CVE-2025-20393

CRITICAL KEV

Cisco AsyncOS < 15.0.5-016 - Unauthenticated Remote Code Execution via Spam Quarantine HTTP Request

Title source: llm

Exploitation Summary

CVE-2025-20393 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 17, 2025. EIP tracks 5 public exploits from researchers including StasonJatham, cyberleelawat, cyberdudebivash.


Description

A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to execute arbitrary system commands on an affected device with root privileges. This vulnerability is due to insufficient validation of HTTP requests by the Spam Quarantine feature. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.

Exploits (5)

nomisec SCANNER 22 stars
by StasonJatham · poc
https://github.com/StasonJatham/cisco-sa-sma-attack-N9bf4

This repository contains a Python-based scanner for detecting exposure indicators of CVE-2025-20393 in Cisco Secure Email/Secure Malware Analytics systems. It checks for open management and quarantine ports, performs HTTP/S fingerprinting, and probes common spam quarantine paths.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Cisco Secure Email/Secure Malware Analytics
No auth needed
Prerequisites: Network access to the target system · Python 3 environment
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 2 stars
by cyberleelawat · poc
https://github.com/cyberleelawat/CVE-2025-20393

This repository contains a scanner for detecting exposure of Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager (SEWM) appliances affected by CVE-2025-20393. The scanner checks for the presence of the Spam Quarantine feature and confirms exposure by analyzing HTTP responses.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Cisco Secure Email Gateway (SEG), Cisco Secure Email and Web Manager (SEWM) with Spam Quarantine feature enabled
No auth needed
Prerequisites: Network access to the target appliance · Spam Quarantine feature enabled and exposed
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER
by cyberdudebivash · poc
https://github.com/cyberdudebivash/CYBERDUDEBIVASH-Cisco-AsyncOS-CVE-2025-20393-Scanner

This repository contains a Python-based scanner for detecting indicators of CVE-2025-20393, an unauthenticated RCE vulnerability in Cisco Secure Email Gateway / SMA. It checks for open TCP/6025 ports, responsive Spam Quarantine interfaces, and local IOCs without performing exploitation.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Cisco AsyncOS (Secure Email Gateway / SMA)
No auth needed
Prerequisites: Network access to the target system · Python 3.x with requests library
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER
by redpack-kr · poc
https://github.com/redpack-kr/Blackash-CVE-2025-20393

This repository contains a Python-based scanner to detect potential exposure to CVE-2025-20393, a critical RCE vulnerability in Cisco AsyncOS. It checks for indicators of vulnerable Cisco Secure Email Gateway or Secure Email and Web Manager appliances by probing common paths and analyzing response content.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Cisco AsyncOS (Secure Email Gateway, Secure Email and Web Manager)
No auth needed
Prerequisites: Network access to target systems · Spam Quarantine interface exposed externally
devstral-2 · analyzed Feb 16, 2026

nomisec SUSPICIOUS
by KingHacker353 · poc
https://github.com/KingHacker353/CVE-2025-20393

The repository lacks actual exploit code and instead provides generic detection methods (e.g., Nuclei scanner commands) and search dorks. The README is marketing-heavy with no technical details about the vulnerability's root cause or exploitation mechanics.

Classification: Suspicious 90%
Attack Type: RCE
Complexity: Theoretical
Reliability: Theoretical
Target: Cisco Secure Email Gateway (SEG), Cisco Secure Email and Web Manager (SEWM) with Spam Quarantine enabled
No auth needed
Prerequisites: Spam Quarantine feature enabled and exposed
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 10.0
EPSS 0.0648
EPSS Percentile 91.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2025-12-17
VulnCheck KEV 2025-12-17
ENISA EUVD EUVD-2025-203911
CWE CWE-20
Status published
Products (1)
cisco/asyncos < 15.0.5-016
Published Dec 17, 2025
KEV Added Dec 17, 2025
Tracked Since Feb 18, 2026