Build advisory
Cisco ASA 9.16(4)85: known CVEs & fixed releases
6 CVEs affect this build · highest CVSS 6.5 · 1 build behind the latest 9.16(4)89 · updated 2026-06-23
Patch path: upgrade to 9.16(4)89 to clear the exploited issues below.
CVE-2026-20102 (severity: Medium)
A vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the SAML feature and access sensitive, browser-based information. This vulnerability is due to insufficient input validation of multiple HTTP parameters. An attacker could exploit this vulnerability by persuading a user to access a malicious link. A successful exploit could allow the attacker to conduct a reflected XSS attack through an affected device.
- CVSS: 6.1
- EPSS: 0%
- Published: 2026-03-04
CVE-2026-20070 (severity: Medium)
A vulnerability in the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a browser that is accessing an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by persuading a user to follow a link to a malicious website that is designed to submit malicious input to the affected application. A successful exploit could allow the attacker to execute arbitrary HTML or script code in the browser in the context of the VPN web server.
- CVSS: 6.1
- EPSS: 0%
- Published: 2026-03-04
CVE-2026-20020 (severity: Medium)
A vulnerability in the OSPF protocol of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an unauthenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a DoS condition. If OSPF authentication is enabled, the attacker must know the secret key to exploit this vulnerability. This vulnerability is due to insufficient input validation when processing OSPF update packets. An attacker could exploit this vulnerability by sending crafted OSPF update packets. A successful exploit could allow the attacker to create a buffer overflow, causing the affected device to reload, resulting in a DoS condition.
- CVSS: 5.7
- EPSS: 0%
- Published: 2026-03-04
CVE-2026-20021 (severity: Medium)
A vulnerability in the OSPF protocol of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, adjacent attacker to exhaust memory on an affected device, resulting in a denial of service (DoS) condition. This vulnerability is due to improper input validation by the OSPF protocol when parsing packets. An attacker could exploit this vulnerability by sending crafted OSPF packets to an affected device. A successful exploit could allow the attacker to exhaust memory on the affected device, resulting in a DoS condition.
- CVSS: 4.3
- EPSS: 0%
- Published: 2026-03-04
CVE-2026-20022 (severity: Medium)
A vulnerability in the OSPF protocol of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an unauthenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a DoS condition when OSPF canonicalization debug is enabled by using the command debug ip ospf canon. This vulnerability is due to insufficient input validation when processing OSPF LSU packets. An attacker could exploit this vulnerability by sending crafted unauthenticated OSPF packets. A successful exploit could allow the attacker to write to memory outside of the packet data, causing the device to reload, resulting in a DoS condition.
- CVSS: 6.5
- EPSS: 0%
- Published: 2026-03-04
CVE-2026-20023 (severity: Medium)
A vulnerability in the OSPF protocol of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, adjacent attacker to corrupt memory on an affected device, resulting in a denial of service (DoS) condition. This vulnerability is due to memory corruption when parsing OSPF protocol packets. An attacker could exploit this vulnerability by sending crafted OSPF packets to an affected device. A successful exploit could allow the attacker to cause memory corruption causing the affected device to reboot, resulting in a DoS condition.
- CVSS: 6.5
- EPSS: 0%
- Published: 2026-03-04
Stop checking versions by hand
Is your whole fleet exposed, not just this Cisco ASA?
VulnMonitor reconciles every advisory against your real inventory and ranks what matters by actual exploitation (CISA KEV, EPSS), not raw CVSS. When a new CVE hits your gear, it is on your queue with the fix attached.
Other Cisco ASA versions
- 9.18(1) 56 CVEs · 6 KEV
- 9.18(2)5 55 CVEs · 6 KEV
- 9.18(2) 55 CVEs · 6 KEV
- 9.18(1)3 55 CVEs · 6 KEV
- 9.19(1) 54 CVEs · 6 KEV
- 9.18(2)7 54 CVEs · 6 KEV
- 9.18(2)8 53 CVEs · 6 KEV
- 9.17(1) 53 CVEs · 6 KEV
- 9.16(2)7 53 CVEs · 6 KEV
- 9.16(2)3 53 CVEs · 6 KEV
- 9.16(2)11 53 CVEs · 6 KEV
- 9.16(2) 53 CVEs · 6 KEV
- 9.16(1)28 53 CVEs · 6 KEV
- 9.16(1) 53 CVEs · 6 KEV