A lightweight Python script has been released to help organizations quickly identify systems vulnerable to CVE-2025-20393. This critical zero-day vulnerability affects Cisco Secure Email Gateway and Secure Malware Analytics, which is also known as Cisco Secure Email and Web Manager. The flaw is particularly dangerous because it allows unauthenticated remote attackers to execute arbitrary code by targeting exposed management and quarantine interfaces.
The tool, named Cisco SMA Exposure Check, was developed by GitHub user StasonJatham and focuses on identifying specific indicators of compromise tied to recent attacks. According to official advisories, attackers have been weaponizing a variety of ports to gain administrative access or reach quarantine endpoints. These include TCP ports 82, 83, 443, 8080, 8443, and 9443, as well as specialized quarantine services often found on port 6025.
To provide a comprehensive assessment, the script performs detailed HTTP and HTTPS fingerprinting on these ports. It analyzes server headers, status codes, redirects, and authentication realms while searching for Cisco-specific keywords and version patterns. The tool also checks common URL paths that are frequently targeted during exploitation, such as /quarantine, /spamquarantine, /sma-login, and /login, to see if they are accessible to the public internet.
Beyond simple port scanning, the utility captures raw socket banners and searches for signs of active post-compromise activity. It specifically flags strings associated with known malicious tools like AquaShell, AquaTunnel, Chisel, and AquaPurge. These markers are hallmarks of the unauthorized toolsets observed in the wild following the initial exploitation of Cisco devices, signaling to administrators that a breach may have already occurred.
The script is designed for rapid deployment and ease of use, requiring only the Python 3 standard library with no external dependencies. It can be executed against direct IP addresses or domain names, offering a verbose mode for detailed results and adjustable timeout settings for custom network environments. This allows security teams to scan their infrastructure in seconds to determine if their Cisco appliances are currently at risk or showing signs of tampering.
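The fingerprint-and-marker logic described above, reduced to the classification step, as an added example that is not the Cisco SMA Exposure Check code itself: it takes already-captured observations (port, banner or HTTP response head, and which of the listed paths answered) and ranks them by exposure and compromise indicators. The port list, path list and tool-name markers come from the article; the "ironport" and "asyncos" keywords are assumed Cisco fingerprint strings, and the sample observations are constructed.

```python
from dataclasses import dataclass, field

# Ports named in the advisory summary: management UI and quarantine service.
MGMT_PORTS = {82, 83, 443, 8080, 8443, 9443}
QUARANTINE_PORTS = {6025}
SENSITIVE_PATHS = ("/quarantine", "/spamquarantine", "/sma-login", "/login")
# Assumed vendor keywords for fingerprinting (article names none explicitly).
CISCO_MARKERS = ("cisco", "ironport", "asyncos")
# Post-compromise tool names the article says the tool flags.
COMPROMISE_MARKERS = ("aquashell", "aquatunnel", "chisel", "aquapurge")


@dataclass
class Observation:
    port: int
    banner: str                       # raw socket banner or HTTP response head
    reachable_paths: tuple = field(default_factory=tuple)


@dataclass
class Finding:
    port: int
    severity: str                     # "critical" | "high" | "medium"
    reason: str


def classify(obs: Observation) -> list:
    """Turn one observed listener into zero or more findings."""
    text = obs.banner.lower()
    role = "management" if obs.port in MGMT_PORTS else (
        "quarantine" if obs.port in QUARANTINE_PORTS else None)
    findings = []
    hits = [m for m in COMPROMISE_MARKERS if m in text]
    if hits:   # tool-name marker in a banner suggests the box is already compromised
        findings.append(Finding(obs.port, "critical", "post-compromise marker(s): " + ", ".join(hits)))
    if role and any(m in text for m in CISCO_MARKERS):
        findings.append(Finding(obs.port, "high", f"Cisco {role} interface fingerprinted"))
    elif role:
        findings.append(Finding(obs.port, "medium", f"{role} port open, vendor not confirmed"))
    paths = [p for p in obs.reachable_paths if p in SENSITIVE_PATHS]
    if paths:
        findings.append(Finding(obs.port, "high", "sensitive path(s) reachable: " + ", ".join(paths)))
    return findings


def assess(observations) -> list:
    """Classify every observation and sort findings, most severe first (stable)."""
    rank = {"critical": 3, "high": 2, "medium": 1}
    return sorted((f for o in observations for f in classify(o)), key=lambda f: -rank[f.severity])


def top_severity(findings) -> str:
    return findings[0].severity if findings else "none"


# Constructed sample capture of a hypothetical appliance (not real data).
SAMPLE = [
    Observation(443, "HTTP/1.1 200 OK\r\nServer: Cisco IronPort\r\n", ("/sma-login", "/login")),
    Observation(6025, "220 quarantine service ready\r\n"),
    Observation(9443, "HTTP/1.1 302 Found\r\nX-Powered-By: AquaShell\r\n"),
]

if __name__ == "__main__":
    for f in assess(SAMPLE):
        print(f"{f.severity:8} port {f.port}: {f.reason}")
```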
Source: New Tool Released To Detect Cisco Secure Email Gateway ZeroDay Exploited In The Wild