Better late than never. Cisco this week patched a ‘critical’ zero-day flaw in the company’s email security and management gateways that has hung over customers’ heads since December.
Tracked as CVE-2025-20393, the vulnerability affects Cisco’s AsyncOS Software running on the physical or virtual Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) products.
The issue is serious: it allows an unauthenticated attacker to take over an appliance with root privileges when the Spam Quarantine feature is turned on and exposed to the internet. That earned it a CVSS score of 10.0, the maximum and a relatively rare ‘critical’ rating.
Cisco said in its advisory: “This vulnerability is due to insufficient validation of HTTP requests by the Spam Quarantine feature. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device.”
Unfortunately, the vulnerability, which Cisco said it learned of on December 10 while resolving a customer support case, was already being exploited in the wild. This prompted the company to issue an advisory – but no patch addressing the flaw – a week later, on December 17.
According to an analysis by Cisco’s Talos threat intelligence division, issued on the same day, exploits had been detected going back to “at least” late November, which meant the issue was already weeks old by the time customers heard about it, with no temporary workarounds possible.
“Talos assesses with moderate confidence that this activity is being conducted by a Chinese-nexus threat actor, which we track as UAT-9686. As part of this activity, UAT-9686 deploys a custom persistence mechanism we track as ‘AquaShell’ accompanied by additional tooling meant for reverse tunneling and purging logs,” Cisco Talos said.
This week, more than a month after the first public warning, and seven weeks after the first exploits were detected, Cisco issued an AsyncOS patch fixing the vulnerability.
Does the delay matter?
The vulnerability only affects the subset of customers running a Secure Email Gateway or Secure Email and Web Manager with the Spam Quarantine service exposed on a public port.
According to Cisco, this feature is not enabled by default, and, it said, “deployment guides for these products do not require this feature to be directly exposed to the internet.” This makes it sound as if customers enabling the feature would be the exception.
While that’s probably true, since exposing a service like this through a public port goes against best practice, one use case referenced in Cisco’s User Guide would be to allow remote users to check quarantined spam for themselves. The number of organizations using these products that have enabled it for this reason is, of course, impossible to say.
To reprise, Cisco said that vulnerable customers are those running Cisco AsyncOS Software with Spam Quarantine both turned on and reachable from the internet. Cisco also said that no workarounds are possible, so simply removing access through a public interface (by default, port 6025, or 82/83 for the web portal) reduces exposure but should not be treated as a fix on its own.
Even if it were, closing the port now ignores the possibility that attackers already exploited the vulnerability and established persistence in the weeks before it was closed. Patching is the only reliable option, and it should be paired with a check for earlier compromise.
Patch advice
Cisco Secure Email Gateway (SEG) customers on v14.2 or earlier should upgrade to v15.0.5-016; v15.0 should upgrade to v15.0.5-016; v15.5 should upgrade to v15.5.4-012; and v16.0 should upgrade to v16.0.4-016.
Secure Email and Web Manager (SEWM) customers on v15.0 or earlier should upgrade to v15.0.2-007; customers on v15.5 should upgrade to v15.5.4-007; and customers on v16.0 should upgrade to v16.0.4-010.
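Checking a fleet of appliances against the table above by eye is error-prone, because the fixed build differs per product and per release train (a SEG on 15.5.4-007 is still vulnerable even though that build is fixed on a SEWM), and builds on trains older than 15.0 must migrate to the 15.0 fix. The following script, an added example and not Cisco's own code, parses the AsyncOS build number reported by the appliance's `version` command (major.minor.patch-build, e.g. 15.5.3-012), works out which fixed release applies, and classifies the build. The fixed-release table is transcribed from the article; the product keys "SEG" and "SEWM" are labels chosen here, and the sample version lines at the bottom are constructed for illustration. Treat Cisco's advisory as authoritative and update the table from it.

```python
"""Check AsyncOS builds against the fixed releases for CVE-2025-20393.

Added example, not Cisco's code. FIXED_RELEASES is transcribed from the
article's patch advice; verify it against Cisco's advisory before relying on it.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, build)

# Per-product fixed builds, keyed by release train ("major.minor").
# Product labels are our own: SEG = Secure Email Gateway, SEWM = Secure Email and Web Manager.
FIXED_RELEASES: Dict[str, Dict[str, str]] = {
    "SEG":  {"15.0": "15.0.5-016", "15.5": "15.5.4-012", "16.0": "16.0.4-016"},
    "SEWM": {"15.0": "15.0.2-007", "15.5": "15.5.4-007", "16.0": "16.0.4-010"},
}

# AsyncOS reports builds as major.minor.patch-build, e.g. "15.5.3-012".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(text: str) -> Version:
    """Extract a build number from a bare version string or a line of `version` output."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no AsyncOS build number found in {text!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch, build)


def _train_key(train: str) -> Tuple[int, int]:
    major, minor = train.split(".")
    return (int(major), int(minor))


def required_fix(product: str, running: Version) -> Optional[Version]:
    """Return the fixed build the running train must reach, or None if the train is not covered.

    Trains older than the oldest listed train (e.g. SEG 14.2) must migrate to that
    train's fixed build, as the advice above says.
    """
    table = FIXED_RELEASES[product]
    train = f"{running[0]}.{running[1]}"
    if train in table:
        return parse_version(table[train])
    oldest = min(table, key=_train_key)
    if running[:2] < _train_key(oldest):
        return parse_version(table[oldest])
    return None  # newer train than the table knows about: consult the advisory


def assess(product: str, version_text: str) -> str:
    """Classify a build as 'fixed', 'vulnerable', or 'unknown' (train not in the table)."""
    running = parse_version(version_text)
    fix = required_fix(product, running)
    if fix is None:
        return "unknown"
    # Tuple comparison orders by major, then minor, then patch, then build.
    return "fixed" if running >= fix else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, product, line from `version` output).
    inventory = [
        ("seg-edge-1", "SEG", "Version: 15.5.3-012"),
        ("seg-edge-2", "SEG", "Version: 15.5.4-007"),   # fixed for SEWM, not for SEG
        ("sewm-mgr-1", "SEWM", "Version: 15.5.4-007"),
        ("seg-legacy", "SEG", "Version: 14.2.0-620"),   # must migrate to 15.0.5-016
    ]
    for host, product, line in inventory:
        running = parse_version(line)
        fix = required_fix(product, running)
        target = "n/a" if fix is None else "%d.%d.%d-%03d" % fix
        print(f"{host:12} {product:5} {line[9:]:12} {assess(product, line):10} target {target}")
```

Run it on the appliance's `version` output (or a saved inventory of it) rather than on version numbers typed from memory, and keep the product label correct: the same build string yields different answers for SEG and SEWM.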
Cisco said that the patch also clears any persistence mechanisms from an attack, but, it said, “Customers who wish to explicitly verify whether an appliance has been compromised can open a Cisco Technical Assistance Center (TAC) case.”
This article originally appeared on NetworkWorld.