Full Report
This is a threat to security - and to the weekend for some unlucky netadmins Cisco finally delivered a fix for a maximum-severity bug in AsyncOS that has been under attack for at least a month.…
Analysis Summary
# Vulnerability: Maximum-Severity Bug in Cisco AsyncOS Allowing Root Execution
## CVE Details
- CVE ID: CVE-2025-20393
- CVSS Score: Maximum Severity (Score not explicitly provided, but described as "maximum-severity")
- CWE: Not specified in the provided text.
## Affected Systems
- Products: Cisco Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances running AsyncOS.
- Versions: Specific vulnerable versions were not detailed in the summary, but all versions prior to the patched release are implied.
- Configurations: Any affected SEG or SEWM appliance.
## Vulnerability Description
This vulnerability allows threat actors to execute arbitrary commands with **root privileges** on the underlying operating system of the affected appliance. Evidence suggests successful exploitation included the implantation of a **persistence mechanism** by threat actors to maintain access.
## Exploitation
- Status: **Exploited in the wild** (Under active attack since at least late November 2025).
- Complexity: Implied to be non-trivial but highly effective, leading to root execution.
- Attack Vector: Not explicitly stated, but likely network-based given the product type.
## Impact
- Confidentiality: High (Implied due to root access)
- Integrity: High (Implied due to root access and implanting persistence mechanisms)
- Availability: High (Implied due to the ability to execute arbitrary commands)
## Remediation
### Patches
- Cisco has released **software updates** addressing the security issue. Customers are strongly recommended to upgrade to an appropriate fixed software release as outlined in the vendor's advisory. These updates also include routines to **remove previously installed persistence mechanisms**.
### Workarounds
- Customers needing support or assistance should contact the **Cisco Technical Assistance Center (TAC)**. No specific temporary network-level mitigations were listed in the source text beyond applying the patch.
## Detection
- Detection methods should focus on identifying signs of unauthorized command execution or unexpected files/processes indicative of a persistence mechanism on the appliance, especially for devices potentially compromised prior to patching (since late November 2025).
## References
- Vendor Advisory: hXXps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
- Analysis/Attribution: hXXps://blog.talosintelligence.com/uat-9686/
- Support Contact: hXXps://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html