After a serious bug in AsyncOS has been exploited for weeks, Cisco is releasing an update.
After weeks of active exploitation, Cisco has finally released a patch for a highly critical vulnerability in AsyncOS. The bug, CVE-2025-20393, was first disclosed on December 17, 2025 and has a CVSS score of 10.0. This means it poses an extremely critical risk.
What was the vulnerability?
The vulnerability affected Cisco’s Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) devices running on AsyncOS. In a security advisory, Cisco shares that malicious actors can execute system commands on the affected device due to a flaw in the processing of HTTP requests in the Spam Quarantine function.
Patch and recommendations
Cisco has now released software updates that fix the vulnerability and remove any files installed during the attacks. The company urges customers to install these updates as soon as possible according to the shared guidelines.
There are no general solutions. The only effective measure is to apply the patched AsyncOS versions. If a device has already been compromised, it may be a good idea to completely restore the system with Cisco support to safely remove backdoors.