CVE-2025-20393: A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an…

critical10CVSS 3.1

AVNACLPRNUINSCCHIHAH

KEV

CISA Known Exploited Vulnerabilitydue 2025-12-24

A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to execute arbitrary system commands on an affected device with root privileges. This vulnerability is due to insufficient validation of HTTP requests by the Spam Quarantine feature. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.

Affected

51 ranges· showing 25

Vendor	Product	Version range	Fixed in
cisco	asyncos	< 15.0.5-016	15.0.5-016
cisco	asyncos	< 15.0.2-007	15.0.2-007
cisco	asyncos	>= 15.5 < 15.5.4-012	15.5.4-012
cisco	asyncos	>= 15.5 < 15.5.4-007	15.5.4-007
cisco	asyncos	>= 16.0 < 16.0.4-016	16.0.4-016
cisco	asyncos	>= 16.0 < 16.0.4-010	16.0.4-010
cisco	cisco_secure_email	—	—
cisco	cisco_secure_email	—	—
cisco	cisco_secure_email	—	—
cisco	cisco_secure_email	—	—
cisco	cisco_secure_email	—	—
cisco	cisco_secure_email	—	—
cisco	cisco_secure_email	—	—
cisco	cisco_secure_email	—	—
cisco	cisco_secure_email	—	—
cisco	cisco_secure_email	—	—
cisco	cisco_secure_email	—	—
cisco	cisco_secure_email	—	—
cisco	cisco_secure_email	—	—
cisco	cisco_secure_email	—	—
cisco	cisco_secure_email	—	—
cisco	cisco_secure_email	—	—
cisco	cisco_secure_email	—	—
cisco	cisco_secure_email	—	—
cisco	cisco_secure_email_and_web_manager	—	—

CVSS provenance

nvdv3.110.0CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

vulncheck10.0CRITICAL

cisa10.0CRITICAL