Published on January 16, 2026

Cisco Releases Patch for Zero-Day Remote Code Execution in Secure Email Gateways Exploited by China-Linked Group


Severity: Critical

Detail

Cisco released security updates Thursday to address a maximum-severity bug in AsyncOS Software for Secure Email Gateway and Secure Email and Web Manager, following last month’s disclosure that the flaw was abused as a zero-day by China-linked threat group UAT-9686.

CVE Number | Description | CVSS Score (Severity)
CVE-2025-20393 | A remote code execution issue stemming from improper HTTP request validation in the Spam Quarantine component may enable attackers to gain root-level access and execute arbitrary commands on impacted systems. | 10.0 (Critical)

For the exploit to succeed, three prerequisites must be in place:

  • The appliance is running a vulnerable version of Cisco AsyncOS Software
  • The Spam Quarantine feature is enabled
  • The Spam Quarantine feature is accessible from the internet

Affected Versions

Cisco has addressed the vulnerability in the releases listed below. The fixed releases also remove the persistence mechanisms that were identified in this attack campaign and installed on compromised appliances.

Cisco Secure Email Gateway

  • Cisco AsyncOS Software Release 14.2 and earlier (Fixed in 15.0.5-016)
  • Cisco AsyncOS Software Release 15.0 (Fixed in 15.0.5-016)
  • Cisco AsyncOS Software Release 15.5 (Fixed in 15.5.4-012)
  • Cisco AsyncOS Software Release 16.0 (Fixed in 16.0.4-016)

Secure Email and Web Manager

  • Cisco AsyncOS Software Release 15.0 and earlier (Fixed in 15.0.2-007)
  • Cisco AsyncOS Software Release 15.5 (Fixed in 15.5.4-007)
  • Cisco AsyncOS Software Release 16.0 (Fixed in 16.0.4-010)
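The three exploit prerequisites and the fixed-release table above combine into a simple fleet triage: an appliance is exposed only when it runs a build below the fixed release for its train and its Spam Quarantine is both enabled and reachable from the internet. The script below is an added example written for this page, not code from Cisco or from the advisory. It encodes the fixed releases exactly as listed above, folds "and earlier" trains into the oldest listed fix as the page does, and assumes the AsyncOS version string format `major.minor.patch-build`; the inventory records are constructed sample data, and the default End User Quarantine ports (82 for HTTP, 83 for HTTPS) used by the optional reachability probe are an assumption about default appliance configuration, not something the page states.

```python
"""Triage helper for CVE-2025-20393 exposure across a fleet of AsyncOS appliances.

Added example (not from the page or from Cisco). Fixed releases are copied from
the advisory summary; inventory data is constructed; the quarantine ports used by
the optional network probe are assumed defaults.
"""
import re
import socket
from dataclasses import dataclass

# Fixed release per product and release train, as listed in the page.
# "esa" = Secure Email Gateway, "sma" = Secure Email and Web Manager.
FIXED = {
    "esa": {"15.0": "15.0.5-016", "15.5": "15.5.4-012", "16.0": "16.0.4-016"},
    "sma": {"15.0": "15.0.2-007", "15.5": "15.5.4-007", "16.0": "16.0.4-010"},
}
# The page maps "14.2 and earlier" (ESA) and "15.0 and earlier" (SMA) to the
# 15.0 fix, so anything older than the 15.0 train is compared against it.
OLDEST_TRAIN = {"esa": "15.0", "sma": "15.0"}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(v: str) -> tuple:
    """Turn '15.0.5-016' into (15, 0, 5, 16) so tuples compare numerically."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(product: str, version: str) -> bool:
    """True when `version` is at or above the fixed release for its train."""
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    table = FIXED[product]
    if train in table:
        return parsed >= parse_version(table[train])
    oldest_fix = parse_version(table[OLDEST_TRAIN[product]])
    if parsed < oldest_fix:
        # Older than every listed train: the page folds these into the
        # oldest fix, and nothing below that build is patched.
        return False
    # A newer train the page does not list; refuse to guess.
    raise ValueError(f"release train {train} is not covered by the advisory table")


@dataclass
class Appliance:
    name: str
    product: str                     # "esa" or "sma"
    version: str
    spam_quarantine_enabled: bool
    quarantine_internet_reachable: bool


def assess(a: Appliance) -> str:
    """Apply the three prerequisites: vulnerable build AND feature on AND exposed."""
    if is_fixed(a.product, a.version):
        return "patched"
    if a.spam_quarantine_enabled and a.quarantine_internet_reachable:
        return "exposed"
    return "vulnerable-not-exposed"


def triage(inventory) -> dict:
    """Map appliance name to its exposure state."""
    return {a.name: assess(a) for a in inventory}


def quarantine_reachable(host: str, ports=(82, 83), timeout: float = 3.0) -> bool:
    """Optional live check from an external vantage point: does a TCP connect to
    the (assumed default) End User Quarantine ports succeed? Run this from
    outside the perimeter; it is not exercised by the offline sample below."""
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        except OSError:
            continue
    return False


# Constructed sample inventory; the states are what `triage` should report.
SAMPLE_INVENTORY = [
    Appliance("esa-dmz-1", "esa", "15.0.3-010", True, True),     # exposed
    Appliance("esa-core-2", "esa", "15.5.4-012", True, True),    # patched
    Appliance("sma-1", "sma", "14.3.0-120", False, False),       # vulnerable-not-exposed
    Appliance("esa-lab", "esa", "16.0.4-016", True, False),      # patched
]

if __name__ == "__main__":
    for name, state in triage(SAMPLE_INVENTORY).items():
        print(f"{name:12s} {state}")
```

Replace `SAMPLE_INVENTORY` with the output of your own asset inventory; the reachability flag should come from an external probe such as `quarantine_reachable`, not from the appliance's own view of its interfaces.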

Recommendation

Customers should upgrade to a fixed AsyncOS release listed above. In addition, Cisco recommends the following security best practices:

  • Block access to the appliances from unsecured networks
  • Protect the appliances with a firewall
  • Review web log traffic for anomalies
  • Disable HTTP on the primary admin interface
  • Shut down nonessential network services
  • Require robust authentication (e.g., SAML or LDAP)
  • Change the default admin password to a more secure one

Source

https://thehackernews.com/2026/01/cisco-patches-zero-day-rce-exploited-by.html

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4