Skip to main content
CloudKey
English Français
Request a demo

9 actively exploited

Cisco ASA 9.8(2)28: known CVEs & fixed releases

30 CVEs affect this build · 9 in CISA KEV (actively exploited) · highest CVSS 9.9 · 38 builds behind the latest 9.8(4)48 · updated 2026-06-23

Patch path: upgrade to 9.8(4)20 or 9.8(4)34 to clear the exploited issues below.

  • KEV · exploited HIGH
    CVE-2020-3452

    Cisco ASA and FTD Read-Only Path Traversal Vulnerability

    Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an improper input validation vulnerability when HTTP requests process URLs. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.

    CVSS
    7.5
    EPSS
    100%
    KEV added
    2021-11-03
    Published
    2020-07-22
    Fixed in 9.10(1)42, 9.12(3)12, 9.13(1)10, 9.14(1)10, 9.6(4)42, 9.8(4)20, 9.9(2)74 NVD ↗Cisco ↗CISA ↗packetstormsecurity.com ↗
  • KEV · exploited HIGH
    CVE-2025-20362

    Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Missing Authorization Vulnerability

    Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a missing authorization vulnerability. This vulnerability could be chained with CVE-2025-20333.

    CVSS
    8.6
    EPSS
    86%
    KEV added
    2025-09-25
    Published
    2025-09-25
    Fixed in 9.12(4)72, 9.14(4)28, 9.16(4)85, 9.18(4)67, 9.20(4)10, 9.22(2)14, 9.23(1)19 NVD ↗Cisco ↗CISA ↗
  • KEV · exploited MEDIUM
    CVE-2020-3580

    Cisco ASA and FTD Cross-Site Scripting (XSS) Vulnerability

    Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an insufficient input validation vulnerability for user-supplied input by the web services interface. Successful exploitation could allow an attacker to perform cross-site scripting (XSS) in the context of the interface or access sensitive browser-based information.

    CVSS
    6.1
    EPSS
    85%
    KEV added
    2021-11-03
    Published
    2020-10-21
    Fixed in 9.12(4)13, 9.13(1)21, 9.14(2)8, 9.15(1)15, 9.8(4)34, 9.9(2)85 NVD ↗Cisco ↗CISA ↗
  • KEV · exploited HIGH
    CVE-2020-3259

    Cisco ASA and FTD Information Disclosure Vulnerability

    Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.

    CVSS
    7.5
    EPSS
    72%
    KEV added
    2024-02-15
    Published
    2020-05-06
    Fixed in 9.10(1)40, 9.12(3)9, 9.13(1)10, 9.8(4)20, 9.9(2)67 NVD ↗Cisco ↗CISA ↗
  • KEV · exploited HIGH
    CVE-2024-20353

    Cisco ASA and FTD Denial of Service Vulnerability

    Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an infinite loop vulnerability that can lead to remote denial of service condition.

    CVSS
    8.6
    EPSS
    63%
    KEV added
    2024-04-24
    Published
    2024-04-24
    NVD ↗Cisco ↗CISA ↗blog.talosintelligence.com ↗
  • KEV · exploited CRITICAL
    CVE-2025-20333

    Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buffer Overflow Vulnerability

    Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution. This vulnerability could be chained with CVE-2025-20362.

    CVSS
    9.9
    EPSS
    40%
    KEV added
    2025-09-25
    Published
    2025-09-25
    Fixed in 9.12(4)72, 9.14(4)28, 9.16(4)85, 9.17(1)45, 9.18(4)47, 9.19(1)37, 9.20(3)7, 9.22(1)3 NVD ↗Cisco ↗CISA ↗
  • KEV · exploited CRITICAL
    CVE-2023-20269

    Cisco Adaptive Security Appliance and Firepower Threat Defense Unauthorized Access Vulnerability

    Cisco Adaptive Security Appliance and Firepower Threat Defense contain an unauthorized access vulnerability that could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or establish a clientless SSL VPN session with an unauthorized user.

    CVSS
    9.1
    EPSS
    22%
    KEV added
    2023-09-13
    Published
    2023-09-06
    NVD ↗Cisco ↗CISA ↗
  • KEV · exploited MEDIUM
    CVE-2024-20359

    Cisco ASA and FTD Privilege Escalation Vulnerability

    Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain a privilege escalation vulnerability that can allow local privilege escalation from Administrator to root.

    CVSS
    6
    EPSS
    17%
    KEV added
    2024-04-24
    Published
    2024-04-24
    NVD ↗Cisco ↗CISA ↗blog.talosintelligence.com ↗
  • KEV · exploited MEDIUM
    CVE-2024-20481

    Cisco ASA and FTD Denial-of-Service Vulnerability

    Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain a missing release of resource after effective lifetime vulnerability that could allow an unauthenticated, remote attacker to cause a denial-of-service (DoS) of the RAVPN service.

    CVSS
    5.8
    EPSS
    16%
    KEV added
    2024-10-24
    Published
    2024-10-23
    NVD ↗Cisco ↗CISA ↗
  • CRITICAL
    CVE-2025-20363

    CVE-2025-20363

    A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, remote attacker (Cisco ASA and FTD Software) or authenticated, remote attacker (Cisco IOS, IOS XE, and IOS XR Software) with low user privileges to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device after obtaining additional information about the system, overcoming exploit mitigations, or both. A successful exploit could allow the attacker to execute arbitrary code as root, which may lead to the complete compromise of the affected device. For more information about this vulnerability, see the Details ["#details"] section of this advisory.

    CVSS
    9
    EPSS
    8%
    Published
    2025-09-25
    Fixed in 9.12(4)72, 9.14(4)28, 9.16(4)84, 9.18(4)57, 9.19(1)42, 9.20(3)16, 9.22(2), 9.23(1)3 NVD ↗Cisco ↗
  • MEDIUM
    CVE-2024-20358

    CVE-2024-20358

    A vulnerability in the Cisco Adaptive Security Appliance (ASA) restore functionality that is available in Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. This vulnerability exists because the contents of a backup file are improperly sanitized at restore time. An attacker could exploit this vulnerability by restoring a crafted backup file to an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system as root.

    CVSS
    6.7
    EPSS
    1%
    Published
    2024-04-24
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2023-20081

    CVE-2023-20081

    A vulnerability in the IPv6 DHCP (DHCPv6) client module of Cisco Adaptive Security Appliance (ASA) Software, Cisco Firepower Threat Defense (FTD) Software, Cisco IOS Software, and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of DHCPv6 messages. An attacker could exploit this vulnerability by sending crafted DHCPv6 messages to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition. Note: To successfully exploit this vulnerability, the attacker would need to either control the DHCPv6 server or be in a man-in-the-middle position.

    CVSS
    5.9
    EPSS
    1%
    Published
    2023-03-23
    NVD ↗Cisco ↗
  • HIGH
    CVE-2023-20086

    CVE-2023-20086

    A vulnerability in ICMPv6 processing of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to improper processing of ICMPv6 messages. An attacker could exploit this vulnerability by sending crafted ICMPv6 messages to a targeted Cisco ASA or FTD system with IPv6 enabled. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    1%
    Published
    2023-11-01
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2024-20331

    CVE-2024-20331

    A vulnerability in the session authentication functionality of the Remote Access SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to prevent users from authenticating. This vulnerability is due to insufficient entropy in the authentication process. An attacker could exploit this vulnerability by determining the handle of an authenticating user and using it to terminate their authentication session. A successful exploit could allow the attacker to force a user to restart the authentication process, preventing a legitimate user from establishing remote access VPN sessions.

    CVSS
    5.9
    EPSS
    1%
    Published
    2024-10-23
    NVD ↗Cisco ↗
  • HIGH
    CVE-2023-20095

    CVE-2023-20095

    A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper handling of HTTPS requests. An attacker could exploit this vulnerability by sending crafted HTTPS requests to an affected system. A successful exploit could allow the attacker to cause resource exhaustion, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    1%
    Published
    2023-11-01
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2023-20256

    CVE-2023-20256

    Multiple vulnerabilities in the per-user-override feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should be denied to flow through an affected device. These vulnerabilities are due to a logic error that could occur when the affected software constructs and applies per-user-override rules. An attacker could exploit these vulnerabilities by connecting to a network through an affected device that has a vulnerable configuration. A successful exploit could allow the attacker to bypass the interface ACL and access resources that would should be protected.

    CVSS
    5.8
    EPSS
    1%
    Published
    2023-11-01
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2024-20493

    CVE-2024-20493

    A vulnerability in the login authentication functionality of the Remote Access SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to deny further VPN user authentications for several minutes, resulting in a temporary denial of service (DoS) condition. This vulnerability is due to ineffective handling of memory resources during the authentication process. An attacker could exploit this vulnerability by sending crafted packets, which could cause resource exhaustion of the authentication process. A successful exploit could allow the attacker to deny authentication for Remote Access SSL VPN users for several minutes, resulting in a temporary DoS condition.

    CVSS
    5.3
    EPSS
    1%
    Published
    2024-10-23
    NVD ↗Cisco ↗
  • HIGH
    CVE-2024-20402

    CVE-2024-20402

    A vulnerability in the SSL VPN feature for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to a logic error in memory management when the device is handling SSL VPN connections. An attacker could exploit this vulnerability by sending crafted SSL/TLS packets to the SSL VPN server of the affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    1%
    Published
    2024-10-23
    NVD ↗Cisco ↗
  • HIGH
    CVE-2024-20495

    CVE-2024-20495

    A vulnerability in the Remote Access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition on an affected device. This vulnerability is due to improper validation of client key data after the TLS session is established. An attacker could exploit this vulnerability by sending a crafted key value to an affected system over the secure TLS session. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

    CVSS
    8.6
    EPSS
    1%
    Published
    2024-10-23
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2023-20245

    CVE-2023-20245

    Multiple vulnerabilities in the per-user-override feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should be denied to flow through an affected device. These vulnerabilities are due to a logic error that could occur when the affected software constructs and applies per-user-override rules. An attacker could exploit these vulnerabilities by connecting to a network through an affected device that has a vulnerable configuration. A successful exploit could allow the attacker to bypass the interface ACL and access resources that would should be protected.

    CVSS
    5.8
    EPSS
    0%
    Published
    2023-11-01
    NVD ↗Cisco ↗
  • HIGH
    CVE-2025-20182

    CVE-2025-20182

    A vulnerability in the Internet Key Exchange version 2 (IKEv2) protocol processing of Cisco Adaptive Security Appliance (ASA) Software, Cisco Firepower Threat Defense (FTD) Software, Cisco IOS Software, and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient input validation when processing IKEv2 messages. An attacker could exploit this vulnerability by sending crafted IKEv2 traffic to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition on the affected device.

    CVSS
    8.6
    EPSS
    0%
    Published
    2025-05-07
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2024-20299

    CVE-2024-20299

    A vulnerability in the AnyConnect firewall for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should have been denied to flow through an affected device. This vulnerability is due to a logic error in populating group ACLs when an AnyConnect client establishes a new session toward an affected device. An attacker could exploit this vulnerability by establishing an AnyConnect connection to the affected device. A successful exploit could allow the attacker to bypass configured ACL rules.

    CVSS
    5.8
    EPSS
    0%
    Published
    2024-10-23
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2024-20297

    CVE-2024-20297

    A vulnerability in the AnyConnect firewall for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass a configured access control list (ACL) and allow traffic that should have been denied to flow through an affected device. This vulnerability is due to a logic error in populating group ACLs when an AnyConnect client establishes a new session toward an affected device. An attacker could exploit this vulnerability by establishing an AnyConnect connection to the affected device. A successful exploit could allow the attacker to bypass configured ACL rules.

    CVSS
    5.8
    EPSS
    0%
    Published
    2024-10-23
    NVD ↗Cisco ↗
  • HIGH
    CVE-2024-20408

    CVE-2024-20408

    A vulnerability in the Dynamic Access Policies (DAP) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to cause an affected device to reload unexpectedly. To exploit this vulnerability, an attacker would need valid remote access VPN user credentials on the affected device. This vulnerability is due to improper validation of data in HTTPS POST requests. An attacker could exploit this vulnerability by sending a crafted HTTPS POST request to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition.

    CVSS
    7.7
    EPSS
    0%
    Published
    2024-10-23
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2024-20341

    CVE-2024-20341

    A vulnerability in the VPN web client services feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a browser that is accessing an affected device. This vulnerability is due to improper validation of user-supplied input to application endpoints. An attacker could exploit this vulnerability by persuading a user to follow a link designed to submit malicious input to the affected application. A successful exploit could allow the attacker to execute arbitrary HTML or script code in the browser in the context of the web services page.

    CVSS
    6.1
    EPSS
    0%
    Published
    2024-10-23
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2023-20275

    CVE-2023-20275

    A vulnerability in the AnyConnect SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to send packets with another VPN user's source IP address. This vulnerability is due to improper validation of the packet's inner source IP address after decryption. An attacker could exploit this vulnerability by sending crafted packets through the tunnel. A successful exploit could allow the attacker to send a packet impersonating another VPN user's IP address. It is not possible for the attacker to receive return packets.

    CVSS
    4.3
    EPSS
    0%
    Published
    2023-12-12
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2024-20382

    CVE-2024-20382

    A vulnerability in the VPN web client services feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a browser that is accessing an affected device. This vulnerability is due to improper validation of user-supplied input to application endpoints. An attacker could exploit this vulnerability by persuading a user to follow a link designed to submit malicious input to the affected application. A successful exploit could allow the attacker to execute arbitrary HTML or script code in the browser in the context of the web services page.

    CVSS
    6.1
    EPSS
    0%
    Published
    2024-10-23
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2024-20355

    CVE-2024-20355

    A vulnerability in the implementation of SAML 2.0 single sign-on (SSO) for remote access VPN services in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to successfully establish a VPN session on an affected device. This vulnerability is due to improper separation of authorization domains when using SAML authentication. An attacker could exploit this vulnerability by using valid credentials to successfully authenticate using their designated connection profile (tunnel group), intercepting the SAML SSO token that is sent back from the Cisco ASA device, and then submitting the same SAML SSO token to a different tunnel group for authentication. A successful exploit could allow the attacker to establish a remote access VPN session using a connection profile that they are not authorized to use and connect to secured networks behind the affected device that they are not authorized to access. For successful exploitation, the attacker must have valid remote access VPN user credentials.

    CVSS
    5
    EPSS
    0%
    Published
    2024-05-22
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2023-20247

    CVE-2023-20247

    A vulnerability in the remote access SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to bypass a configured multiple certificate authentication policy and connect using only a valid username and password. This vulnerability is due to improper error handling during remote access VPN authentication. An attacker could exploit this vulnerability by sending crafted requests during remote access VPN session establishment. A successful exploit could allow the attacker to bypass the configured multiple certificate authentication policy while retaining the privileges and permissions associated with the original connection profile.

    CVSS
    4.3
    EPSS
    0%
    Published
    2023-11-01
    NVD ↗Cisco ↗
  • MEDIUM
    CVE-2024-20485

    CVE-2024-20485

    A vulnerability in the VPN web server of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. This vulnerability is due to improper validation of a specific file when it is read from system flash memory. An attacker could exploit this vulnerability by restoring a crafted backup file to an affected device. A successful exploit could allow the attacker to execute arbitrary code on the affected device after the next reload of the device, which could alter system behavior. Because the injected code could persist across device reboots, Cisco has raised the Security Impact Rating (SIR) of this advisory from Medium to High.

    CVSS
    6.7
    EPSS
    0%
    Published
    2024-10-23
    NVD ↗Cisco ↗

Stop checking versions by hand

Is your whole fleet exposed, not just this Cisco ASA?

VulnMonitor reconciles every advisory against your real inventory and ranks what matters by actual exploitation (CISA KEV, EPSS), not raw CVSS. New CVE hits your gear, it is on your queue with the fix attached.

Start free How VulnMonitor works

Free to start · no credit card

Other Cisco ASA versions