CVE-2025-20393

Warnung

Medienbericht

EPSS 6.14%
Veröffentlicht 17.12.2025 16:47:13
Zuletzt bearbeitet 16.01.2026 14:00:12
Quelle psirt@cisco.com
CVE-Watchlists
Login
Unerledigt
Login

A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to execute arbitrary system commands on an affected device with root privileges.

This vulnerability is due to insufficient validation of HTTP requests by the Spam Quarantine feature. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.

Betroffene Produkte Warnungen 1 Metriken 2 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cisco ≫ Asyncos Version < 15.0.5-016

   Cisco ≫ Secure Email Gateway Virtual Appliance C100v Version-
   Cisco ≫ Secure Email Gateway Virtual Appliance C300v Version-
   Cisco ≫ Secure Email Gateway Virtual Appliance C600v Version-
   Cisco ≫ Secure Email Gateway C195 Version-
   Cisco ≫ Secure Email Gateway C395 Version-
   Cisco ≫ Secure Email Gateway C695 Version-

Cisco ≫ Asyncos Version >= 15.5 < 15.5.4-012

Cisco ≫ Asyncos Version >= 16.0 < 16.0.4-016

Cisco ≫ Asyncos Version < 15.0.2-007

Cisco ≫ Asyncos Version >= 15.5 < 15.5.4-007

Cisco ≫ Asyncos Version >= 16.0 < 16.0.4-010

17.12.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Cisco Multiple Products Improper Input Validation Vulnerability

Schwachstelle

Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contains an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	6.14%	0.906

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
psirt@cisco.com	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://www.heise.de/news/Jetzt-patchen-Kritische-Cisco-Luecke-seit-Dezember-2025-ausgenutzt-11143359.html

Medienbericht

heise Security

16.01.2026 09:10

https://www.heise.de/news/Angriffe-auf-Zero-Day-Luecken-Cisco-Sonicwall-und-Asus-Live-Update-11119069.html

Medienbericht

heise Security

18.12.2025 08:02

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20393

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2025-20393

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-20393

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-20393

EUVD