Critical Vulnerability Enabling Root Access Takeover
CVSS 10.0, Immediate Response Required

Cisco has officially confirmed an active cyberattack campaign targeting its email security equipment. The campaign enables remote command execution with OS root privileges on devices that meet certain configuration conditions, a critical threat to corporate email security infrastructure.

Devices targeted: Cisco Secure Email Gateway and Cisco Secure Email and Web Manager running Cisco AsyncOS Software, where the spam quarantine feature is enabled and exposed directly to the internet.

The vulnerability: CVE-2025-20393 (CWE-20, input validation failure). CVSS 3.1 score: 10.0 (the maximum: remotely accessible over the network, no authentication or user interaction required, critical impact on confidentiality, integrity and availability).

Attack capability: threat actors executed arbitrary commands as root without authentication. Persistence mechanisms (backdoors) installed for long-term control were confirmed on some compromised devices.

Context: spam quarantine is not enabled by default, and Cisco's official deployment guide does not require direct internet exposure. Misconfiguration in some operational environments created the attack entry point.

Cisco's confirmation level: this is not a theoretical vulnerability. Compromises of actual customer environments are confirmed; Cisco PSIRT and Cisco Talos confirmed intrusion evidence and attack persistence mechanisms during customer technical support processes.

Immediate required actions: identify all Cisco Secure Email Gateway and Secure Email and Web Manager deployments; check whether spam quarantine is enabled and internet-exposed; apply available patches immediately or disable the feature pending patching; audit for indicators of compromise (unusual processes, unauthorized user accounts, unexpected network connections).

The broader lesson: "security infrastructure" that is itself compromised becomes the most dangerous attack vector. Security appliances require the same (or higher) patching rigor as the systems they protect.