Build advisory
Cisco ASA 9.23(1)19: known CVEs & fixed releases
6 CVEs affect this build · highest CVSS 6.5 · 2 builds behind the latest 9.23(1)26 · updated 2026-06-23
Patch path: upgrade to 9.23(1)26 to clear the exploited issues below.
- MEDIUMCVE-2026-20073
CVE-2026-20073
A vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to send traffic that should be denied through an affected device. This vulnerability is due to improper error handling when an affected device that is joining a cluster runs out of memory while replicating access control rules. An attacker could exploit this vulnerability by sending traffic that should be blocked through the device. A successful exploit could allow the attacker to bypass access controls and reach devices in protected networks.
- CVSS
- 5.8
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20102
CVE-2026-20102
A vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the SAML feature and access sensitive, browser-based information. This vulnerability is due to insufficient input validation of multiple HTTP parameters. An attacker could exploit this vulnerability by persuading a user to access a malicious link. A successful exploit could allow the attacker to conduct a reflected XSS attack through an affected device.
- CVSS
- 6.1
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20070
CVE-2026-20070
A vulnerability in the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a browser that is accessing an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by persuading a user to follow a link to a malicious website that is designed to submit malicious input to the affected application. A successful exploit could allow the attacker to execute arbitrary HTML or script code in the browser in the context of the VPN web server.
- CVSS
- 6.1
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20021
CVE-2026-20021
A vulnerability in the OSPF protocol of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, adjacent attacker to exhaust memory on an affected device, resulting in a denial of service (DoS) condition. This vulnerability is due to improperly validating input by the OSPF protocol when parsing packets. An attacker could exploit this vulnerability by by sending crafted OSPF packets to an affected device. A successful exploit could allow the attacker to exhaust memory on the affected device, resulting in a DoS condition.
- CVSS
- 4.3
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20022
CVE-2026-20022
A vulnerability in the OSPF protocol of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an unauthenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a DoS condition when OSPF canonicalization debug is enabled by using the command debug ip ospf canon. This vulnerability is due to insufficient input validation when processing OSPF LSU packets. An attacker could exploit this vulnerability by sending crafted unauthenticated OSPF packets. A successful exploit could allow the attacker to write to memory outside of the packet data, causing the device to reload, resulting in a DoS condition.
- CVSS
- 6.5
- EPSS
- 0%
- Published
- 2026-03-04
- MEDIUMCVE-2026-20023
CVE-2026-20023
A vulnerability in the OSPF protocol of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, adjacent attacker to corrupt memory on an affected device, resulting in a denial of service (DoS) condition. This vulnerability is due to memory corruption when parsing OSPF protocol packets. An attacker could exploit this vulnerability by sending crafted OSPF packets to an affected device. A successful exploit could allow the attacker to cause memory corruption causing the affected device to reboot, resulting in a DoS condition.
- CVSS
- 6.5
- EPSS
- 0%
- Published
- 2026-03-04
Stop checking versions by hand
Is your whole fleet exposed, not just this Cisco ASA?
VulnMonitor reconciles every advisory against your real inventory and ranks what matters by actual exploitation (CISA KEV, EPSS), not raw CVSS. New CVE hits your gear, it is on your queue with the fix attached.
Free to start · no credit card
Other Cisco ASA versions
- 9.18(1) 56 CVEs · 6 KEV
- 9.18(2)5 55 CVEs · 6 KEV
- 9.18(2) 55 CVEs · 6 KEV
- 9.18(1)3 55 CVEs · 6 KEV
- 9.19(1) 54 CVEs · 6 KEV
- 9.18(2)7 54 CVEs · 6 KEV
- 9.18(2)8 53 CVEs · 6 KEV
- 9.17(1) 53 CVEs · 6 KEV
- 9.16(2)7 53 CVEs · 6 KEV
- 9.16(2)3 53 CVEs · 6 KEV
- 9.16(2)11 53 CVEs · 6 KEV
- 9.16(2) 53 CVEs · 6 KEV
- 9.16(1)28 53 CVEs · 6 KEV
- 9.16(1) 53 CVEs · 6 KEV