Cisco has released patches for a maximum-severity AsyncOS vulnerability (CVE-2025-20393) that was actively exploited by a China-linked APT group since November 2025. The flaw, carrying a CVSS score of 10.0, allowed remote code execution via improper input validation in Secure Email Gateway products.
The patch became available on January 15, 2026, following initial disclosure and mitigations in mid-December 2025.
Vulnerability Overview
CVE-2025-20393 affects Cisco Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) running vulnerable AsyncOS versions with Spam Quarantine enabled and exposed to the internet—a non-standard configuration. Attackers could achieve root command injection, leading to full system compromise. Exploitation was confirmed as early as December 10, 2025, by threat actors tracked as UAT-9686.
CISA added this to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to mitigate by early January 2026.
Patch Release Timeline
- November 2025: Exploitation begins in the wild.
- December 17, 2025: Cisco publishes advisory with workarounds; no patch yet.
- January 15, 2026: Patches released across AsyncOS versions.
Fixed Releases
| Product | Vulnerable Versions | First Fixed Releases | Advisory |
|---|---|---|---|
| Cisco Secure Email Gateway | 14.2 & earlier, 15.0, 15.5, 16.0 | 15.0.5-016 15.5.4-012 16.0.4-016 | Cisco Advisory |
| Secure Email & Web Manager | 15.0 & earlier, 15.5, 16.0 | 15.0.2-007 15.5.4-007 16.0.4-010 | Cisco Advisory |
Cloud-delivered products remain unaffected.
Recommendations
- Immediately upgrade to fixed releases via Cisco’s support portal.
- Review logs for IOCs outlined in the official advisory.
- Disable internet-facing Spam Quarantine if not required.
- Monitor CISA KEV for ongoing developments.
For full technical details, refer to Cisco’s security advisory and NVD entry.This patch closes a dangerous window—act swiftly to protect email gateways.
