
Cisco Email Security appliances actively exploited

Take action: If you have Cisco Secure Email Gateway or Cisco Secure Email and Web Manager appliances, this is urgent: immediately check whether the Spam Quarantine feature is enabled and exposed on public-facing ports; if it is, disable it on all public ports. A patch has been available since the 15th of January, so update the systems immediately. If your appliance may have been compromised, contact Cisco support.


Learn More

Cisco is warning of an ongoing cyberattack campaign targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances through an unpatched zero-day vulnerability.

The flaw is tracked as CVE-2025-20393 (CVSS score 10.0). It is caused by improper input validation and allows attackers to execute arbitrary commands with root privileges on the operating system of affected appliances.

Cisco became aware of this new attack campaign on December 10, 2025, during the resolution of a Technical Assistance Center support case. The investigation revealed that the malicious activity dates back to at least late November 2025.

The vulnerability affects all releases of Cisco AsyncOS Software for both physical and virtual versions of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances, but only when the following condition is met:

  • the appliance is configured with the Spam Quarantine feature enabled, and that feature is exposed to and reachable from the internet.

The Spam Quarantine feature is not enabled by default, and Cisco's deployment guides do not require this port to be directly exposed to the internet.

Cisco states that devices that are part of Cisco Secure Email Cloud are not affected by this campaign, and the company is not aware of any exploitation activity against Cisco Secure Web appliances. Organizations can check whether the Spam Quarantine feature is enabled by connecting to the web management interface and navigating to the Network > IP Interfaces menu to see whether the Spam Quarantine checkbox is selected.

At the time of the original advisory, Cisco had not released a security patch. Organizations with appliances that have the web management interface or the Spam Quarantine port exposed to the internet should follow the process to restore systems to a secure configuration.

For customers who suspect their appliances may have been compromised, Cisco recommends opening a Technical Assistance Center case to verify the system's security status. In cases of confirmed compromise, rebuilding the appliance is currently the only viable option to eliminate the threat actor's persistence mechanism from the system.

Update: As of the 15th of January 2026, Cisco has released patches for this flaw. The first fixed releases are listed below.

Cisco Email Security Gateway

  Cisco AsyncOS Software Release    First Fixed Release
  14.2 and earlier                  15.0.5-016
  15.0                              15.0.5-016
  15.5                              15.5.4-012
  16.0                              16.0.4-016

Secure Email and Web Manager

  Cisco AsyncOS Software Release    First Fixed Release
  15.0 and earlier                  15.0.2-007
  15.5                              15.5.4-007
  16.0                              16.0.4-010

The software can be upgraded over the network by using the System Upgrade options in the web-based management interface of the appliance.

Cisco recommends upgrading the affected appliances to a fixed software release. If administrators need to confirm whether an appliance has been compromised, Cisco recommends contacting TAC.
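As an added example (not code from Cisco or from the original advisory), the following Python helper turns the two fix tables above into a fleet check: given a product and the installed AsyncOS release string, it reports which first fixed release applies and whether the installed build already meets it. It assumes AsyncOS release strings use the "major.minor.patch-build" form shown in the tables (e.g. 15.5.3-010); the inventory lines at the bottom are constructed sample data.

```python
import re

# First fixed releases for CVE-2025-20393, copied from the advisory's tables,
# keyed by release train ("major.minor").
FIXED_RELEASES = {
    "Secure Email Gateway": {
        "15.0": "15.0.5-016", "15.5": "15.5.4-012", "16.0": "16.0.4-016",
    },
    "Secure Email and Web Manager": {
        "15.0": "15.0.2-007", "15.5": "15.5.4-007", "16.0": "16.0.4-010",
    },
}
# Both tables fold everything older than the 15.0 train into the 15.0 row
# ("14.2 and earlier" / "15.0 and earlier"), so older trains map to 15.0.
OLDEST_LISTED_TRAIN = (15, 0)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(release):
    """Parse 'major.minor.patch-build' into a comparable tuple of ints.
    Assumption: AsyncOS release strings follow this form."""
    m = VERSION_RE.fullmatch(release.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS release string: {release!r}")
    return tuple(int(x) for x in m.groups())


def required_fix(product, installed):
    """Return the first fixed release that applies to the installed train."""
    major, minor, _patch, _build = parse_version(installed)
    table = FIXED_RELEASES[product]
    train = f"{major}.{minor}"
    if train in table:
        return table[train]
    if (major, minor) < OLDEST_LISTED_TRAIN:
        return table["15.0"]
    # Trains newer than those listed are not covered by the advisory tables.
    raise ValueError(f"no fix information for {product} train {train}")


def is_fixed(product, installed):
    """True if the installed build is at or above its first fixed release."""
    return parse_version(installed) >= parse_version(required_fix(product, installed))


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, product, installed release).
    inventory = [
        ("esa-1", "Secure Email Gateway", "15.5.3-010"),
        ("esa-2", "Secure Email Gateway", "16.0.4-016"),
        ("sma-1", "Secure Email and Web Manager", "14.2.0-100"),
    ]
    for host, product, rel in inventory:
        status = "fixed" if is_fixed(product, rel) else f"upgrade to {required_fix(product, rel)}"
        print(f"{host}: {product} {rel} -> {status}")
```

Appliances whose train is newer than those in the tables raise a ValueError rather than being reported as fixed, so they surface for manual review.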
