CVE-2025-20393

Summary

A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to execute arbitrary system commands on an affected device with root privileges.

This vulnerability is due to insufficient validation of HTTP requests by the Spam Quarantine feature. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Secure Email14.0.0-698affected
CiscoCisco Secure Email13.5.1-277affected
CiscoCisco Secure Email13.0.0-392affected
CiscoCisco Secure Email14.2.0-620affected
CiscoCisco Secure Email13.0.5-007affected
CiscoCisco Secure Email13.5.4-038affected
CiscoCisco Secure Email14.2.1-020affected
CiscoCisco Secure Email14.3.0-032affected
CiscoCisco Secure Email15.0.0-104affected
CiscoCisco Secure Email15.0.1-030affected
CiscoCisco Secure Email15.5.0-048affected
CiscoCisco Secure Email15.5.1-055affected
CiscoCisco Secure Email15.5.2-018affected
CiscoCisco Secure Email16.0.0-050affected
CiscoCisco Secure Email15.0.3-002affected
CiscoCisco Secure Email16.0.0-054affected
CiscoCisco Secure Email15.5.3-022affected
CiscoCisco Secure Email16.0.1-017affected
CiscoCisco Secure Email and Web Manager13.6.2-023affected
CiscoCisco Secure Email and Web Manager13.6.2-078affected
CiscoCisco Secure Email and Web Manager13.0.0-249affected
CiscoCisco Secure Email and Web Manager13.0.0-277affected
CiscoCisco Secure Email and Web Manager13.8.1-052affected
CiscoCisco Secure Email and Web Manager13.8.1-068affected
CiscoCisco Secure Email and Web Manager13.8.1-074affected
CiscoCisco Secure Email and Web Manager14.0.0-404affected
CiscoCisco Secure Email and Web Manager12.8.1-002affected
CiscoCisco Secure Email and Web Manager14.1.0-227affected
CiscoCisco Secure Email and Web Manager13.6.1-201affected
CiscoCisco Secure Email and Web Manager14.2.0-203affected
CiscoCisco Secure Email and Web Manager14.2.0-212affected
CiscoCisco Secure Email and Web Manager12.8.1-021affected
CiscoCisco Secure Email and Web Manager13.8.1-108affected
CiscoCisco Secure Email and Web Manager14.2.0-224affected
CiscoCisco Secure Email and Web Manager14.3.0-120affected
CiscoCisco Secure Email and Web Manager15.0.0-334affected
CiscoCisco Secure Email and Web Manager15.5.1-024affected
CiscoCisco Secure Email and Web Manager15.5.1-029affected
CiscoCisco Secure Email and Web Manager15.5.2-005affected
CiscoCisco Secure Email and Web Manager16.0.0-195affected
CiscoCisco Secure Email and Web Manager15.5.3-017affected
CiscoCisco Secure Email and Web Manager16.0.1-010affected
CiscoCisco Secure Email and Web Manager15.0.1-035affected
CiscoCisco Secure Email and Web Manager16.0.2-088affected

Weaknesses

  • CWE-20: Improper Input Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: yes
    • Technical Impact: total

Additional References

References