How to Fix CVE-2025-20393: Cisco Secure Email Gateway Remote Code Execution
*By Sai Kiran Pandrala*
| Severity | CVSS 10.0 — Critical |
|---|---|
| Actively exploited? | Yes, listed in CISA KEV (added 2025-12-17) |
| Affected | Cisco Secure Email Gateway (AsyncOS) 14.0.0-698 and earlier; Cisco Secure Email and Web Manager 13.6.2-023 and earlier |
| Fixed in | See vendor advisory for the exact fixed build for your AsyncOS train |
| Type (CWE) | CWE-20: Improper Input Validation |
⚠️ Patch immediately. CISA added this to the Known Exploited Vulnerabilities catalog on December 17, 2025 with a federal remediation deadline of December 24, 2025. If you run these appliances on the public internet, treat this as active.
What is CVE-2025-20393?
The Spam Quarantine feature in Cisco AsyncOS doesn't properly validate HTTP requests coming into its management interface. An unauthenticated attacker who can reach the appliance over the network can send a specially crafted HTTP request and execute arbitrary code on the underlying operating system. No credentials, no user interaction, no foothold needed.
The vulnerability sits at the API layer, which is what makes the CVSS 10.0 rating fair. Network reach plus zero authentication plus code execution is the worst combination you can have on a security appliance.
Am I affected?
Two product families are in scope: Cisco Secure Email Gateway (formerly ESA) and Cisco Secure Email and Web Manager (formerly SMA). The version cutoffs from the vendor advisory:
- Secure Email Gateway running AsyncOS at or below 14.0.0-698
- Secure Email and Web Manager running AsyncOS at or below 13.6.2-023
Check your installed version from the appliance CLI:
version
If your build sits below the patched build listed in the Cisco advisory for your train, you are affected. The vulnerable API path is only reachable while the Spam Quarantine feature is enabled, but Cisco's guidance is to patch regardless of whether you have enabled it, because the API surface is built into the base image.
How to fix CVE-2025-20393
- Open the Cisco advisory at the URL in the references section below. Cisco publishes the exact fixed build per AsyncOS train, and that table is the source of truth.
- Identify your appliance's current AsyncOS train (e.g. 14.0, 14.2, 15.0) by running version in the CLI.
- Schedule a maintenance window. AsyncOS upgrades on Secure Email require an appliance reboot and several minutes of mail-flow interruption.
- Apply the upgrade through the appliance GUI: System Administration → System Upgrade → Available Upgrades. Pick the build flagged as the CVE-2025-20393 fix for your train.
- Reboot when the upgrade prompts you. Verify with version after the reboot.
- For HA pairs and clusters, upgrade the secondary first, fail over, then upgrade the primary. Confirm replication is healthy before the failover.
If you operate an Email and Web Manager that manages multiple gateways, upgrade the Manager itself to a build above 13.6.2-023 using the same upgrade path.
Upgrade the affected Cisco platform
The command sequence below is generic Cisco IOS/IOS-XE syntax (show version, copy tftp, boot system). It does not apply to AsyncOS, which has no configure terminal mode or flash: boot path; on Secure Email Gateway and Secure Email and Web Manager use the GUI path above (System Administration → System Upgrade) or the AsyncOS CLI upgrade command, and confirm the result with version. If you patch other Cisco platforms with the same workflow, the IOS-style sequence is:
! Verify the running release on the device
show version
show inventory
! Stage the patched image from the Cisco Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
copy tftp://<fileserver>/<patched-image>.bin flash:
! Set the boot image and reload in a maintenance window
configure terminal
boot system flash:<patched-image>.bin
end
write memory
reload
! After reload, confirm the new image is running
show version | include image
Verify the fix landed
# 1. Confirm the running version matches the fixed-in version from the advisory:
# https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
# On AsyncOS, run version from the appliance CLI; on other platforms use that platform's version probe.
# 2. Re-scan with your vulnerability scanner (Nessus, Qualys, Tenable, OpenVAS).
# The scanner should no longer flag CVE-2025-20393 on the patched target.
# 3. Check that the appliance came back cleanly: the GUI loads and mail flow has resumed.
# The log commands below only apply to Linux hosts you have shell access to; AsyncOS appliances do not expose a shell.
journalctl -u <service> --since "10 minutes ago"
dmesg --since "10 minutes ago"
If you can't patch immediately
Cisco has not published a workaround for this CVE. The vulnerable code path is in the base AsyncOS API, not a feature you can toggle off. Restrict management interface access to known administrative IPs at the network boundary (firewall ACLs or jump host only) as a partial mitigation. This reduces exposure but does not remediate the flaw if any reachable host is compromised.
How to verify the fix worked
After upgrade and reboot, confirm the running build:
version
The output should show an AsyncOS build at or above the fixed version listed in the Cisco advisory for your train. Cross-check by reviewing System Administration → Configuration File → System Configuration for the build identifier.
If you have a vulnerability scanner like Tenable, Qualys, or Rapid7, re-run its Cisco AsyncOS plugin against the appliance IP; the CVE-2025-20393 finding should clear.
Related fixes
Other vulnerabilities in the same area that are worth patching alongside this one:
- How to Fix CVE-2025-20265: CWE-74 in Cisco Firepower Management Center
- How to Fix CVE-2025-20354: Unrestricted Upload of File with Dangerous Type in Cisco Unified Contact Center Express
- How to Fix CVE-2025-20337: Cisco ISE API Remote Code Execution as Root
- How to Fix CVE-2025-20124: Insecure Deserialization in Cisco ISE Passive Identity Connector
- How to Fix CVE-2025-20281: Cisco ISE 3.3 Unauthenticated Code Injection
Frequently asked questions
Is CVE-2025-20393 being actively exploited?
Yes. CISA added it to the Known Exploited Vulnerabilities catalog on December 17, 2025, with a federal-agency deadline of one week (December 24, 2025); that compressed timeline is CISA's signal that active exploitation is happening in the wild.
Does turning off the Spam Quarantine feature mitigate this?
The vendor advisory does not list disabling Spam Quarantine as a mitigation. The vulnerable API endpoint is part of the base AsyncOS image. Patching is the only documented remediation.
Does the fix apply to cloud-hosted Cisco Secure Email?
Cisco-hosted email security services (Cisco Secure Email Cloud Gateway) are patched directly by Cisco. If you operate on-premises or self-managed virtual appliances, the patch is your responsibility.
References
- Official vendor advisory (Cisco PSIRT): https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20393
- CISA KEV catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
*This guide was assembled from the official Cisco advisory, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against Cisco's PSIRT advisory before applying changes in production.*