CVE-2025-20393

EUVD-2025-203911

17.12.2025, 17:15

A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to execute arbitrary system commands on an affected device with root privileges.

This vulnerability is due to insufficient validation of HTTP requests by the Spam Quarantine feature. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with&nbsp;root privileges.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	10 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cisco	CNA	10 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 89%

Affected Products (NVD)

Vendor	Product	Version
cisco	asyncos	𝑥 < 15.0.5-016
cisco	asyncos	15.5 ≤ 𝑥 < 15.5.4-012
cisco	asyncos	16.0 ≤ 𝑥 < 16.0.4-016
cisco	asyncos	𝑥 < 15.0.2-007
cisco	asyncos	15.5 ≤ 𝑥 < 15.5.4-007
cisco	asyncos	16.0 ≤ 𝑥 < 16.0.4-010

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20393