CloudKey

Cisco ASA 9.13(1)7: known CVEs & fixed releases

15 CVEs affect this build · 3 in CISA KEV (actively exploited) · highest CVSS 8.6 · 6 builds behind the latest 9.13(1)21 · updated 2026-06-23

Patch path: upgrade to 9.13(1)21 to clear all three exploited issues below. 9.13(1)10 fixes CVE-2020-3452 and CVE-2020-3259 but not CVE-2020-3580, which in this train is fixed only from 9.13(1)21. Two caveats from the entries themselves: CVE-2020-27124 and CVE-2023-20081 carry no fixed release on this page, and every 2026 advisory lists fixed releases only in the 9.16 and later trains, so by those lists no 9.13 build addresses them; moving to a currently maintained train is the durable fix.
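As an added worked example (not part of this page and not a Cisco tool), the following Python parses ASA release strings of the form major.minor(maintenance)interim, locates the fixed release that belongs to the running train for each CVE, and reports what 9.13(1)7 still needs. The fixed-in lists are copied from the entries on this page; the function names and the status labels are our own. It generalises the patch-path check above to any running version and any set of CVEs.

```python
import re
from typing import Optional

# Cisco ASA release strings look like "9.13(1)21": major.minor(maintenance)interim.
# The interim number may be absent, as in "9.20(4)".
_VER_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d+)?$")


def parse_asa_version(s: str) -> tuple:
    """Turn '9.13(1)7' into the comparable tuple (9, 13, 1, 7)."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"not an ASA version string: {s!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def format_asa_version(v: tuple) -> str:
    return f"{v[0]}.{v[1]}({v[2]}){v[3]}"


def fixed_release_for_train(running: tuple, fixed_list) -> Optional[str]:
    """Fixed release in the running version's major.minor train, or None if
    the advisory publishes no fix for that train at all."""
    for f in fixed_list:
        if parse_asa_version(f)[:2] == running[:2]:
            return f
    return None


def is_fixed(running_str: str, fixed_list) -> Optional[bool]:
    """True/False if the train has a fix, None if the train is not in the list."""
    running = parse_asa_version(running_str)
    f = fixed_release_for_train(running, fixed_list)
    if f is None:
        return None
    return running >= parse_asa_version(f)


# Fixed-in lists copied from the advisory entries on this page.
FIXED = {
    "CVE-2020-3452": ["9.6(4)42", "9.8(4)20", "9.9(2)74", "9.10(1)42",
                      "9.12(3)12", "9.13(1)10", "9.14(1)10"],
    "CVE-2020-3580": ["9.8(4)34", "9.9(2)85", "9.12(4)13", "9.13(1)21",
                      "9.14(2)8", "9.15(1)15"],
    "CVE-2020-3259": ["9.8(4)20", "9.9(2)67", "9.10(1)40", "9.12(3)9",
                      "9.13(1)10"],
    "CVE-2026-20039": ["9.16(4)84", "9.18(4)57", "9.20(3)16", "9.22(2)4",
                       "9.23(1)3"],
}
KEV = {"CVE-2020-3452", "CVE-2020-3580", "CVE-2020-3259"}


def assess(running_str: str) -> dict:
    """Map each CVE to 'fixed', 'unfixed', or 'no-fix-in-train' for this build."""
    out = {}
    for cve, fixed_list in FIXED.items():
        r = is_fixed(running_str, fixed_list)
        out[cve] = "no-fix-in-train" if r is None else ("fixed" if r else "unfixed")
    return out


def minimum_clearing_release(running_str: str, cves) -> Optional[str]:
    """Lowest release in the running train that fixes every CVE in `cves`;
    None if any of them has no fix in that train (then you must change trains)."""
    running = parse_asa_version(running_str)
    candidates = []
    for cve in cves:
        f = fixed_release_for_train(running, FIXED[cve])
        if f is None:
            return None
        candidates.append(parse_asa_version(f))
    return format_asa_version(max(candidates))


if __name__ == "__main__":
    for build in ("9.13(1)7", "9.13(1)10", "9.13(1)21"):
        print(build, assess(build))
    print("clears KEV set:", minimum_clearing_release("9.13(1)7", KEV))
    print("clears KEV + 2026-20039:",
          minimum_clearing_release("9.13(1)7", KEV | {"CVE-2026-20039"}))
```

Comparison is done only inside a train because Cisco publishes one fixed interim per train; a higher train number says nothing about whether an older train's fix is present, which is exactly why `fixed_release_for_train` returns None rather than comparing across trains.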

  • KEV · exploited HIGH
    CVE-2020-3452

    Cisco ASA and FTD Read-Only Path Traversal Vulnerability

    Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an improper input validation vulnerability when HTTP requests process URLs. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.

    CVSS
    7.5
    EPSS
    100%
    KEV added
    2021-11-03
    Published
    2020-07-22
    Fixed in: 9.6(4)42, 9.8(4)20, 9.9(2)74, 9.10(1)42, 9.12(3)12, 9.13(1)10, 9.14(1)10
    References: NVD, Cisco, CISA, packetstormsecurity.com
  • KEV · exploited MEDIUM
    CVE-2020-3580

    Cisco ASA and FTD Cross-Site Scripting (XSS) Vulnerability

    Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an insufficient input validation vulnerability for user-supplied input by the web services interface. Successful exploitation could allow an attacker to perform cross-site scripting (XSS) in the context of the interface or access sensitive browser-based information.

    CVSS
    6.1
    EPSS
    85%
    KEV added
    2021-11-03
    Published
    2020-10-21
    Fixed in: 9.8(4)34, 9.9(2)85, 9.12(4)13, 9.13(1)21, 9.14(2)8, 9.15(1)15
    References: NVD, Cisco, CISA
  • KEV · exploited HIGH
    CVE-2020-3259

    Cisco ASA and FTD Information Disclosure Vulnerability

    Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability caused by a buffer tracking issue when the software parses invalid URLs requested from the web services interface. An attacker could retrieve memory contents from an affected device, which could lead to the disclosure of confidential information. This vulnerability affects only specific AnyConnect and WebVPN configurations.

    CVSS
    7.5
    EPSS
    72%
    KEV added
    2024-02-15
    Published
    2020-05-06
    Fixed in: 9.8(4)20, 9.9(2)67, 9.10(1)40, 9.12(3)9, 9.13(1)10
    References: NVD, Cisco, CISA
  • CVE-2020-27124

    A vulnerability in the SSL/TLS handler of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause the affected device to reload unexpectedly, leading to a denial of service (DoS) condition. The vulnerability is due to improper error handling on established SSL/TLS connections. An attacker could exploit this vulnerability by establishing an SSL/TLS connection with the affected device and then sending a malicious SSL/TLS message within that connection. A successful exploit could allow the attacker to cause the device to reload. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. No fixed release is listed for this CVE on this page.

    CVSS
    8.6
    EPSS
    1%
    Published
    2024-11-18
  • CVE-2023-20081

    A vulnerability in the IPv6 DHCP (DHCPv6) client module of Cisco Adaptive Security Appliance (ASA) Software, Cisco Firepower Threat Defense (FTD) Software, Cisco IOS Software, and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of DHCPv6 messages. An attacker could exploit this vulnerability by sending crafted DHCPv6 messages to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition. Note: To successfully exploit this vulnerability, the attacker would need to either control the DHCPv6 server or be in a man-in-the-middle position.

    CVSS
    5.9
    EPSS
    1%
    Published
    2023-03-23
  • CVE-2026-20039

    A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to ineffective memory management of the VPN web server. An attacker could exploit this vulnerability by sending a large number of crafted HTTP requests to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    0%
    Published
    2026-03-04
    Fixed in: 9.16(4)84, 9.18(4)57, 9.20(3)16, 9.22(2)4, 9.23(1)3
    References: NVD, Cisco
  • CVE-2026-20101

    A vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Secure FTD Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a DoS condition. This vulnerability is due to insufficient error checking when processing SAML messages. An attacker could exploit this vulnerability by sending crafted SAML messages to the SAML service. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    0%
    Published
    2026-03-04
    Fixed in: 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7
    References: NVD, Cisco
  • CVE-2026-20103

    A vulnerability in the Remote Access SSL VPN functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to exhaust device memory resulting in a denial of service (DoS) condition to new Remote Access SSL VPN connections. This does not affect the management interface, though it may become temporarily unresponsive. This vulnerability is due to trusting user input without validation. An attacker could exploit this vulnerability by sending crafted packets to the Remote Access SSL VPN server. A successful exploit could allow the attacker to cause the device web interface to stop responding, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    0%
    Published
    2026-03-04
    Fixed in: 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7
    References: NVD, Cisco
  • CVE-2026-20016

    A vulnerability in the Cisco FXOS Software CLI feature for Cisco Secure Firewall ASA Software and Secure FTD Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. To exploit this vulnerability, the attacker must have valid administrative credentials on an affected device. This vulnerability is due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by submitting crafted input for specific CLI commands. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges.

    CVSS
    6.7
    EPSS
    0%
    Published
    2026-03-04
    Fixed in: 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7
    References: NVD, Cisco
  • CVE-2026-20106

    A vulnerability in the Remote Access SSL VPN, HTTP management, and MUS functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to exhaust device memory, resulting in a denial of service (DoS) condition that requires a manual reboot. This vulnerability is due to trusting user input without validation. An attacker could exploit this vulnerability by sending crafted packets to the Remote Access SSL VPN server. A successful exploit could allow the attacker to cause the device to stop responding, resulting in a DoS condition.

    CVSS
    5.3
    EPSS
    0%
    Published
    2026-03-04
    Fixed in: 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7
    References: NVD, Cisco
  • CVE-2026-20105

    A vulnerability in the Remote Access SSL VPN functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker with a valid VPN connection to exhaust device memory, resulting in a denial of service (DoS) condition. This does not affect the management or MUS interfaces. This vulnerability is due to trusting user input without validation. An attacker could exploit this vulnerability by sending crafted packets to the Remote Access SSL VPN server. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

    CVSS
    7.7
    EPSS
    0%
    Published
    2026-03-04
    Fixed in: 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7
    References: NVD, Cisco
  • CVE-2026-20014

    A vulnerability in the IKEv2 feature of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an authenticated, remote attacker with valid VPN user credentials to cause a DoS condition on an affected device that may also impact the availability of services to devices elsewhere in the network. This vulnerability is due to the improper processing of IKEv2 packets. An attacker could exploit this vulnerability by sending crafted, authenticated IKEv2 packets to an affected device. A successful exploit could allow the attacker to exhaust memory, causing the device to reload.

    CVSS
    7.7
    EPSS
    0%
    Published
    2026-03-04
    Fixed in: 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)9, 9.23(1)13
    References: NVD, Cisco
  • CVE-2026-20069

    A vulnerability in the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct browser-based attacks against users of an affected device. This vulnerability is due to improper validation of HTTP requests. An attacker could exploit this vulnerability by persuading a user to visit a website that is designed to pass malicious HTTP requests to a device that is running Cisco Secure Firewall ASA Software or Cisco Secure FTD Software and has web services endpoints supporting VPN features enabled. A successful exploit could allow the attacker to reflect malicious input from the affected device to the browser that is in use and conduct browser-based attacks, including cross-site scripting (XSS) attacks. The attacker is not able to directly impact the affected device.

    CVSS
    4.3
    EPSS
    0%
    Published
    2026-03-04
    Fixed in: 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7
    References: NVD, Cisco
  • CVE-2026-20025

    A vulnerability in the OSPF protocol of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an authenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a DoS condition. To exploit this vulnerability, the attacker must have the OSPF secret key. This vulnerability is due to insufficient input validation when processing OSPF link-state update (LSU) packets. An attacker could exploit this vulnerability by sending crafted OSPF LSU packets. A successful exploit could allow the attacker to corrupt the heap, causing the device to reload, resulting in a DoS condition.

    CVSS
    6.8
    EPSS
    0%
    Published
    2026-03-04
    Fixed in: 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7
    References: NVD, Cisco
  • CVE-2026-20008

    A vulnerability in a small subset of CLI commands that are used on Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, local attacker to craft Lua code that could be used on the underlying operating system as root. This vulnerability exists because user-provided input is not properly sanitized. An attacker could exploit this vulnerability by crafting valid Lua code and submitting it as a malicious parameter for a CLI command. A successful exploit could allow the attacker to inject Lua code, which could lead to arbitrary code execution as the root user. To exploit this vulnerability, an attacker must have valid Administrator credentials.

    CVSS
    6.0
    EPSS
    0%
    Published
    2026-03-04
    Fixed in: 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7
    References: NVD, Cisco
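The KEV entry for CVE-2020-3452 above describes the exploit only as an HTTP request carrying directory traversal character sequences. As an added detection example (written here, not taken from this page or from Cisco), the Python below normalises request URIs so that plain, percent-encoded, double-encoded and backslash variants of `..` all collapse to the same form, flags traversal segments bounded by path or query delimiters, and runs over a handful of constructed access-log lines. The `key=value` log format with a quoted `uri` field is an assumption for the sample; the script does not reproduce the specific CVE-2020-3452 request, it catches the class of input the advisory describes, so it also fires on traversal attempts against any other web endpoint fed through it.

```python
import re
from urllib.parse import unquote

# A ".." segment bounded by path or query delimiters, matched after decoding.
# Bounding avoids false positives such as "report..2026.pdf" or "q=what...".
TRAVERSAL = re.compile(r"(?:^|[/?=&;])\.\.(?:[/?&#;]|$)")

# Assumed log layout for the constructed sample below: key=value pairs, quoted uri.
URI_FIELD = re.compile(r'\buri="([^"]*)"')


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so %2e%2e and %252e%252e both become
    '..', then fold backslashes into forward slashes."""
    cur = uri
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")


def has_traversal(uri: str) -> bool:
    """True if the decoded URI contains a delimiter-bounded '..' segment."""
    return TRAVERSAL.search(normalize_uri(uri)) is not None


def flag_traversal(log_lines):
    """Return (line_index, decoded_uri) for every line whose URI shows traversal."""
    hits = []
    for i, line in enumerate(log_lines):
        m = URI_FIELD.search(line)
        if not m:
            continue  # line has no uri field in the assumed format; skip it
        raw = m.group(1)
        if has_traversal(raw):
            hits.append((i, normalize_uri(raw)))
    return hits


# Constructed sample lines, not real ASA or proxy output. Addresses are RFC 5737.
SAMPLE_LOGS = [
    'ts=2026-06-23T10:00:01Z src=203.0.113.10 method=GET uri="/portal/index.html" status=200',
    'ts=2026-06-23T10:00:02Z src=198.51.100.7 method=GET uri="/portal/translation?lang=../../etc/passwd" status=200',
    'ts=2026-06-23T10:00:03Z src=198.51.100.7 method=GET uri="/portal/%2e%2e/%2e%2e/config" status=404',
    'ts=2026-06-23T10:00:04Z src=198.51.100.7 method=GET uri="/portal/%252e%252e%252fsecret" status=200',
    'ts=2026-06-23T10:00:05Z src=192.0.2.5 method=GET uri="/search?q=what..." status=200',
    'ts=2026-06-23T10:00:06Z src=192.0.2.5 method=GET uri="/files/report..2026.pdf" status=200',
    'ts=2026-06-23T10:00:07Z src=198.51.100.7 method=GET uri="/portal/..%5c..%5cwin.ini" status=200',
]


if __name__ == "__main__":
    for idx, decoded in flag_traversal(SAMPLE_LOGS):
        print(f"line {idx}: traversal in {decoded}")
```

Decoding is bounded rather than looped to a fixed point so a hostile URI cannot make the detector spin; three rounds already cover double encoding, which is the usual evasion. Bounding `..` with delimiters is the trade-off that keeps file names such as `report..2026.pdf` out of the alert queue while still catching `lang=../`, where the traversal sits inside a query value rather than the path.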

Stop checking versions by hand

Is your whole fleet exposed, not just this Cisco ASA?

VulnMonitor reconciles every advisory against your real inventory and ranks what matters by actual exploitation (CISA KEV, EPSS), not raw CVSS. New CVE hits your gear, it is on your queue with the fix attached.
