Rob King, Director of Applied Research at runZero, addresses urgent questions about the active exploitation of a vulnerability in Cisco Secure Email Gateway (SEG) appliances. King has a background in security research and network traffic analysis, with experience building and operating on-premises security systems in complex environments.
He explains how to confirm compromise, assess the extent of exposure, and avoid response mistakes that increase downtime in complex environments.
As attackers target Cisco Secure Email Gateway and Secure Email and Web Manager, King outlines what leadership should be asking technical teams.
The appliances, which inspect inbound and outbound email for threats such as spam, malware and phishing, are now themselves the target of malicious attacks.
Because Cisco email security appliances operate from a trusted position inside enterprise networks, King says successful exploitation should be treated as full system compromise.
A compromised appliance may also carry persistence mechanisms that survive reboots or attempted cleanup.
Attackers can block email traffic passing through affected systems. The answers below outline how to monitor for and prevent further damage.
This interview explains how organizations should think, assume, and act when security infrastructure itself is compromised.
Vishwa: For large enterprises and government agencies, what is the fastest way to confirm whether any Cisco email security appliances are exposed?
Rob: Cisco Talos has confirmed that CVE-2025-20393 is being actively exploited and has published Indicators of Compromise for affected Secure Email Gateway systems. If these indicators of compromise are present on a Secure Email Gateway, it can be assumed that the device has been compromised.
Cisco’s advisory also indicates that if the Spam Quarantine feature is enabled and the Spam Quarantine feature or administrative web interface is exposed to the Internet, a system is vulnerable.
If a gateway is in this configuration, it should be assumed that it has likely been compromised, regardless of whether Indicators of Compromise are observed.
Vishwa: If a gateway is compromised, what level of system access should organizations realistically assume attackers have?
Rob: Cisco’s advisory recommends completely restoring or rebuilding compromised appliances, which implies that successful exploitation of these vulnerabilities gives attackers complete control over the affected system.
Vishwa: Can attackers manipulate or observe email traffic without triggering alerts?
Rob: A successful compromise of a Secure Email Gateway would allow an attacker to take complete control of the vulnerable system. Such control could allow an attacker to read, modify, or block the sending and receiving of any email transiting these systems.
Vishwa: What types of data could be exposed through a compromised email gateway?
Rob: Given that these systems are used in the sending and receiving of email, it can be assumed that any such compromise would allow an attacker to read, modify, or block the sending and receiving of email.
Additionally, as these systems generally sit on the edge between secure and insecure networks, compromising them could allow attackers an entrance point to secure internal networks from outside.
Vishwa: What signals should government and enterprise SOCs prioritize right now?
Rob: The primary signals SOCs should prioritize are the Indicators of Compromise published by Cisco, which confirm that exploitation has already occurred in the wild.
This includes specific malware hashes and attacker IP infrastructure. Any Secure Email Gateway showing these indicators should be treated as compromised.
Vishwa: How should organizations reintroduce rebuilt appliances without re-exposing themselves?
Rob: For devices that are known or suspected to have been compromised and are repaired and reintroduced, users should take care to avoid exposing any administrative interfaces, such as web administration interfaces or SSH, to the external world.
Vishwa: Could you outline response mistakes that tend to increase downtime in large, complex environments?
Rob: Attempting to remediate compromised Secure Email Gateways without fully restoring or rebuilding them risks leaving persistence mechanisms in place, which can prolong compromise and delay recovery.
Vishwa: What questions should leadership be asking technical teams right now?
Rob: Leadership should seek confirmation on whether Secure Email Gateway or Secure Email and Web Manager systems were configured with the Spam Quarantine feature exposed to the Internet, and whether any affected systems have been rebuilt following Cisco’s guidance.
Technical teams should check logs and potentially affected systems to see if any Indicators of Compromise are present.
Vishwa: What architectural changes should organizations consider after this event?
Rob: Any organization using these devices, even if they are not in a vulnerable configuration, should strongly consider adding additional safety mechanisms around them.
This includes increased monitoring of network traffic to and from these devices and strict network access controls to limit traffic to only approved kinds, which is generally considered a best practice.
Vishwa: Why are security appliances increasingly attractive targets for state-linked attackers?
Rob: This attack highlights the increasing trend of targeting edge security devices. Secure Email Gateways connect insecure external networks and secure internal environments. This positioning makes them especially sensitive components within enterprise architecture, making them prime targets.
A successful compromise can provide attackers with access to internal networks and a vantage point to intercept a large amount of network communication from an implicitly trusted location. We have seen a significant rise in attacks over the past few years on firewalls, VPN concentrators, and email gateways for these reasons.