Cisco Patches Critical AsyncOS Zero-Day Exploited Since November 2025

Source: BleepingComputer

Cisco releases urgent fix for CVE-2025-20419, a maximum-severity AsyncOS zero-day actively exploited in Secure Email Gateway attacks since November.

Cisco Addresses Actively Exploited AsyncOS Zero-Day in Secure Email Gateway

Cisco has released a critical security patch for CVE-2025-20419, a maximum-severity zero-day vulnerability in AsyncOS, the operating system powering its Secure Email Gateway (SEG) appliances. The flaw has been actively exploited in attacks since November 2025, according to Cisco’s security advisory.

Technical Details of CVE-2025-20419

The vulnerability, rated 10/10 on the CVSS scale, stems from improper input validation in the AsyncOS web interface. Attackers can exploit it by sending a crafted HTTP request to a vulnerable SEG appliance, potentially gaining unauthenticated remote code execution (RCE) with root privileges. No user interaction is required for successful exploitation.

Cisco has not disclosed specific details about the attack vectors or threat actors behind the exploitation, citing ongoing investigations. However, the company confirmed that multiple customers reported incidents involving unauthorized access to SEG appliances.

Impact and Affected Systems

The zero-day affects Cisco Secure Email Gateway appliances running the following AsyncOS versions:

  • 14.2 and earlier (all releases)
  • 15.0 (prior to 15.0.1-053)
  • 15.5 (prior to 15.5.1-022)

Organizations using these versions are at high risk of compromise, particularly if their SEG appliances are exposed to the internet. Cisco has observed attackers leveraging the flaw to deploy malware, exfiltrate sensitive data, and establish persistence within targeted networks.

Recommendations for Security Teams

Cisco urges administrators to immediately upgrade to the following patched AsyncOS versions:

  • 14.2.1-053 (or later)
  • 15.0.1-053 (or later)
  • 15.5.1-022 (or later)
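As an added example (not code from Cisco or BleepingComputer), a small Python check that compares an inventory of AsyncOS version strings against the fixed releases listed above, so a team can triage which appliances still need the upgrade; the "MAJOR.MINOR.PATCH-BUILD" version layout, the handling of trains the article does not name, and the sample hostnames are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases per train, taken from the article's patched-version list.
# The article's "14.2 and earlier (all releases)" wording is read as: every
# release before 14.2.1-053, including older trains, is affected.
FIXED_BY_TRAIN = {
    (14, 2): (14, 2, 1, 53),
    (15, 0): (15, 0, 1, 53),
    (15, 5): (15, 5, 1, 22),
}

# Assumed layout: MAJOR.MINOR[.PATCH][-BUILD], e.g. "15.0.1-053".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '15.0.1-053' into (15, 0, 1, 53); a missing patch or build counts as 0,
    so a bare '15.0' sorts before every numbered 15.0 release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch or 0), int(build or 0))


def assess(text: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for one version string."""
    v = parse_version(text)
    train = v[:2]
    if train in FIXED_BY_TRAIN:
        return "patched" if v >= FIXED_BY_TRAIN[train] else "vulnerable"
    if train < (14, 2):          # older than 14.2: affected in every release
        return "vulnerable"
    return "unknown"             # train not named in the article (e.g. 15.1)


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (hostname, version) pairs by assessment result."""
    out: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        out[assess(version)].append(host)
    return out


# Constructed sample inventory; hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = [
    ("seg-01", "14.2.0-620"),
    ("seg-02", "15.0.1-053"),
    ("seg-03", "15.5.1-021"),
    ("seg-04", "15.1.0-001"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Anything reported as "unknown" should be checked against the advisory itself rather than assumed safe.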

Additional mitigation steps include:

  • Restricting access to the SEG web interface via firewall rules or VPN-only access.
  • Monitoring network traffic for unusual HTTP requests targeting SEG appliances.
  • Reviewing logs for signs of unauthorized access or command execution.

Cisco has also released Snort rules (SIDs 300050-300053) to help detect exploitation attempts. Security teams are advised to integrate these rules into their intrusion detection/prevention systems (IDS/IPS).

For further details, refer to Cisco’s official security advisory.