The most serious, rated “high severity,” are three denial-of-service (DoS) flaws in the AsyncOS software for the Cisco Email Security Appliance (ESA). The security holes, tracked as CVE-2016-6356, CVE-2016-1486 and CVE-2016-1481, allow a remote, unauthenticated attacker to cause a DoS condition on affected devices using specially crafted emails and malicious attachments.
CVE-2016-1481 and CVE-2016-6356 affect AsyncOS versions 8.0 and prior, 8.5, 9.0, 9.1, 9.5, 9.6, 9.7 and 10.0. Users have been advised to update their installations to versions 9.1.2-041, 9.7.2-065 or 10.0.0-203. The issue identified as CVE-2016-1486 impacts only versions 9.7 and 10.0.