CVE-2025-20393 · CRITICAL 10.0 · CISA KEV · EPSS p97.9%

CVE-2025-20393: Cisco Multiple Products Improper Input Validation Vulnerability

Cisco / Multiple Products

Description

Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contain an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.

Scoring

CVSS 3.1: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 29.06% probability of exploitation · percentile 97.9% · 2026-06-18T12:00:27Z
Published: 2025-12-17
Last modified: 2026-01-16

CISA KEV entry

Added to KEV: 2025-12-17

Underlying weaknesses · 1

CWE-20

References

  1. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
  2. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20393

1

Type | Target | Confidence | Tier
Weakness | Improper Input Validation (cwe-20) | 0% | live

(incoming) · 1

Type | Target | Confidence | Tier
KEVEntry | Cisco Multiple Products Improper Input Validation Vulnerability (kev-cve-2025-20393) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-20363
CVE: CVE-2025-20334
CVE: CVE-2026-20094
CVE: Cisco Identity Services Engine Injection Vulnerability
CVE: Cisco NX-OS Command Injection Vulnerability
CVE: Cisco Small Business Routers Improper Input Validation Vulnerability

Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.