "Cisco recommends upgrading the affected appliances to a fixed software release. The fix addresses the vulnerability used by threat actors and clears the persistence mechanisms that were identified in this attack campaign and installed on the appliances.\r\n\r\nIf administrators require confirmation to check whether the appliance has been compromised, Cisco recommends contacting TAC. [\"https://www.cisco.com/c/en/us/support/index.html\"]\r\n\r\nThe Useful Resources [\"#ur\"] section contains additional information that is relevant to the attack campaign reported in this advisory.\r\n\r\nGeneral Recommendations For Hardening\r\n\r\nPrevent access from the unsecured networks, such as the Internet, to the appliance. If internet access to the appliance is required, restrict appliance access to only known, trusted hosts on ports/protocols that are included in the user guides.\r\nProtect Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances behind a filtering device such as a firewall, and filter traffic to/from the appliances while only allowing known, trusted hosts to send traffic to the appliances. Using a two-layer firewall can provide flexibility in network planning so that end users do not connect directly to the outer DMZ. See the Deployment sections of the User Guides for Cisco Secure Email Gateway [\"https://www.cisco.com/c/en/us/td/docs/security/esa/esa16-0-3/user_guide/b_ESA_Admin_Guide_16-0-3/b_ESA_Admin_Guide_12_1_chapter_010.html#con_1287954\"] and Cisco Secure Email and Web Manager [\"https://www.cisco.com/c/en/us/td/docs/security/security_management/sma/sma16-0-2/user_guide/b_sma_admin_guide_16_0_2/b_NGSMA_Admin_Guide_chapter_01.html#con_1257754\"].\r\nFor Cisco Secure Email Gateway, separate mail and management functionality onto separate network interfaces. This reduces the chance of unauthorized users accessing the internal Management Network. For more information, see the device user guides.\r\nRegularly monitor web log traffic for any unexpected traffic to/from appliances. Logging should be sent to an external server, if possible, and kept for a long enough duration so that post-event investigations can be performed with sufficient log data.\r\nDisable HTTP for the main administrator portal.\r\nDisable any network services that are not required, including HTTP and FTP. For more information about specific service functionality, see the Cisco Secure Email Gateway and Cisco Secure Email and Web Manager user guides.\r\nUpgrade the appliance to the latest version of Cisco AsyncOS Software.\r\nUse a strong form of end-user authentication to the appliances, such as SAML or Lightweight Directory Access Protocol (LDAP). For more secure methods of authentication, see Authentication Options for End Users Accessing Spam Management Features [\"https://www.cisco.com/c/en/us/td/docs/security/security_management/sma/sma16-0-2/user_guide/b_sma_admin_guide_16_0_2/b_NGSMA_Admin_Guide_chapter_0101.html?bookSearch=true#con_1623537\"].\r\nChange the default administrator password to a more secure variant. Restrict access to the administrator account by creating user accounts based on necessary access requirements. In addition, create operator accounts for all administrators.\r\nUse SSL/TLS, obtain an SSL certificate from a certificate authority (CA) or create a self-signed certificate.\r\n\r\n\r\n\r\nUseful Resources\r\n\r\nThe following resources can help restore an affected appliance to a secure state. Some of the documents are related to a specific product, but the procedures are mostly interchangeable. If customers have specific questions about a procedure, contact TAC. [\"https://www.cisco.com/c/en/us/support/index.html\"]\r\n\r\nTo download replacement Virtual Appliances, visit the relevant Cisco Software Download page:\r\n\r\nCisco Secure Email Gateway [\"https://software.cisco.com/download/home/284900944/type/282975113/release/16.0.1?i=!pp\"]\r\nCisco Secure Email and Web Manager [\"https://software.cisco.com/download/home/286283259/type/286283388/release/16.0.2?i=!pp\"]\r\n\r\nFor information about exporting reporting data from an appliance, see Working with Reports. [\"https://www.cisco.com/c/en/us/td/docs/security/security_management/sma/sma16-0/user_guide/b_sma_admin_guide_16_0/b_NGSMA_Admin_Guide_chapter_010.html\"]\r\n\r\nFor information about how to purge messages in the quarantine, see Spam Quarantine. [\"https://www.cisco.com/c/en/us/td/docs/security/security_management/sma/sma16-0/user_guide/b_sma_admin_guide_16_0/b_NGSMA_Admin_Guide_chapter_0101.html\"]\r\n\r\nFor additional information, see Centralizing Policy, Virus, and Outbreak Quarantines. [\"https://www.cisco.com/c/en/us/td/docs/security/esa/esa16-0/user_guide/b_ESA_Admin_Guide_16-0/b_ESA_Admin_Guide_12_1_chapter_0101011.html#con_1158787\"]",
"title": "Recommendations"
},
{
"category": "general",
"text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
"title": "Vulnerability Policy"
},
{
"category": "general",
"text": "In December 2025, the Cisco Product Security Incident Response Team (PSIRT) became aware of potentially malicious activity that targets Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances.",
"title": "Exploitation and Public Announcements"
},
{
"category": "general",
"text": "This vulnerability was found during the resolution of a Cisco Technical Assistance Center (TAC) support case.",
"title": "Source"
},
{
"category": "legal_disclaimer",
"text": "SOFTWARE DOWNLOADS AND TECHNICAL SUPPORT\r\n\r\nThe Cisco Support and Downloads [\"https://www.cisco.com/c/en/us/support/index.html\"] page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. Please note that customers may download only software that was procured from Cisco directly or through a Cisco authorized reseller or partner and for which the license is still valid.\r\n\r\nCustomers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC) [\"https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html\"]. Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.\r\n\r\nWhen considering software upgrades [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"], customers are advised to regularly consult the advisories [\"https://www.cisco.com/go/psirt\"] for the relevant Cisco products to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) [\"https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html\"] or their contracted maintenance providers.\r\n LEGAL DISCLAIMER DETAILS\r\n\r\nCISCO DOES NOT MAKE ANY EXPRESS OR IMPLIED GUARANTEES OR WARRANTIES OF ANY KIND, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, CISCO DOES NOT GUARANTEE THE ACCURACY OR COMPLETENESS OF THIS INFORMATION. THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nCopies or summaries of the information contained in this Security Advisory may lack important information or contain factual errors. Customers are advised to visit the Cisco Security Advisories [\"https://www.cisco.com/go/psirt\"] page for the most recent version of this Security Advisory. The Cisco Product Security Incident Response Team (PSIRT) assesses only the affected and fixed release information that is documented in this advisory. See the Cisco Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"] for more information.",
"title": "Legal Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@cisco.com",
"issuing_authority": "Cisco PSIRT",
"name": "Cisco",
"namespace": "https://wwww.cisco.com"
},
"references": [
{
"category": "self",
"summary": "Reports About Cyberattacks Against Cisco Secure Email Gateway And Cisco Secure Email and Web Manager",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4"
},
{
"category": "external",
"summary": "Cisco Security Vulnerability Policy",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
},
{
"category": "external",
"summary": "UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager",
"url": "https://blog.talosintelligence.com/uat-9686/"
},
{
"category": "external",
"summary": "CSCws36549",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCws36549"
},
{
"category": "external",
"summary": "CSCws52505",
"url": "https://bst.cloudapps.cisco.com/bugsearch/bug/CSCws52505"
},
{
"category": "external",
"summary": "Cisco Technical Assistance Center (TAC)",
"url": "https://www.cisco.com/c/en/us/support/index.html"
},
{
"category": "external",
"summary": "tech note",
"url": "https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117873-faq-esa-00.html"
},
{
"category": "external",
"summary": "fixed software release",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"
},
{
"category": "external",
"summary": "Cisco Secure Email Gateway",
"url": "https://www.cisco.com/c/en/us/td/docs/security/esa/esa16-0-3/user_guide/b_ESA_Admin_Guide_16-0-3/b_ESA_Admin_Guide_12_1_chapter_010.html#con_1287954"
},
{
"category": "external",
"summary": "Cisco Secure Email and Web Manager",
"url": "https://www.cisco.com/c/en/us/td/docs/security/security_management/sma/sma16-0-2/user_guide/b_sma_admin_guide_16_0_2/b_NGSMA_Admin_Guide_chapter_01.html#con_1257754"
},
{
"category": "external",
"summary": "Authentication Options for End Users Accessing Spam Management Features",
"url": "https://www.cisco.com/c/en/us/td/docs/security/security_management/sma/sma16-0-2/user_guide/b_sma_admin_guide_16_0_2/b_NGSMA_Admin_Guide_chapter_0101.html?bookSearch=true#con_1623537"
},
{
"category": "external",
"summary": "Cisco Secure Email Gateway",
"url": "https://software.cisco.com/download/home/284900944/type/282975113/release/16.0.1?i=!pp"
},
{
"category": "external",
"summary": "Cisco Secure Email and Web Manager",
"url": "https://software.cisco.com/download/home/286283259/type/286283388/release/16.0.2?i=!pp"
},
{
"category": "external",
"summary": "Working with Reports.",
"url": "https://www.cisco.com/c/en/us/td/docs/security/security_management/sma/sma16-0/user_guide/b_sma_admin_guide_16_0/b_NGSMA_Admin_Guide_chapter_010.html"
},
{
"category": "external",
"summary": "Spam Quarantine.",
"url": "https://www.cisco.com/c/en/us/td/docs/security/security_management/sma/sma16-0/user_guide/b_sma_admin_guide_16_0/b_NGSMA_Admin_Guide_chapter_0101.html"
},
{
"category": "external",
"summary": "Centralizing Policy, Virus, and Outbreak Quarantines.",
"url": "https://www.cisco.com/c/en/us/td/docs/security/esa/esa16-0/user_guide/b_ESA_Admin_Guide_16-0/b_ESA_Admin_Guide_12_1_chapter_0101011.html#con_1158787"
},
{
"category": "external",
"summary": "Security Vulnerability Policy",
"url": "http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"
},
{
"category": "external",
"summary": "Cisco Technical Assistance Center (TAC)",
"url": "https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"
},
{
"category": "external",
"summary": "the advisories",
"url": "https://www.cisco.com/go/psirt"
}
],
"title": "Reports About Cyberattacks Against Cisco Secure Email Gateway And Cisco Secure Email and Web Manager",
"tracking": {
"current_release_date": "2026-01-15T16:01:43+00:00",
"generator": {
"date": "2026-01-15T16:01:59+00:00",
"engine": {
"name": "TVCE"
}
},
"id": "cisco-sa-sma-attack-N9bf4",
"initial_release_date": "2025-12-17T16:00:00+00:00",
"revision_history": [
{
"date": "2025-12-17T16:00:23+00:00",
"number": "1.0.0",
"summary": "Initial public release."
},
{
"date": "2026-01-15T16:01:43+00:00",
"number": "2.0.0",
"summary": "Aligned with Cisco Business Unit fixes for code releases. Added information about the vulnerability. Added CSCws52505. Updated affected products and added fixed releases."
}
],
"status": "final",
"version": "2.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_family",
"name": "Cisco Secure Email",
"product": {
"name": "Cisco Secure Email ",
"product_id": "CSAFPID-189790"
}
},
{
"category": "product_family",
"name": "Cisco Secure Email and Web Manager",
"product": {
"name": "Cisco Secure Email and Web Manager ",
"product_id": "CSAFPID-189791"
}
}
],
"category": "vendor",
"name": "Cisco"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-20393",
"ids": [
{
"system_name": "Cisco Bug ID",
"text": "CSCws36549"
},
{
"system_name": "Cisco Bug ID",
"text": "CSCws52505"
}
],
"notes": [
{
"category": "other",
"text": "Complete.",
"title": "Affected Product Comprehensiveness"
}
],
"product_status": {
"known_affected": [
"CSAFPID-189790",
"CSAFPID-189791"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Cisco has released software updates that address this vulnerability.",
"product_ids": [
"CSAFPID-189791",
"CSAFPID-189790"
],
"url": "https://software.cisco.com"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-189790",
"CSAFPID-189791"
]
}
],
"title": "Cisco Secure Email Gateway and Cisco Secure Email and Web Manager Remote Command Execution Vulnerability"
}
]
}