CVE-2025-20393 — CRITICAL (10.0)

Q: How severe is CVE-2025-20393?

CVE-2025-20393 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2025-20393?

Check the references section above for vendor advisories and patch information. Affected products include: Cisco Asyncos, Cisco Secure Email Gateway Virtual Appliance C100V, Cisco Secure Email Gateway Virtual Appliance C300V, Cisco Secure Email Gateway Virtual Appliance C600V, Cisco Secure Email Gateway C195.

Vulnerability Description

A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to execute arbitrary system commands on an affected device with root privileges. This vulnerability is due to insufficient validation of HTTP requests by the Spam Quarantine feature. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.

CVSS Score

10.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Cisco	Asyncos	< 15.0.5-016
Cisco	Secure Email Gateway Virtual Appliance C100V	-
Cisco	Secure Email Gateway Virtual Appliance C300V	-
Cisco	Secure Email Gateway Virtual Appliance C600V	-
Cisco	Secure Email Gateway C195	-
Cisco	Secure Email Gateway C395	-
Cisco	Secure Email Gateway C695	-
Cisco	Secure Email And Web Manager Virtual Appliance M100V	-
Cisco	Secure Email And Web Manager Virtual Appliance M300V	-
Cisco	Secure Email And Web Manager Virtual Appliance M600V	-
Cisco	Secure Email And Web Manager M170	-
Cisco	Secure Email And Web Manager M190	-
Cisco	Secure Email And Web Manager M195	-
Cisco	Secure Email And Web Manager M380	-
Cisco	Secure Email And Web Manager M390	-
Cisco	Secure Email And Web Manager M390X	-
Cisco	Secure Email And Web Manager M395	-
Cisco	Secure Email And Web Manager M680	-
Cisco	Secure Email And Web Manager M690	-
Cisco	Secure Email And Web Manager M690X	-

Related Weaknesses (CWE)

CWE-20

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/ciVendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-US Government Resource

FAQ

What is CVE-2025-20393?

CVE-2025-20393 is a vulnerability with a CVSS score of 10.0 (CRITICAL). A vulnerability in the Spam Quarantine feature of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to execut...

How severe is CVE-2025-20393?

CVE-2025-20393 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2025-20393?

Check the references section above for vendor advisories and patch information. Affected products include: Cisco Asyncos, Cisco Secure Email Gateway Virtual Appliance C100V, Cisco Secure Email Gateway Virtual Appliance C300V, Cisco Secure Email Gateway Virtual Appliance C600V, Cisco Secure Email Gateway C195.