Threat Level Description

IthacaLabs has maintained the Threat Level (High) adding a new observation:

An attack is highly likely. Addressing the broad nature of the threat in order to reach an acceptable risk level, requires additional and sustainable protective security measures combined with specific business and geographical vulnerabilities and judgments.

Description

We have observed a new critical zero-day vulnerability in Cisco’s AsyncOS software that is actively exploited in the wild.

The vulnerability allows remote, unauthenticated attackers to execute arbitrary commands and gain root-level access on affected appliances. The issue has been leveraged by an advanced persistent threat (APT) actor in targeted attacks against Cisco email security infrastructure.

The critical vulnerability, CVE-2025-20393, impacts Cisco AsyncOS software used in Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances. It enables unauthenticated attackers to execute arbitrary operating system commands with elevated privileges when the Spam Quarantine feature is enabled and exposed to the internet. Exploitation activity has been observed in ongoing attacks where threat actors establish persistence and maintain long-term access to compromised systems.

Our Advisory and Managed Services, including our Security Operations and Technology Resilience lines, can help safeguard your organization against such threats.

Through proactive monitoring, threat detection, and incident response, our services are designed to keep your systems secure, resilient, and prepared for evolving cyber risks. We advise all organizations to remain vigilant and regularly review their cybersecurity postures.

Affected Products:

• Cisco Secure Email Gateway appliances running AsyncOS with the Spam Quarantine feature enabled
• Cisco Secure Email and Web Manager appliances running AsyncOS with the Spam Quarantine feature enabled

Recommendation(s):

It is highly recommended to apply all security patches and updates provided by Cisco immediately once available to mitigate the risks posed by this vulnerability. Until a permanent fix is released, organizations should consider implementing the following mitigation measures:

• Disable or restrict external access to the Spam Quarantine feature where possible
• Ensure affected appliances are not directly exposed to the internet and are protected by network segmentation and firewall controls
• Review system configurations to confirm that only required services are enabled
• Monitor system, application, and network logs for unusual command execution or persistence mechanisms
• Conduct threat hunting activities to identify potential indicators of compromise

You should understand the importance of applying security updates with urgency, regardless of organizational size. Implementing an effective patch management strategy, enabling comprehensive event logging, and actively monitoring security events are critical to protecting business-critical assets.

A comprehensive risk management approach should include regular penetration testing, at least annually and after significant system changes, to ensure continued compliance with security best practices and industry regulations.

Threat Level Description:

Threat Level: High – An attack is highly likely. Addressing the broad nature of the threat in order to reach an acceptable risk level, requires additional and sustainable protective security measures combined with specific business and geographical vulnerabilities and judgments.

References:

• Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances
• CVE-2025-20393 Detail
• Known Exploited Vulnerabilities Catalog