Pickling the Mailbox: A Deep Dive into CVE-2025-20393
This write-up reverse engineers CVE-2025-20393 in Cisco Secure Email Gateway and Secure Email and Web Manager, showing how an unauthenticated attacker can reach remote code execution through the End User Quarantine service on port 83. The root cause is a single-byte length overflow in the EUQ RPC protocol: AsyncOS 15.5.3 uses Python 2.6, where struct.pack('>B', 256) silently truncates to 0x00 instead of raising an error, allowing crafted source or destination lengths to desynchronize message parsing. The malformed RPC message can then steer execution into unsafe Python pickle deserialization, turning the parser confusion into code execution with a single HTTP request. The analysis is valuable because Cisco’s advisory only cited improper input validation, while this post reconstructs the exact exploit chain, affected component (CommandMessage.py / EUQ RPC), and why the legacy Python runtime made the bug exploitable.
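To make the root cause concrete from the defender's side, here is an added example (not code from the post, nor Cisco's own CommandMessage.py) of a one-byte length-prefixed framing whose encoder refuses lengths above 255 instead of letting them wrap, paired with a strict decoder that rejects frames whose lengths do not line up. The `[src_len:1][src][dst_len:1][dst]` layout is constructed for illustration and is not the real EUQ wire format.

```python
import struct

MAX_U8 = 0xFF  # the largest value a one-byte ('>B') length field can carry


def pack_u8_len(n):
    """Pack a one-byte length field, refusing values that do not fit.
    Python 2.6 silently wrapped struct.pack('>B', 256) to b'\\x00'; an explicit
    range check gives the encoder the same guarantee on any interpreter version.
    """
    if not 0 <= n <= MAX_U8:
        raise ValueError("length %d does not fit in a one-byte field" % n)
    return struct.pack('>B', n)


def encode_message(source, destination):
    """Encode [src_len:1][src][dst_len:1][dst] (constructed layout, not the real EUQ format)."""
    src = source.encode('utf-8')
    dst = destination.encode('utf-8')
    return pack_u8_len(len(src)) + src + pack_u8_len(len(dst)) + dst


def can_encode(source, destination):
    """True if both fields fit their one-byte length prefixes."""
    try:
        encode_message(source, destination)
        return True
    except ValueError:
        return False


def decode_message(data):
    """Parse the constructed layout strictly: every length must line up exactly."""
    pos, fields = 0, []
    for _ in range(2):
        if pos >= len(data):
            raise ValueError("truncated: missing length byte at offset %d" % pos)
        n = data[pos]  # one-byte length prefix
        pos += 1
        if pos + n > len(data):
            raise ValueError("truncated: field claims %d bytes, %d remain" % (n, len(data) - pos))
        fields.append(data[pos:pos + n].decode('utf-8'))
        pos += n
    if pos != len(data):
        raise ValueError("desynchronized: %d trailing bytes after last field" % (len(data) - pos))
    return fields[0], fields[1]


def frame_is_consistent(data):
    """True only if the frame parses with no truncation and no trailing bytes."""
    try:
        decode_message(data)
        return True
    except (ValueError, UnicodeDecodeError):
        return False
```

A frame whose source length byte wrapped to 0x00 makes the decoder read the first source byte as the destination length, which the trailing-bytes check exposes.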