2 actively exploited
Cisco ASA 9.20(2)22: known CVEs & fixed releases
34 CVEs affect this build · 2 in CISA KEV (actively exploited) · highest CVSS 9.9 · 13 builds behind the latest 9.20(4)19 · updated 2026-06-23
Patch path: upgrade to 9.20(3)16 or 9.20(3)20 or 9.20(3)7 or 9.20(4) or 9.20(4)10 or 9.20(4)19 to clear the exploited issues below.
- KEV · exploited HIGHCVE-2025-20362
Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Missing Authorization Vulnerability
Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a missing authorization vulnerability. This vulnerability could be chained with CVE-2025-20333.
- CVSS
- 8.6
- EPSS
- 86%
- KEV added
- 2025-09-25
- Published
- 2025-09-25
- KEV · exploited CRITICALCVE-2025-20333
Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buffer Overflow Vulnerability
Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution. This vulnerability could be chained with CVE-2025-20362.
- CVSS
- 9.9
- EPSS
- 40%
- KEV added
- 2025-09-25
- Published
- 2025-09-25
- CRITICALCVE-2025-20363
CVE-2025-20363
A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, remote attacker (Cisco ASA and FTD Software) or authenticated, remote attacker (Cisco IOS, IOS XE, and IOS XR Software) with low user privileges to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device after obtaining additional information about the system, overcoming exploit mitigations, or both. A successful exploit could allow the attacker to execute arbitrary code as root, which may lead to the complete compromise of the affected device. For more information about this vulnerability, see the Details ["#details"] section of this advisory.
- CVSS
- 9
- EPSS
- 8%
- Published
- 2025-09-25
- MEDIUMCVE-2024-20358
CVE-2024-20358
A vulnerability in the Cisco Adaptive Security Appliance (ASA) restore functionality that is available in Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. This vulnerability exists because the contents of a backup file are improperly sanitized at restore time. An attacker could exploit this vulnerability by restoring a crafted backup file to an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system as root.
- CVSS
- 6.7
- EPSS
- 1%
- Published
- 2024-04-24
- HIGHCVE-2025-20127
CVE-2025-20127
A vulnerability in the TLS 1.3 implementation for a specific cipher for Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software for Cisco Firepower 3100 and 4200 Series devices could allow an authenticated, remote attacker to consume resources that are associated with incoming TLS 1.3 connections, which eventually could cause the device to stop accepting any new SSL/TLS or VPN requests. This vulnerability is due to the implementation of the TLS 1.3 Cipher TLS_CHACHA20_POLY1305_SHA256. An attacker could exploit this vulnerability by sending a large number of TLS 1.3 connections with the specific TLS 1.3 Cipher TLS_CHACHA20_POLY1305_SHA256. A successful exploit could allow the attacker to cause a denial of service (DoS) condition where no new incoming encrypted connections are accepted. The device must be reloaded to clear this condition. Note: These incoming TLS 1.3 connections include both data traffic and user-management traffic. After the device is in the vulnerable state, no new encrypted connections can be accepted.
- CVSS
- 7.7
- EPSS
- 1%
- Published
- 2025-08-14
- MEDIUMCVE-2024-20493
CVE-2024-20493
A vulnerability in the login authentication functionality of the Remote Access SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to deny further VPN user authentications for several minutes, resulting in a temporary denial of service (DoS) condition. This vulnerability is due to ineffective handling of memory resources during the authentication process. An attacker could exploit this vulnerability by sending crafted packets, which could cause resource exhaustion of the authentication process. A successful exploit could allow the attacker to deny authentication for Remote Access SSL VPN users for several minutes, resulting in a temporary DoS condition.
- CVSS
- 5.3
- EPSS
- 1%
- Published
- 2024-10-23
- HIGHCVE-2024-20494
CVE-2024-20494
A vulnerability in the TLS cryptography functionality of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to improper data validation during the TLS 1.3 handshake. An attacker could exploit this vulnerability by sending a crafted TLS 1.3 packet to an affected system through a TLS 1.3-enabled listening socket. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition. Note: This vulnerability can also impact the integrity of a device by causing VPN HostScan communication failures or file transfer failures when Cisco ASA Software is upgraded using Cisco Adaptive Security Device Manager (ASDM).
- CVSS
- 8.6
- EPSS
- 1%
- Published
- 2024-10-23
- MEDIUMCVE-2024-20526
CVE-2024-20526
A vulnerability in the SSH server of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition for the SSH server of an affected device. This vulnerability is due to a logic error when an SSH session is established. An attacker could exploit this vulnerability by sending crafted SSH messages to an affected device. A successful exploit could allow the attacker to exhaust available SSH resources on the affected device so that new SSH connections to the device are denied, resulting in a DoS condition. Existing SSH connections to the device would continue to function normally. The device must be rebooted manually to recover. However, user traffic would not be impacted and could be managed using a remote application such as Cisco Adaptive Security Device Manager (ASDM).
- CVSS
- 5.3
- EPSS
- 0%
- Published
- 2024-10-23
- MEDIUMCVE-2024-20384
CVE-2024-20384
A vulnerability in the Network Service Group (NSG) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should be denied to flow through an affected device. This vulnerability is due to a logic error that occurs when NSG ACLs are populated on an affected device. An attacker could exploit this vulnerability by establishing a connection to the affected device. A successful exploit could allow the attacker to bypass configured ACL rules.
- CVSS
- 5.8
- EPSS
- 0%
- Published
- 2024-10-23
- HIGHCVE-2026-20082
CVE-2026-20082
A vulnerability in the handling of the embryonic connection limits in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause incoming TCP SYN packets to be dropped incorrectly. This vulnerability is due to improper handling of new, incoming TCP connections that are destined to management or data interfaces when the device is under a TCP SYN flood attack. An attacker could exploit this vulnerability by sending a crafted stream of traffic to an affected device. A successful exploit could allow the attacker to prevent all incoming TCP connections to the device from being established, including remote management access, Remote Access VPN (RAVPN) connections, and all network protocols that are TCP-based. This results in a denial of service (DoS) condition for affected features.
- CVSS
- 8.6
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20073
CVE-2026-20073
A vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to send traffic that should be denied through an affected device. This vulnerability is due to improper error handling when an affected device that is joining a cluster runs out of memory while replicating access control rules. An attacker could exploit this vulnerability by sending traffic that should be blocked through the device. A successful exploit could allow the attacker to bypass access controls and reach devices in protected networks.
- CVSS
- 5.8
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20009
CVE-2026-20009
A vulnerability in the implementation of the proprietary SSH stack with SSH key-based authentication in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to log in to a Cisco Secure Firewall ASA device and execute commands as a specific user. This vulnerability is due to insufficient validation of user input during the SSH authentication phase. An attacker could exploit this vulnerability by submitting crafted input during SSH authentication to an affected device. A successful exploit could allow the attacker to log in to the device as a specific user without the private SSH key of that user. To exploit this vulnerability, the attacker must possess a valid username and the associated public key. The private key is not required. Notes: Exploitation of this vulnerability does not provide the attacker with root access. The authentication, authorization, and accounting (AAA) configuration command auto-enable is not affected by this vulnerability.
- CVSS
- 5.3
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2024-20382
CVE-2024-20382
A vulnerability in the VPN web client services feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a browser that is accessing an affected device. This vulnerability is due to improper validation of user-supplied input to application endpoints. An attacker could exploit this vulnerability by persuading a user to follow a link designed to submit malicious input to the affected application. A successful exploit could allow the attacker to execute arbitrary HTML or script code in the browser in the context of the web services page.
- CVSS
- 6.1
- EPSS
- 0%
- Published
- 2024-10-23
- HIGHCVE-2026-20039
CVE-2026-20039
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to ineffective memory management of the VPN web server. An attacker could exploit this vulnerability by sending a large number of crafted HTTP requests to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.
- CVSS
- 8.6
- EPSS
- 0%
- Published
- 2026-03-04
- HIGHCVE-2026-20101
CVE-2026-20101
A vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Secure FTD Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a DoS condition. This vulnerability is due to insufficient error checking when processing SAML messages. An attacker could exploit this vulnerability by sending crafted SAML messages to the SAML service. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.
- CVSS
- 8.6
- EPSS
- 0%
- Published
- 2026-03-04
- HIGHCVE-2026-20103
CVE-2026-20103
A vulnerability in the Remote Access SSL VPN functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to exhaust device memory resulting in a denial of service (DoS) condition to new Remote Access SSL VPN connections. This does not affect the management interface, though it may become temporarily unresponsive. This vulnerability is due to trusting user input without validation. An attacker could exploit this vulnerability by sending crafted packets to the Remote Access SSL VPN server. A successful exploit could allow the attacker to cause the device web interface to stop responding, resulting in a DoS condition.
- CVSS
- 8.6
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20016
CVE-2026-20016
A vulnerability in the Cisco FXOS Software CLI feature for Cisco Secure Firewall ASA Software and Secure FTD Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. To exploit this vulnerability, the attacker must have valid administrative credentials on an affected device. This vulnerability is due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by submitting crafted input for specific CLI commands. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges.
- CVSS
- 6.7
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20106
CVE-2026-20106
A vulnerability in the Remote Access SSL VPN, HTTP management and MUS functionality, of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to exhaust device memory resulting in a denial of service (DoS) condition requiring a manual reboot. This vulnerability is due to trusting user input without validation. An attacker could exploit this vulnerability by sending crafted packets to the Remote Access SSL VPN server. A successful exploit could allow the attacker to cause the device to stop responding, resulting in a DoS condition.
- CVSS
- 5.3
- EPSS
- 0%
- Published
- 2026-03-04
- HIGHCVE-2026-20105
CVE-2026-20105
A vulnerability in the Remote Access SSL VPN functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker with a valid VPN connection to exhaust device memory resulting in a denial of service (DoS) condition.This does not affect the management or MUS interfaces. This vulnerability is due to trusting user input without validation. An attacker could exploit this vulnerability by sending crafted packets to the Remote Access SSL VPN server. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.
- CVSS
- 7.7
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20015
CVE-2026-20015
A vulnerability in the IKEv2 feature of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device that may impact the availability of services to devices elsewhere in the network. This vulnerability is due to a memory leak when parsing IKEv2 packets. An attacker could exploit this vulnerability by sending crafted IKEv2 packets to an affected device. A successful exploit could allow the attacker to exhaust resources, causing a DoS condition that will eventually require the device to be manually reloaded.
- CVSS
- 5.8
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20013
CVE-2026-20013
A vulnerability in the IKEv2 feature of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device that may also impact the availability of services to devices elsewhere in the network. This vulnerability is due to memory exhaustion caused by not freeing memory during IKEv2 packet processing. An attacker could exploit this vulnerability by sending crafted IKEv2 packets to an affected device. A successful exploit could allow the attacker to exhaust resources, causing a DoS condition that will eventually require the device to manually reload.
- CVSS
- 5.8
- EPSS
- 0%
- Published
- 2026-03-04
- HIGHCVE-2026-20049
CVE-2026-20049
A vulnerability in the processing of Galois/Counter Mode (GCM)-encrypted Internet Key Exchange version 2 (IKEv2) IPsec traffic of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to the allocation of an insufficiently sized block of memory. An attacker could exploit this vulnerability by sending crafted GCM-encrypted IPsec traffic to an affected device. A successful exploit could allow the attacker to cause an unexpected reload of the device, resulting in a DoS condition. To exploit this vulnerability, the attacker must have valid credentials to establish a VPN connection with the affected device.
- CVSS
- 7.7
- EPSS
- 0%
- Published
- 2026-03-04
- HIGHCVE-2026-20014
CVE-2026-20014
A vulnerability in the IKEv2 feature of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an authenticated, remote attacker with valid VPN user credentials to cause a DoS condition on an affected device that may also impact the availability of services to devices elsewhere in the network. This vulnerability is due to the improper processing of IKEv2 packets. An attacker could exploit this vulnerability by sending crafted, authenticated IKEv2 packets to an affected device. A successful exploit could allow the attacker to exhaust memory, causing the device to reload.
- CVSS
- 7.7
- EPSS
- 0%
- Published
- 2026-03-04
- HIGHCVE-2026-20100
CVE-2026-20100
A vulnerability in the LUA interperter of the Remote Access SSL VPN feature of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker with a valid VPN connection to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This does not affect the management or MUS interfaces. This vulnerability is due to trusting user input without validation in the LUA interprerter. An attacker could exploit this vulnerability by sending crafted HTTP packets to the Remote Access SSL VPN server. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.
- CVSS
- 7.7
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20069
CVE-2026-20069
A vulnerability in the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct browser-based attacks against users of an affected device. This vulnerability is due to improper validation of HTTP requests. An attacker could exploit this vulnerability by persuading a user to visit a website that is designed to pass malicious HTTP requests to a device that is running Cisco Secure Firewall ASA Software or Cisco Secure FTD Software and has web services endpoints supporting VPN features enabled. A successful exploit could allow the attacker to reflect malicious input from the affected device to the browser that is in use and conduct browser-based attacks, including cross-site scripting (XSS) attacks. The attacker is not able to directly impact the affected device.
- CVSS
- 4.3
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20102
CVE-2026-20102
A vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the SAML feature and access sensitive, browser-based information. This vulnerability is due to insufficient input validation of multiple HTTP parameters. An attacker could exploit this vulnerability by persuading a user to access a malicious link. A successful exploit could allow the attacker to conduct a reflected XSS attack through an affected device.
- CVSS
- 6.1
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20070
CVE-2026-20070
A vulnerability in the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a browser that is accessing an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by persuading a user to follow a link to a malicious website that is designed to submit malicious input to the affected application. A successful exploit could allow the attacker to execute arbitrary HTML or script code in the browser in the context of the VPN web server.
- CVSS
- 6.1
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20020
CVE-2026-20020
A vulnerability in the OSPF protocol of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an unauthenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a DoS condition. If OSPF authentication is enabled, the attacker must know the secret key to exploit this vulnerability. This vulnerability is due to insufficient input validation when processing OSPF update packets. An attacker could exploit this vulnerability by sending crafted OSPF update packets. A successful exploit could allow the attacker to create a buffer overflow, causing the affected device to reload, resulting in a DoS condition.
- CVSS
- 5.7
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20021
CVE-2026-20021
A vulnerability in the OSPF protocol of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, adjacent attacker to exhaust memory on an affected device, resulting in a denial of service (DoS) condition. This vulnerability is due to improperly validating input by the OSPF protocol when parsing packets. An attacker could exploit this vulnerability by by sending crafted OSPF packets to an affected device. A successful exploit could allow the attacker to exhaust memory on the affected device, resulting in a DoS condition.
- CVSS
- 4.3
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20022
CVE-2026-20022
A vulnerability in the OSPF protocol of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an unauthenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a DoS condition when OSPF canonicalization debug is enabled by using the command debug ip ospf canon. This vulnerability is due to insufficient input validation when processing OSPF LSU packets. An attacker could exploit this vulnerability by sending crafted unauthenticated OSPF packets. A successful exploit could allow the attacker to write to memory outside of the packet data, causing the device to reload, resulting in a DoS condition.
- CVSS
- 6.5
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20024
CVE-2026-20024
A vulnerability in the OSPF protocol of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an authenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a DoS condition. To exploit this vulnerability, the attacker must have the OSPF secret key. This vulnerability is due to heap corruption in OSPF when parsing packets. An attacker could exploit this vulnerability by sending crafted packets to the OSPF service. A successful exploit could allow the attacker to corrupt the heap, causing the affected device to reload, resulting in a DoS condition.
- CVSS
- 5.7
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20025
CVE-2026-20025
A vulnerability in the OSPF protocol of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an authenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a DoS condition. To exploit this vulnerability, the attacker must have the OSPF secret key. This vulnerability is due to insufficient input validation when processing OSPF link-state update (LSU) packets. An attacker could exploit this vulnerability by sending crafted OSPF LSU packets. A successful exploit could allow the attacker to corrupt the heap, causing the device to reload, resulting in a DoS condition.
- CVSS
- 6.8
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20023
CVE-2026-20023
A vulnerability in the OSPF protocol of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, adjacent attacker to corrupt memory on an affected device, resulting in a denial of service (DoS) condition. This vulnerability is due to memory corruption when parsing OSPF protocol packets. An attacker could exploit this vulnerability by sending crafted OSPF packets to an affected device. A successful exploit could allow the attacker to cause memory corruption causing the affected device to reboot, resulting in a DoS condition.
- CVSS
- 6.5
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20008
CVE-2026-20008
A vulnerability in a small subset of CLI commands that are used on Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, local attacker to craft Lua code that could be used on the underlying operating system as root. This vulnerability exists because user-provided input is not properly sanitized. An attacker could exploit this vulnerability by crafting valid Lua code and submitting it as a malicious parameter for a CLI command. A successful exploit could allow the attacker to inject Lua code, which could lead to arbitrary code execution as the root user. To exploit this vulnerability, an attacker must have valid Administrator credentials.
- CVSS
- 6
- EPSS
- 0%
- Published
- 2026-03-04
Stop checking versions by hand
Is your whole fleet exposed, not just this Cisco ASA?
VulnMonitor reconciles every advisory against your real inventory and ranks what matters by actual exploitation (CISA KEV, EPSS), not raw CVSS. New CVE hits your gear, it is on your queue with the fix attached.
Free to start · no credit card
Other Cisco ASA versions
- 9.18(1) 56 CVEs · 6 KEV
- 9.18(2)5 55 CVEs · 6 KEV
- 9.18(2) 55 CVEs · 6 KEV
- 9.18(1)3 55 CVEs · 6 KEV
- 9.19(1) 54 CVEs · 6 KEV
- 9.18(2)7 54 CVEs · 6 KEV
- 9.18(2)8 53 CVEs · 6 KEV
- 9.17(1) 53 CVEs · 6 KEV
- 9.16(2)7 53 CVEs · 6 KEV
- 9.16(2)3 53 CVEs · 6 KEV
- 9.16(2)11 53 CVEs · 6 KEV
- 9.16(2) 53 CVEs · 6 KEV
- 9.16(1)28 53 CVEs · 6 KEV
- 9.16(1) 53 CVEs · 6 KEV