{"id":6593,"date":"2026-01-16T18:53:48","date_gmt":"2026-01-16T18:53:48","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6593"},"modified":"2026-01-16T18:53:48","modified_gmt":"2026-01-16T18:53:48","slug":"cisco-finally-patches-seven-week-old-zero-day-flaw-in-secure-email-gateway-products","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6593","title":{"rendered":"Cisco finally patches seven-week-old zero-day flaw in Secure Email Gateway products"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Better late than never. Cisco this week patched a \u2018critical\u2019 zero-day flaw in the company\u2019s email security and management gateways that has hung over customers\u2019 heads since December.<\/p>\n<p>Tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-20393\" target=\"_blank\" rel=\"noopener\">CVE-2025-20393<\/a>, the vulnerability affects Cisco\u2019s AsyncOS Software running on the physical or virtual Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) products.<\/p>\n<p>The issue is serious, allowing an attacker to take over an appliance with <em>root <\/em>privileges when the Spam Quarantine feature is turned on and exposed to the internet. That earned it a relatively rare CVSS maximum severity score of 10, a \u2018critical\u2019 rating.<\/p>\n<p>Cisco said <a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-sma-attack-N9bf4#details\" target=\"_blank\" rel=\"noopener\">in its advisory<\/a>: \u201cThis vulnerability is due to insufficient validation of HTTP requests by the Spam Quarantine feature. 
An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device.\u201d<\/p>\n<p>Unfortunately, the vulnerability, which Cisco said it learned of on December 10 while resolving a customer support case, was <a href=\"https:\/\/www.csoonline.com\/article\/4108496\/cisco-confirms-zero-day-exploitation-of-secure-email-products.html\" target=\"_blank\" rel=\"noopener\">already being exploited<\/a> in the wild. This prompted the company to issue an advisory \u2013 but no patch addressing the flaw \u2013 a week later, on December 17.<\/p>\n<p>According <a href=\"https:\/\/blog.talosintelligence.com\/uat-9686\/\" target=\"_blank\" rel=\"noopener\">to an analysis<\/a> by Cisco\u2019s Talos threat intelligence division, issued on the same day, exploits had been detected going back to \u201cat least\u201d late November, which meant the issue was already weeks old by the time customers heard about it, with no temporary workarounds possible.<\/p>\n<p>\u201cTalos assesses with moderate confidence that this activity is being conducted by a Chinese-nexus threat actor, which we track as UAT-9686. 
As part of this activity, UAT-9686 deploys a custom persistence mechanism we track as \u2018AquaShell\u2019 accompanied by additional tooling meant for reverse tunneling and purging logs,\u201d Cisco Talos said.<\/p>\n<p>This week, more than a month after the first public warning, and seven weeks after the first exploits were detected, Cisco issued an AsyncOS patch fixing the vulnerability.<\/p>\n<h2 class=\"wp-block-heading\">Does the delay matter?<\/h2>\n<p>The exploit only affects a subset of customers running a Secure Email Gateway or Secure Email and Web Manager with the Spam Quarantine service exposed on a public port.<\/p>\n<p>According to Cisco, this feature is not enabled by default, and, it said, \u201cdeployment guides for these products do not require this feature to be directly exposed to the internet.\u201d This makes it sound as if customers enabling the feature would be the exception.<\/p>\n<p>While that\u2019s probably true \u2014 exposing a service like this through a public port goes against best practice \u2014 one use case <a href=\"https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/security\/security_management\/sma\/sma15-0\/user_guide\/b_sma_admin_guide_15_0\/b_NGSMA_Admin_Guide_chapter_0101.html?bookSearch=true#con_1515653:~:text=Notifications-,Notifying,Procedure\" target=\"_blank\" rel=\"noopener\">referenced in Cisco\u2019s User Guide<\/a> would be to allow remote users to check quarantined spam for themselves. The number of organizations using these products that have enabled it for this reason is, of course, impossible to say.<\/p>\n<p>To reprise, Cisco said that vulnerable customers are those running Cisco AsyncOS Software with both Spam Quarantine turned on <em>and<\/em> exposed to and reachable from the internet. 
Given that no workarounds are possible, this implies that simply turning off access through a public interface (by default, port 6025, or 82\/83 for the web portal) isn\u2019t sufficient on its own.<\/p>\n<p>However, even if it were, this ignores the possibility that attackers might have already exploited the vulnerability and gained persistence in recent weeks, <em>before<\/em> the port was closed. The best option is always to patch to remove all risk.<\/p>\n<h2 class=\"wp-block-heading\">Patch advice<\/h2>\n<p><strong>Cisco Secure Email Gateway (ESG)<\/strong> customers on v14.2 or earlier should upgrade to v15.0.5-016; v15.0 should upgrade to v15.0.5-016; v15.5 should upgrade to v15.5.4-012; and v16.0 should upgrade to v16.0.4-016.<\/p>\n<p><strong>Secure Email and Web Manager (SEWM)<\/strong> customers on v15.0 or earlier should upgrade to v15.0.2-007; customers on v15.5 should upgrade to v5.5.4-007; customers on v16.0 should upgrade to v16.0.4-010.<\/p>\n<p>Cisco said that the patch also clears any persistence mechanisms from an attack, but, it said, \u201cCustomers who wish to explicitly verify whether an appliance has been compromised can open a <a href=\"https:\/\/www.cisco.com\/c\/en\/us\/support\/index.html\" target=\"_blank\" rel=\"noopener\">Cisco Technical Assistance Center (TAC)<\/a> case.\u201d<\/p>\n<p><em>This article originally appeared on <a href=\"https:\/\/www.networkworld.com\/article\/4118154\/cisco-finally-patches-seven-week-old-zero-day-flaw-in-secure-email-gateway-products.html\" target=\"_blank\" rel=\"noopener\">NetworkWorld<\/a>.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Better late than never. Cisco this week patched a \u2018critical\u2019 zero-day flaw in the company\u2019s email security and management gateways that has hung over customers\u2019 heads since December. 
Tracked as CVE-2025-20393, the vulnerability affects Cisco\u2019s AsyncOS Software running on the physical or virtual Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) products. [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6594,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6593","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6593"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6593"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6593\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6594"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6593"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6593"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6593"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}