Skip to main content
CloudKey
English Français
Request a demo

6 actively exploited

Cisco ASA 9.14(4)6: known CVEs & fixed releases

37 CVEs affect this build · 6 in CISA KEV (actively exploited) · highest CVSS 9.9 · 10 builds behind the latest 9.14(4)28 · updated 2026-06-23

Patch path: upgrade to 9.14(4)28 to clear the exploited issues below.

  • KEV · exploited HIGH
    CVE-2025-20362

    Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Missing Authorization Vulnerability

    Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a missing authorization vulnerability. This vulnerability could be chained with CVE-2025-20333.

    CVSS
    8.6
    EPSS
    86%
    KEV added
    2025-09-25
    Published
    2025-09-25
    Fixed in 9.12(4)72, 9.14(4)28, 9.16(4)85, 9.18(4)67, 9.20(4)10, 9.22(2)14, 9.23(1)19 NVD ↗Cisco ↗CISA ↗
  • KEV · exploited HIGH
    CVE-2024-20353

    Cisco ASA and FTD Denial of Service Vulnerability

    Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an infinite loop vulnerability that can lead to remote denial of service condition.

    CVSS
    8.6
    EPSS
    63%
    KEV added
    2024-04-24
    Published
    2024-04-24
    NVD ↗Cisco ↗CISA ↗blog.talosintelligence.com ↗
  • KEV · exploited CRITICAL
    CVE-2025-20333

    Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buffer Overflow Vulnerability

    Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution. This vulnerability could be chained with CVE-2025-20362.

    CVSS
    9.9
    EPSS
    40%
    KEV added
    2025-09-25
    Published
    2025-09-25
    Fixed in 9.12(4)72, 9.14(4)28, 9.16(4)85, 9.17(1)45, 9.18(4)47, 9.19(1)37, 9.20(3)7, 9.22(1)3 NVD ↗Cisco ↗CISA ↗
  • KEV · exploited CRITICAL
    CVE-2023-20269

    Cisco Adaptive Security Appliance and Firepower Threat Defense Unauthorized Access Vulnerability

    Cisco Adaptive Security Appliance and Firepower Threat Defense contain an unauthorized access vulnerability that could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or establish a clientless SSL VPN session with an unauthorized user.

    CVSS
    9.1
    EPSS
    22%
    KEV added
    2023-09-13
    Published
    2023-09-06
    NVD ↗Cisco ↗CISA ↗
  • KEV · exploited MEDIUM
    CVE-2024-20359

    Cisco ASA and FTD Privilege Escalation Vulnerability

    Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain a privilege escalation vulnerability that can allow local privilege escalation from Administrator to root.

    CVSS
    6
    EPSS
    17%
    KEV added
    2024-04-24
    Published
    2024-04-24
    NVD ↗Cisco ↗CISA ↗blog.talosintelligence.com ↗
  • KEV · exploited MEDIUM
    CVE-2024-20481

    Cisco ASA and FTD Denial-of-Service Vulnerability

    Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain a missing release of resource after effective lifetime vulnerability that could allow an unauthenticated, remote attacker to cause a denial-of-service (DoS) of the RAVPN service.

    CVSS
    5.8
    EPSS
    16%
    KEV added
    2024-10-24
    Published
    2024-10-23
    NVD ↗Cisco ↗CISA ↗
  • CRITICAL
    CVE-2025-20363

    CVE-2025-20363

    A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, remote attacker (Cisco ASA and FTD Software) or authenticated, remote attacker (Cisco IOS, IOS XE, and IOS XR Software) with low user privileges to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device after obtaining additional information about the system, overcoming exploit mitigations, or both. A successful exploit could allow the attacker to execute arbitrary code as root, which may lead to the complete compromise of the affected device. For more information about this vulnerability, see the Details ["#details"] section of this advisory.

    CVSS
    9
    EPSS
    8%
    Published
    2025-09-25
    Fixed in 9.12(4)72, 9.14(4)28, 9.16(4)84, 9.18(4)57, 9.19(1)42, 9.20(3)16, 9.22(2), 9.23(1)3 NVD ↗Cisco ↗
  • MEDIUM
    CVE-2024-20358

    CVE-2024-20358

    A vulnerability in the Cisco Adaptive Security Appliance (ASA) restore functionality that is available in Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. This vulnerability exists because the contents of a backup file are improperly sanitized at restore time. An attacker could exploit this vulnerability by restoring a crafted backup file to an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system as root.

    CVSS
    6.7
    EPSS
    1%
    Published
    2024-04-24
    NVD ↗Cisco ↗
  • HIGH
    CVE-2023-20086

    CVE-2023-20086

    A vulnerability in ICMPv6 processing of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to improper processing of ICMPv6 messages. An attacker could exploit this vulnerability by sending crafted ICMPv6 messages to a targeted Cisco ASA or FTD system with IPv6 enabled. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    1%
    Published
    2023-11-01
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2024-20331

    CVE-2024-20331

    A vulnerability in the session authentication functionality of the Remote Access SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to prevent users from authenticating. This vulnerability is due to insufficient entropy in the authentication process. An attacker could exploit this vulnerability by determining the handle of an authenticating user and using it to terminate their authentication session. A successful exploit could allow the attacker to force a user to restart the authentication process, preventing a legitimate user from establishing remote access VPN sessions.

    CVSS
    5.9
    EPSS
    1%
    Published
    2024-10-23
    NVD ↗Cisco ↗
  • HIGH
    CVE-2023-20095

    CVE-2023-20095

    A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper handling of HTTPS requests. An attacker could exploit this vulnerability by sending crafted HTTPS requests to an affected system. A successful exploit could allow the attacker to cause resource exhaustion, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    1%
    Published
    2023-11-01
    NVD ↗Cisco ↗
  • HIGH
    CVE-2024-20268

    CVE-2024-20268

    A vulnerability in the Simple Network Management Protocol (SNMP) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to cause an unexpected reload of the device. This vulnerability is due to insufficient input validation of SNMP packets. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device using IPv4 or IPv6. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition. This vulnerability affects all versions of SNMP (versions 1, 2c, and 3) and requires a valid SNMP community string or valid SNMPv3 user credentials.

    CVSS
    7.7
    EPSS
    1%
    Published
    2024-10-23
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2023-20256

    CVE-2023-20256

    Multiple vulnerabilities in the per-user-override feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should be denied to flow through an affected device. These vulnerabilities are due to a logic error that could occur when the affected software constructs and applies per-user-override rules. An attacker could exploit these vulnerabilities by connecting to a network through an affected device that has a vulnerable configuration. A successful exploit could allow the attacker to bypass the interface ACL and access resources that would should be protected.

    CVSS
    5.8
    EPSS
    1%
    Published
    2023-11-01
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2024-20493

    CVE-2024-20493

    A vulnerability in the login authentication functionality of the Remote Access SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to deny further VPN user authentications for several minutes, resulting in a temporary denial of service (DoS) condition. This vulnerability is due to ineffective handling of memory resources during the authentication process. An attacker could exploit this vulnerability by sending crafted packets, which could cause resource exhaustion of the authentication process. A successful exploit could allow the attacker to deny authentication for Remote Access SSL VPN users for several minutes, resulting in a temporary DoS condition.

    CVSS
    5.3
    EPSS
    1%
    Published
    2024-10-23
    NVD ↗Cisco ↗
  • HIGH
    CVE-2024-20402

    CVE-2024-20402

    A vulnerability in the SSL VPN feature for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to a logic error in memory management when the device is handling SSL VPN connections. An attacker could exploit this vulnerability by sending crafted SSL/TLS packets to the SSL VPN server of the affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    1%
    Published
    2024-10-23
    NVD ↗Cisco ↗
  • HIGH
    CVE-2024-20495

    CVE-2024-20495

    A vulnerability in the Remote Access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition on an affected device. This vulnerability is due to improper validation of client key data after the TLS session is established. An attacker could exploit this vulnerability by sending a crafted key value to an affected system over the secure TLS session. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    1%
    Published
    2024-10-23
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2023-20245

    CVE-2023-20245

    Multiple vulnerabilities in the per-user-override feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should be denied to flow through an affected device. These vulnerabilities are due to a logic error that could occur when the affected software constructs and applies per-user-override rules. An attacker could exploit these vulnerabilities by connecting to a network through an affected device that has a vulnerable configuration. A successful exploit could allow the attacker to bypass the interface ACL and access resources that would should be protected.

    CVSS
    5.8
    EPSS
    0%
    Published
    2023-11-01
    NVD ↗Cisco ↗
  • HIGH
    CVE-2025-20182

    CVE-2025-20182

    A vulnerability in the Internet Key Exchange version 2 (IKEv2) protocol processing of Cisco Adaptive Security Appliance (ASA) Software, Cisco Firepower Threat Defense (FTD) Software, Cisco IOS Software, and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient input validation when processing IKEv2 messages. An attacker could exploit this vulnerability by sending crafted IKEv2 traffic to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition on the affected device.

    CVSS
    8.6
    EPSS
    0%
    Published
    2025-05-07
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2024-20299

    CVE-2024-20299

    A vulnerability in the AnyConnect firewall for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should have been denied to flow through an affected device. This vulnerability is due to a logic error in populating group ACLs when an AnyConnect client establishes a new session toward an affected device. An attacker could exploit this vulnerability by establishing an AnyConnect connection to the affected device. A successful exploit could allow the attacker to bypass configured ACL rules.

    CVSS
    5.8
    EPSS
    0%
    Published
    2024-10-23
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2024-20297

    CVE-2024-20297

    A vulnerability in the AnyConnect firewall for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should have been denied to flow through an affected device. This vulnerability is due to a logic error in populating group ACLs when an AnyConnect client establishes a new session toward an affected device. An attacker could exploit this vulnerability by establishing an AnyConnect connection to the affected device. A successful exploit could allow the attacker to bypass configured ACL rules.

    CVSS
    5.8
    EPSS
    0%
    Published
    2024-10-23
    NVD ↗Cisco ↗
  • HIGH
    CVE-2024-20408

    CVE-2024-20408

    A vulnerability in the Dynamic Access Policies (DAP) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to cause an affected device to reload unexpectedly. To exploit this vulnerability, an attacker would need valid remote access VPN user credentials on the affected device. This vulnerability is due to improper validation of data in HTTPS POST requests. An attacker could exploit this vulnerability by sending a crafted HTTPS POST request to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition.

    CVSS
    7.7
    EPSS
    0%
    Published
    2024-10-23
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2024-20341

    CVE-2024-20341

    A vulnerability in the VPN web client services feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a browser that is accessing an affected device. This vulnerability is due to improper validation of user-supplied input to application endpoints. An attacker could exploit this vulnerability by persuading a user to follow a link designed to submit malicious input to the affected application. A successful exploit could allow the attacker to execute arbitrary HTML or script code in the browser in the context of the web services page.

    CVSS
    6.1
    EPSS
    0%
    Published
    2024-10-23
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2023-20275

    CVE-2023-20275

    A vulnerability in the AnyConnect SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to send packets with another VPN user's source IP address. This vulnerability is due to improper validation of the packet's inner source IP address after decryption. An attacker could exploit this vulnerability by sending crafted packets through the tunnel. A successful exploit could allow the attacker to send a packet impersonating another VPN user's IP address. It is not possible for the attacker to receive return packets.

    CVSS
    4.3
    EPSS
    0%
    Published
    2023-12-12
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2024-20382

    CVE-2024-20382

    A vulnerability in the VPN web client services feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a browser that is accessing an affected device. This vulnerability is due to improper validation of user-supplied input to application endpoints. An attacker could exploit this vulnerability by persuading a user to follow a link designed to submit malicious input to the affected application. A successful exploit could allow the attacker to execute arbitrary HTML or script code in the browser in the context of the web services page.

    CVSS
    6.1
    EPSS
    0%
    Published
    2024-10-23
    NVD ↗Cisco ↗
  • HIGH
    CVE-2026-20039

    CVE-2026-20039

    A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to ineffective memory management of the VPN web server. An attacker could exploit this vulnerability by sending a large number of crafted HTTP requests to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)84, 9.18(4)57, 9.20(3)16, 9.22(2)4, 9.23(1)3 NVD ↗Cisco ↗
  • HIGH
    CVE-2026-20101

    CVE-2026-20101

    A vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Secure FTD Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a DoS condition. This vulnerability is due to insufficient error checking when processing SAML messages. An attacker could exploit this vulnerability by sending crafted SAML messages to the SAML service. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7 NVD ↗Cisco ↗
  • HIGH
    CVE-2026-20103

    CVE-2026-20103

    A vulnerability in the Remote Access SSL VPN functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to exhaust device memory resulting in a denial of service (DoS) condition to new Remote Access SSL VPN connections. This does not affect the management interface, though it may become temporarily unresponsive. This vulnerability is due to trusting user input without validation. An attacker could exploit this vulnerability by sending crafted packets to the Remote Access SSL VPN server. A successful exploit could allow the attacker to cause the device web interface to stop responding, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7 NVD ↗Cisco ↗
  • MEDIUM
    CVE-2026-20016

    CVE-2026-20016

    A vulnerability in the Cisco FXOS Software CLI feature for Cisco Secure Firewall ASA Software and Secure FTD Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. To exploit this vulnerability, the attacker must have valid administrative credentials on an affected device. This vulnerability is due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by submitting crafted input for specific CLI commands. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges.

    CVSS
    6.7
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7 NVD ↗Cisco ↗
  • MEDIUM
    CVE-2024-20355

    CVE-2024-20355

    A vulnerability in the implementation of SAML 2.0 single sign-on (SSO) for remote access VPN services in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to successfully establish a VPN session on an affected device. This vulnerability is due to improper separation of authorization domains when using SAML authentication. An attacker could exploit this vulnerability by using valid credentials to successfully authenticate using their designated connection profile (tunnel group), intercepting the SAML SSO token that is sent back from the Cisco ASA device, and then submitting the same SAML SSO token to a different tunnel group for authentication. A successful exploit could allow the attacker to establish a remote access VPN session using a connection profile that they are not authorized to use and connect to secured networks behind the affected device that they are not authorized to access. For successful exploitation, the attacker must have valid remote access VPN user credentials.

    CVSS
    5
    EPSS
    0%
    Published
    2024-05-22
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2026-20106

    CVE-2026-20106

    A vulnerability in the Remote Access SSL VPN, HTTP management and MUS functionality, of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to exhaust device memory resulting in a denial of service (DoS) condition requiring a manual reboot. This vulnerability is due to trusting user input without validation. An attacker could exploit this vulnerability by sending crafted packets to the Remote Access SSL VPN server. A successful exploit could allow the attacker to cause the device to stop responding, resulting in a DoS condition.

    CVSS
    5.3
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7 NVD ↗Cisco ↗
  • HIGH
    CVE-2026-20105

    CVE-2026-20105

    A vulnerability in the Remote Access SSL VPN functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker with a valid VPN connection to exhaust device memory resulting in a denial of service (DoS) condition.This does not affect the management or MUS interfaces. This vulnerability is due to trusting user input without validation. An attacker could exploit this vulnerability by sending crafted packets to the Remote Access SSL VPN server. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

    CVSS
    7.7
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7 NVD ↗Cisco ↗
  • MEDIUM
    CVE-2023-20247

    CVE-2023-20247

    A vulnerability in the remote access SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to bypass a configured multiple certificate authentication policy and connect using only a valid username and password. This vulnerability is due to improper error handling during remote access VPN authentication. An attacker could exploit this vulnerability by sending crafted requests during remote access VPN session establishment. A successful exploit could allow the attacker to bypass the configured multiple certificate authentication policy while retaining the privileges and permissions associated with the original connection profile.

    CVSS
    4.3
    EPSS
    0%
    Published
    2023-11-01
    NVD ↗Cisco ↗
  • HIGH
    CVE-2026-20014

    CVE-2026-20014

    A vulnerability in the IKEv2 feature of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an authenticated, remote attacker with valid VPN user credentials to cause a DoS condition on an affected device that may also impact the availability of services to devices elsewhere in the network. This vulnerability is due to the improper processing of IKEv2 packets. An attacker could exploit this vulnerability by sending crafted, authenticated IKEv2 packets to an affected device. A successful exploit could allow the attacker to exhaust memory, causing the device to reload.

    CVSS
    7.7
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)9, 9.23(1)13 NVD ↗Cisco ↗
  • MEDIUM
    CVE-2026-20069

    CVE-2026-20069

    A vulnerability in the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct browser-based attacks against users of an affected device. This vulnerability is due to improper validation of HTTP requests. An attacker could exploit this vulnerability by persuading a user to visit a website that is designed to pass malicious HTTP requests to a device that is running Cisco Secure Firewall ASA Software or Cisco Secure FTD Software and has web services endpoints supporting VPN features enabled. A successful exploit could allow the attacker to reflect malicious input from the affected device to the browser that is in use and conduct browser-based attacks, including cross-site scripting (XSS) attacks. The attacker is not able to directly impact the affected device.

    CVSS
    4.3
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7 NVD ↗Cisco ↗
  • MEDIUM
    CVE-2024-20485

    CVE-2024-20485

    A vulnerability in the VPN web server of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. This vulnerability is due to improper validation of a specific file when it is read from system flash memory. An attacker could exploit this vulnerability by restoring a crafted backup file to an affected device. A successful exploit could allow the attacker to execute arbitrary code on the affected device after the next reload of the device, which could alter system behavior. Because the injected code could persist across device reboots, Cisco has raised the Security Impact Rating (SIR) of this advisory from Medium to High.

    CVSS
    6.7
    EPSS
    0%
    Published
    2024-10-23
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2026-20025

    CVE-2026-20025

    A vulnerability in the OSPF protocol of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an authenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a DoS condition. To exploit this vulnerability, the attacker must have the OSPF secret key. This vulnerability is due to insufficient input validation when processing OSPF link-state update (LSU) packets. An attacker could exploit this vulnerability by sending crafted OSPF LSU packets. A successful exploit could allow the attacker to corrupt the heap, causing the device to reload, resulting in a DoS condition.

    CVSS
    6.8
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7 NVD ↗Cisco ↗
  • MEDIUM
    CVE-2026-20008

    CVE-2026-20008

    A vulnerability in a small subset of CLI commands that are used on Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, local attacker to craft Lua code that could be used on the underlying operating system as root. This vulnerability exists because user-provided input is not properly sanitized. An attacker could exploit this vulnerability by crafting valid Lua code and submitting it as a malicious parameter for a CLI command. A successful exploit could allow the attacker to inject Lua code, which could lead to arbitrary code execution as the root user. To exploit this vulnerability, an attacker must have valid Administrator credentials.

    CVSS
    6
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7 NVD ↗Cisco ↗

Stop checking versions by hand

Is your whole fleet exposed, not just this Cisco ASA?

VulnMonitor reconciles every advisory against your real inventory and ranks what matters by actual exploitation (CISA KEV, EPSS), not raw CVSS. New CVE hits your gear, it is on your queue with the fix attached.

Start free How VulnMonitor works

Free to start · no credit card

Other Cisco ASA versions