CloudKey

6 actively exploited

Cisco ASA 9.16(2)13: known CVEs & fixed releases

52 CVEs affect this build · 6 in CISA KEV (actively exploited) · highest CVSS 9.9 · 29 builds behind the latest 9.16(4)89 · updated 2026-06-23

Patch path: upgrade to 9.16(4)84 or 9.16(4)85 or 9.16(4)89 to clear the exploited issues below.

  • KEV · exploited HIGH
    CVE-2025-20362

    Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Missing Authorization Vulnerability

    Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a missing authorization vulnerability. This vulnerability could be chained with CVE-2025-20333.

    CVSS
    8.6
    EPSS
    86%
    KEV added
    2025-09-25
    Published
    2025-09-25
    Fixed in 9.12(4)72, 9.14(4)28, 9.16(4)85, 9.18(4)67, 9.20(4)10, 9.22(2)14, 9.23(1)19 NVD ↗Cisco ↗CISA ↗
  • KEV · exploited HIGH
    CVE-2024-20353

    Cisco ASA and FTD Denial of Service Vulnerability

    Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an infinite loop vulnerability that can lead to remote denial of service condition.

    CVSS
    8.6
    EPSS
    63%
    KEV added
    2024-04-24
    Published
    2024-04-24
  • KEV · exploited CRITICAL
    CVE-2025-20333

    Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buffer Overflow Vulnerability

    Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution. This vulnerability could be chained with CVE-2025-20362.

    CVSS
    9.9
    EPSS
    40%
    KEV added
    2025-09-25
    Published
    2025-09-25
    Fixed in 9.12(4)72, 9.14(4)28, 9.16(4)85, 9.17(1)45, 9.18(4)47, 9.19(1)37, 9.20(3)7, 9.22(1)3 NVD ↗Cisco ↗CISA ↗
  • KEV · exploited CRITICAL
    CVE-2023-20269

    Cisco Adaptive Security Appliance and Firepower Threat Defense Unauthorized Access Vulnerability

    Cisco Adaptive Security Appliance and Firepower Threat Defense contain an unauthorized access vulnerability that could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or establish a clientless SSL VPN session with an unauthorized user.

    CVSS
    9.1
    EPSS
    22%
    KEV added
    2023-09-13
    Published
    2023-09-06
  • KEV · exploited MEDIUM
    CVE-2024-20359

    Cisco ASA and FTD Privilege Escalation Vulnerability

    Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain a privilege escalation vulnerability that can allow local privilege escalation from Administrator to root.

    CVSS
    6
    EPSS
    17%
    KEV added
    2024-04-24
    Published
    2024-04-24
  • KEV · exploited MEDIUM
    CVE-2024-20481

    Cisco ASA and FTD Denial-of-Service Vulnerability

    Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain a missing release of resource after effective lifetime vulnerability that could allow an unauthenticated, remote attacker to cause a denial-of-service (DoS) of the RAVPN service.

    CVSS
    5.8
    EPSS
    16%
    KEV added
    2024-10-24
    Published
    2024-10-23
  • CRITICAL
    CVE-2025-20363

    A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, remote attacker (Cisco ASA and FTD Software) or an authenticated, remote attacker (Cisco IOS, IOS XE, and IOS XR Software) with low user privileges to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device after obtaining additional information about the system, overcoming exploit mitigations, or both. A successful exploit could allow the attacker to execute arbitrary code as root, which may lead to the complete compromise of the affected device. For more information about this vulnerability, see the Details section of the Cisco advisory.

    CVSS
    9
    EPSS
    8%
    Published
    2025-09-25
    Fixed in 9.12(4)72, 9.14(4)28, 9.16(4)84, 9.18(4)57, 9.19(1)42, 9.20(3)16, 9.22(2), 9.23(1)3 NVD ↗Cisco ↗
  • CVE-2023-20006

    A vulnerability in the hardware-based SSL/TLS cryptography functionality of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 2100 Series Appliances could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to an implementation error within the cryptographic functions for SSL/TLS traffic processing when they are offloaded to the hardware. An attacker could exploit this vulnerability by sending a crafted stream of SSL/TLS traffic to an affected device. A successful exploit could allow the attacker to cause an unexpected error in the hardware-based cryptography engine, which could cause the device to reload.

    CVSS
    7.5
    EPSS
    1%
    Published
    2023-06-28
  • CVE-2024-20358

    A vulnerability in the Cisco Adaptive Security Appliance (ASA) restore functionality that is available in Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. This vulnerability exists because the contents of a backup file are improperly sanitized at restore time. An attacker could exploit this vulnerability by restoring a crafted backup file to an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system as root.

    CVSS
    6.7
    EPSS
    1%
    Published
    2024-04-24
  • CVE-2023-20042

    A vulnerability in the AnyConnect SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an implementation error within the SSL/TLS session handling process that can prevent the release of a session handler under specific conditions. An attacker could exploit this vulnerability by sending crafted SSL/TLS traffic to an affected device, increasing the probability of session handler leaks. A successful exploit could allow the attacker to eventually deplete the available session handler pool, preventing new sessions from being established and causing a DoS condition.

    CVSS
    8.6
    EPSS
    1%
    Published
    2023-11-01
  • CVE-2023-20086

    A vulnerability in ICMPv6 processing of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to improper processing of ICMPv6 messages. An attacker could exploit this vulnerability by sending crafted ICMPv6 messages to a targeted Cisco ASA or FTD system with IPv6 enabled. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    1%
    Published
    2023-11-01
  • CVE-2024-20331

    A vulnerability in the session authentication functionality of the Remote Access SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to prevent users from authenticating. This vulnerability is due to insufficient entropy in the authentication process. An attacker could exploit this vulnerability by determining the handle of an authenticating user and using it to terminate their authentication session. A successful exploit could allow the attacker to force a user to restart the authentication process, preventing a legitimate user from establishing remote access VPN sessions.

    CVSS
    5.9
    EPSS
    1%
    Published
    2024-10-23
  • CVE-2023-20095

    A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper handling of HTTPS requests. An attacker could exploit this vulnerability by sending crafted HTTPS requests to an affected system. A successful exploit could allow the attacker to cause resource exhaustion, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    1%
    Published
    2023-11-01
  • CVE-2024-20268

    A vulnerability in the Simple Network Management Protocol (SNMP) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to cause an unexpected reload of the device. This vulnerability is due to insufficient input validation of SNMP packets. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device using IPv4 or IPv6. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition. This vulnerability affects all versions of SNMP (versions 1, 2c, and 3) and requires a valid SNMP community string or valid SNMPv3 user credentials.

    CVSS
    7.7
    EPSS
    1%
    Published
    2024-10-23
  • CVE-2023-20256

    Multiple vulnerabilities in the per-user-override feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should be denied to flow through an affected device. These vulnerabilities are due to a logic error that could occur when the affected software constructs and applies per-user-override rules. An attacker could exploit these vulnerabilities by connecting to a network through an affected device that has a vulnerable configuration. A successful exploit could allow the attacker to bypass the interface ACL and access resources that should be protected.

    CVSS
    5.8
    EPSS
    1%
    Published
    2023-11-01
  • CVE-2024-20493

    A vulnerability in the login authentication functionality of the Remote Access SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to deny further VPN user authentications for several minutes, resulting in a temporary denial of service (DoS) condition. This vulnerability is due to ineffective handling of memory resources during the authentication process. An attacker could exploit this vulnerability by sending crafted packets, which could cause resource exhaustion of the authentication process. A successful exploit could allow the attacker to deny authentication for Remote Access SSL VPN users for several minutes, resulting in a temporary DoS condition.

    CVSS
    5.3
    EPSS
    1%
    Published
    2024-10-23
  • CVE-2024-20402

    A vulnerability in the SSL VPN feature for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to a logic error in memory management when the device is handling SSL VPN connections. An attacker could exploit this vulnerability by sending crafted SSL/TLS packets to the SSL VPN server of the affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    1%
    Published
    2024-10-23
  • CVE-2024-20495

    A vulnerability in the Remote Access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition on an affected device. This vulnerability is due to improper validation of client key data after the TLS session is established. An attacker could exploit this vulnerability by sending a crafted key value to an affected system over the secure TLS session. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    1%
    Published
    2024-10-23
  • CVE-2023-20245

    Multiple vulnerabilities in the per-user-override feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should be denied to flow through an affected device. These vulnerabilities are due to a logic error that could occur when the affected software constructs and applies per-user-override rules. An attacker could exploit these vulnerabilities by connecting to a network through an affected device that has a vulnerable configuration. A successful exploit could allow the attacker to bypass the interface ACL and access resources that should be protected.

    CVSS
    5.8
    EPSS
    0%
    Published
    2023-11-01
  • CVE-2025-20182

    A vulnerability in the Internet Key Exchange version 2 (IKEv2) protocol processing of Cisco Adaptive Security Appliance (ASA) Software, Cisco Firepower Threat Defense (FTD) Software, Cisco IOS Software, and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient input validation when processing IKEv2 messages. An attacker could exploit this vulnerability by sending crafted IKEv2 traffic to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition on the affected device.

    CVSS
    8.6
    EPSS
    0%
    Published
    2025-05-07
  • CVE-2024-20526

    A vulnerability in the SSH server of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition for the SSH server of an affected device. This vulnerability is due to a logic error when an SSH session is established. An attacker could exploit this vulnerability by sending crafted SSH messages to an affected device. A successful exploit could allow the attacker to exhaust available SSH resources on the affected device so that new SSH connections to the device are denied, resulting in a DoS condition. Existing SSH connections to the device would continue to function normally. The device must be rebooted manually to recover. However, user traffic would not be impacted and could be managed using a remote application such as Cisco Adaptive Security Device Manager (ASDM).

    CVSS
    5.3
    EPSS
    0%
    Published
    2024-10-23
  • CVE-2024-20299

    A vulnerability in the AnyConnect firewall for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should have been denied to flow through an affected device. This vulnerability is due to a logic error in populating group ACLs when an AnyConnect client establishes a new session toward an affected device. An attacker could exploit this vulnerability by establishing an AnyConnect connection to the affected device. A successful exploit could allow the attacker to bypass configured ACL rules.

    CVSS
    5.8
    EPSS
    0%
    Published
    2024-10-23
  • CVE-2024-20297

    A vulnerability in the AnyConnect firewall for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should have been denied to flow through an affected device. This vulnerability is due to a logic error in populating group ACLs when an AnyConnect client establishes a new session toward an affected device. An attacker could exploit this vulnerability by establishing an AnyConnect connection to the affected device. A successful exploit could allow the attacker to bypass configured ACL rules.

    CVSS
    5.8
    EPSS
    0%
    Published
    2024-10-23
  • CVE-2024-20408

    A vulnerability in the Dynamic Access Policies (DAP) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to cause an affected device to reload unexpectedly. To exploit this vulnerability, an attacker would need valid remote access VPN user credentials on the affected device. This vulnerability is due to improper validation of data in HTTPS POST requests. An attacker could exploit this vulnerability by sending a crafted HTTPS POST request to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition.

    CVSS
    7.7
    EPSS
    0%
    Published
    2024-10-23
  • CVE-2024-20384

    A vulnerability in the Network Service Group (NSG) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should be denied to flow through an affected device. This vulnerability is due to a logic error that occurs when NSG ACLs are populated on an affected device. An attacker could exploit this vulnerability by establishing a connection to the affected device. A successful exploit could allow the attacker to bypass configured ACL rules.

    CVSS
    5.8
    EPSS
    0%
    Published
    2024-10-23
  • CVE-2024-20341

    A vulnerability in the VPN web client services feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a browser that is accessing an affected device. This vulnerability is due to improper validation of user-supplied input to application endpoints. An attacker could exploit this vulnerability by persuading a user to follow a link designed to submit malicious input to the affected application. A successful exploit could allow the attacker to execute arbitrary HTML or script code in the browser in the context of the web services page.

    CVSS
    6.1
    EPSS
    0%
    Published
    2024-10-23
  • CVE-2023-20275

    A vulnerability in the AnyConnect SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to send packets with another VPN user's source IP address. This vulnerability is due to improper validation of the packet's inner source IP address after decryption. An attacker could exploit this vulnerability by sending crafted packets through the tunnel. A successful exploit could allow the attacker to send a packet impersonating another VPN user's IP address. It is not possible for the attacker to receive return packets.

    CVSS
    4.3
    EPSS
    0%
    Published
    2023-12-12
  • CVE-2026-20073

    A vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to send traffic that should be denied through an affected device. This vulnerability is due to improper error handling when an affected device that is joining a cluster runs out of memory while replicating access control rules. An attacker could exploit this vulnerability by sending traffic that should be blocked through the device. A successful exploit could allow the attacker to bypass access controls and reach devices in protected networks.

    CVSS
    5.8
    EPSS
    0%
    Published
    2026-03-04
  • CVE-2024-20382

    A vulnerability in the VPN web client services feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a browser that is accessing an affected device. This vulnerability is due to improper validation of user-supplied input to application endpoints. An attacker could exploit this vulnerability by persuading a user to follow a link designed to submit malicious input to the affected application. A successful exploit could allow the attacker to execute arbitrary HTML or script code in the browser in the context of the web services page.

    CVSS
    6.1
    EPSS
    0%
    Published
    2024-10-23
  • CVE-2026-20039

    A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to ineffective memory management of the VPN web server. An attacker could exploit this vulnerability by sending a large number of crafted HTTP requests to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)84, 9.18(4)57, 9.20(3)16, 9.22(2)4, 9.23(1)3 NVD ↗Cisco ↗
  • CVE-2026-20101

    A vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Secure FTD Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a DoS condition. This vulnerability is due to insufficient error checking when processing SAML messages. An attacker could exploit this vulnerability by sending crafted SAML messages to the SAML service. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7 NVD ↗Cisco ↗
  • CVE-2026-20103

    A vulnerability in the Remote Access SSL VPN functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to exhaust device memory resulting in a denial of service (DoS) condition to new Remote Access SSL VPN connections. This does not affect the management interface, though it may become temporarily unresponsive. This vulnerability is due to trusting user input without validation. An attacker could exploit this vulnerability by sending crafted packets to the Remote Access SSL VPN server. A successful exploit could allow the attacker to cause the device web interface to stop responding, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7 NVD ↗Cisco ↗
  • CVE-2026-20016

    A vulnerability in the Cisco FXOS Software CLI feature for Cisco Secure Firewall ASA Software and Secure FTD Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. To exploit this vulnerability, the attacker must have valid administrative credentials on an affected device. This vulnerability is due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by submitting crafted input for specific CLI commands. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges.

    CVSS
    6.7
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7 NVD ↗Cisco ↗
  • CVE-2024-20355

    A vulnerability in the implementation of SAML 2.0 single sign-on (SSO) for remote access VPN services in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to successfully establish a VPN session on an affected device. This vulnerability is due to improper separation of authorization domains when using SAML authentication. An attacker could exploit this vulnerability by using valid credentials to successfully authenticate using their designated connection profile (tunnel group), intercepting the SAML SSO token that is sent back from the Cisco ASA device, and then submitting the same SAML SSO token to a different tunnel group for authentication. A successful exploit could allow the attacker to establish a remote access VPN session using a connection profile that they are not authorized to use and connect to secured networks behind the affected device that they are not authorized to access. For successful exploitation, the attacker must have valid remote access VPN user credentials.

    CVSS
    5
    EPSS
    0%
    Published
    2024-05-22
  • CVE-2026-20106

    A vulnerability in the Remote Access SSL VPN, HTTP management and MUS functionality, of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to exhaust device memory resulting in a denial of service (DoS) condition requiring a manual reboot. This vulnerability is due to trusting user input without validation. An attacker could exploit this vulnerability by sending crafted packets to the Remote Access SSL VPN server. A successful exploit could allow the attacker to cause the device to stop responding, resulting in a DoS condition.

    CVSS
    5.3
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7 NVD ↗Cisco ↗
  • CVE-2026-20105

    A vulnerability in the Remote Access SSL VPN functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker with a valid VPN connection to exhaust device memory, resulting in a denial of service (DoS) condition. This does not affect the management or MUS interfaces. This vulnerability is due to trusting user input without validation. An attacker could exploit this vulnerability by sending crafted packets to the Remote Access SSL VPN server. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

    CVSS
    7.7
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7 NVD ↗Cisco ↗
  • CVE-2026-20013

    A vulnerability in the IKEv2 feature of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device that may also impact the availability of services to devices elsewhere in the network. This vulnerability is due to memory exhaustion caused by not freeing memory during IKEv2 packet processing. An attacker could exploit this vulnerability by sending crafted IKEv2 packets to an affected device. A successful exploit could allow the attacker to exhaust resources, causing a DoS condition that will eventually require the device to manually reload.

    CVSS
    5.8
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.18(4)66, 9.20(3)20, 9.22(2)4, 9.23(1)3 NVD ↗Cisco ↗
  • CVE-2026-20049

    A vulnerability in the processing of Galois/Counter Mode (GCM)-encrypted Internet Key Exchange version 2 (IKEv2) IPsec traffic of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to the allocation of an insufficiently sized block of memory. An attacker could exploit this vulnerability by sending crafted GCM-encrypted IPsec traffic to an affected device. A successful exploit could allow the attacker to cause an unexpected reload of the device, resulting in a DoS condition. To exploit this vulnerability, the attacker must have valid credentials to establish a VPN connection with the affected device.

    CVSS
    7.7
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.18(4)66, 9.20(3)20, 9.22(2)4, 9.23(1)3 NVD ↗Cisco ↗
  • CVE-2023-20247

    A vulnerability in the remote access SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to bypass a configured multiple certificate authentication policy and connect using only a valid username and password. This vulnerability is due to improper error handling during remote access VPN authentication. An attacker could exploit this vulnerability by sending crafted requests during remote access VPN session establishment. A successful exploit could allow the attacker to bypass the configured multiple certificate authentication policy while retaining the privileges and permissions associated with the original connection profile.

    CVSS
    4.3
    EPSS
    0%
    Published
    2023-11-01
  • CVE-2026-20014

    A vulnerability in the IKEv2 feature of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an authenticated, remote attacker with valid VPN user credentials to cause a DoS condition on an affected device that may also impact the availability of services to devices elsewhere in the network. This vulnerability is due to the improper processing of IKEv2 packets. An attacker could exploit this vulnerability by sending crafted, authenticated IKEv2 packets to an affected device. A successful exploit could allow the attacker to exhaust memory, causing the device to reload.

    CVSS
    7.7
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)9, 9.23(1)13 NVD ↗Cisco ↗
  • CVE-2026-20100

    A vulnerability in the Lua interpreter of the Remote Access SSL VPN feature of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker with a valid VPN connection to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This does not affect the management or MUS interfaces. This vulnerability is due to trusting user input without validation in the Lua interpreter. An attacker could exploit this vulnerability by sending crafted HTTP packets to the Remote Access SSL VPN server. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

    CVSS
    7.7
    EPSS
    0%
    Published
    2026-03-04
  • CVE-2026-20069

    A vulnerability in the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct browser-based attacks against users of an affected device. This vulnerability is due to improper validation of HTTP requests. An attacker could exploit this vulnerability by persuading a user to visit a website that is designed to pass malicious HTTP requests to a device that is running Cisco Secure Firewall ASA Software or Cisco Secure FTD Software and has web services endpoints supporting VPN features enabled. A successful exploit could allow the attacker to reflect malicious input from the affected device to the browser that is in use and conduct browser-based attacks, including cross-site scripting (XSS) attacks. The attacker is not able to directly impact the affected device.

    CVSS
    4.3
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7 NVD ↗Cisco ↗
  • CVE-2026-20102

    A vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the SAML feature and access sensitive, browser-based information. This vulnerability is due to insufficient input validation of multiple HTTP parameters. An attacker could exploit this vulnerability by persuading a user to access a malicious link. A successful exploit could allow the attacker to conduct a reflected XSS attack through an affected device.

    CVSS
    6.1
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)89, 9.18(4)71, 9.20(4)19, 9.22(2)32, 9.23(1)26 NVD ↗Cisco ↗
  • CVE-2026-20070

    A vulnerability in the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a browser that is accessing an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by persuading a user to follow a link to a malicious website that is designed to submit malicious input to the affected application. A successful exploit could allow the attacker to execute arbitrary HTML or script code in the browser in the context of the VPN web server.

    CVSS
    6.1
    EPSS
    0%
    Published
    2026-03-04
  • CVE-2026-20020

    A vulnerability in the OSPF protocol of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an unauthenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a DoS condition. If OSPF authentication is enabled, the attacker must know the secret key to exploit this vulnerability. This vulnerability is due to insufficient input validation when processing OSPF update packets. An attacker could exploit this vulnerability by sending crafted OSPF update packets. A successful exploit could allow the attacker to create a buffer overflow, causing the affected device to reload, resulting in a DoS condition.

    CVSS
    5.7
    EPSS
    0%
    Published
    2026-03-04
  • CVE-2026-20021

    A vulnerability in the OSPF protocol of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, adjacent attacker to exhaust memory on an affected device, resulting in a denial of service (DoS) condition. This vulnerability is due to improper validation of input by the OSPF protocol when parsing packets. An attacker could exploit this vulnerability by sending crafted OSPF packets to an affected device. A successful exploit could allow the attacker to exhaust memory on the affected device, resulting in a DoS condition.

    CVSS
    4.3
    EPSS
    0%
    Published
    2026-03-04
  • CVE-2024-20485

    A vulnerability in the VPN web server of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. This vulnerability is due to improper validation of a specific file when it is read from system flash memory. An attacker could exploit this vulnerability by restoring a crafted backup file to an affected device. A successful exploit could allow the attacker to execute arbitrary code on the affected device after the next reload of the device, which could alter system behavior. Because the injected code could persist across device reboots, Cisco has raised the Security Impact Rating (SIR) of this advisory from Medium to High.

    CVSS
    6.7
    EPSS
    0%
    Published
    2024-10-23
  • CVE-2026-20022

    A vulnerability in the OSPF protocol of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an unauthenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a DoS condition when OSPF canonicalization debug is enabled by using the command debug ip ospf canon. This vulnerability is due to insufficient input validation when processing OSPF LSU packets. An attacker could exploit this vulnerability by sending crafted unauthenticated OSPF packets. A successful exploit could allow the attacker to write to memory outside of the packet data, causing the device to reload, resulting in a DoS condition.

    CVSS
    6.5
    EPSS
    0%
    Published
    2026-03-04
  • CVE-2026-20024

    A vulnerability in the OSPF protocol of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an authenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a DoS condition. To exploit this vulnerability, the attacker must have the OSPF secret key. This vulnerability is due to heap corruption in OSPF when parsing packets. An attacker could exploit this vulnerability by sending crafted packets to the OSPF service. A successful exploit could allow the attacker to corrupt the heap, causing the affected device to reload, resulting in a DoS condition.

    CVSS
    5.7
    EPSS
    0%
    Published
    2026-03-04
  • CVE-2026-20025

    A vulnerability in the OSPF protocol of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an authenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a DoS condition. To exploit this vulnerability, the attacker must have the OSPF secret key. This vulnerability is due to insufficient input validation when processing OSPF link-state update (LSU) packets. An attacker could exploit this vulnerability by sending crafted OSPF LSU packets. A successful exploit could allow the attacker to corrupt the heap, causing the device to reload, resulting in a DoS condition.

    CVSS
    6.8
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7 NVD ↗Cisco ↗
  • CVE-2026-20023

    A vulnerability in the OSPF protocol of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, adjacent attacker to corrupt memory on an affected device, resulting in a denial of service (DoS) condition. This vulnerability is due to memory corruption when parsing OSPF protocol packets. An attacker could exploit this vulnerability by sending crafted OSPF packets to an affected device. A successful exploit could allow the attacker to cause memory corruption causing the affected device to reboot, resulting in a DoS condition.

    CVSS
    6.5
    EPSS
    0%
    Published
    2026-03-04
  • CVE-2026-20008

    A vulnerability in a small subset of CLI commands that are used on Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, local attacker to craft Lua code that could be used on the underlying operating system as root. This vulnerability exists because user-provided input is not properly sanitized. An attacker could exploit this vulnerability by crafting valid Lua code and submitting it as a malicious parameter for a CLI command. A successful exploit could allow the attacker to inject Lua code, which could lead to arbitrary code execution as the root user. To exploit this vulnerability, an attacker must have valid Administrator credentials.

    CVSS
    6
    EPSS
    0%
    Published
    2026-03-04
    Fixed in 9.16(4)85, 9.18(4)66, 9.20(4), 9.22(2)4, 9.23(1)7 NVD ↗Cisco ↗
