CVE-2026-20006 - Vulnerability Details

- Cisco Firepower Threat Defense Software and Cisco FirePOWER Services TLS with Snort 3 Denial of Service Vulnerability

Description

A vulnerability in the TLS cryptography functionality of the Snort 3 Detection Engine of Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to unexpectedly restart, resulting in a denial of service (DoS) condition.

This vulnerability is due to improper implementation of the TLS protocol. An attacker could exploit this vulnerability by sending a crafted TLS packet to an affected system. A successful exploit could allow the attacker to cause a device that is running Cisco Secure FTD Software to drop network traffic, resulting in a DoS condition. 
Note: TLS 1.3 is not affected by this vulnerability.

Published: 2026-03-04

Score: 5.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the TLS cryptography implementation of the Snort 3 Detection Engine within Cisco Secure Firewall Threat Defense (FTD) Software enables an attacker to send a specially crafted TLS packet, causing the engine to unexpectedly restart. The resulting restart forces the device to drop network traffic, creating a denial of service condition. The weakness is classified as CWE‑388, an insecure interface or protocol vulnerability that can lead to service disruption.

Affected Systems

Cisco Secure Firewall Threat Defense (FTD) Software is impacted. No specific product versions are listed in the advisory; therefore, all currently deployed FTD instances are potentially vulnerable unless documented otherwise by the vendor.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.8, indicating moderate severity, and an EPSS score below 1 %, implying a low likelihood of exploitation at present. The vulnerability is not present in Cisco’s Known Exploited Vulnerabilities catalog. Based on the description, the attack vector is remote and unauthenticated: an external actor can target the affected firewall by transmitting the crafted TLS packet over a network connection. Successful exploitation would cause the Snort 3 engine to restart, leading to a denial of service that affects all traffic processed by the device.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Cisco

Cisco Secure Firewall Threat Defense (FTD) Software

unknown

Version	Status	Constraints
`7.2.0`	affected	—
`7.2.0.1`	affected	—
`7.2.1`	affected	—
`7.3.0`	affected	—
`7.2.2`	affected	—
`7.2.3`	affected	—
`7.3.1`	affected	—
`7.2.4`	affected	—
`7.2.5`	affected	—
`7.2.4.1`	affected	—
`7.3.1.1`	affected	—
`7.4.0`	affected	—
`7.2.5.1`	affected	—
`7.4.1`	affected	—
`7.2.6`	affected	—
`7.4.1.1`	affected	—
`7.2.7`	affected	—
`7.2.5.2`	affected	—
`7.3.1.2`	affected	—
`7.2.8`	affected	—
`7.6.0`	affected	—
`7.4.2`	affected	—
`7.2.8.1`	affected	—
`7.4.2.1`	affected	—
`7.2.9`	affected	—
`7.4.2.2`	affected	—
`7.2.10`	affected	—
`7.6.1`	affected	—
`7.4.2.3`	affected	—
`7.6.2`	affected	—
`7.6.2.1`	affected	—
`7.4.2.4`	affected	—
`7.2.10.2`	affected	—

No data.

Vendor Product Confidence Versions

Cisco

Secure Firewall Threat Defense

100%

Version	Status	Scheme	Platform
`7.2.0`	affected	semver	—
`7.2.0.1`	affected	generic	—
`7.2.1`	affected	semver	—
`7.3.0`	affected	semver	—
`7.2.2`	affected	semver	—
`7.2.3`	affected	semver	—
`7.3.1`	affected	semver	—
`7.2.4`	affected	semver	—
`7.2.5`	affected	semver	—
`7.2.4.1`	affected	generic	—
`7.3.1.1`	affected	generic	—
`7.4.0`	affected	semver	—
`7.2.5.1`	affected	generic	—
`7.4.1`	affected	semver	—
`7.2.6`	affected	semver	—
`7.4.1.1`	affected	generic	—
`7.2.7`	affected	semver	—
`7.2.5.2`	affected	generic	—
`7.3.1.2`	affected	generic	—
`7.2.8`	affected	semver	—
`7.6.0`	affected	semver	—
`7.4.2`	affected	semver	—
`7.2.8.1`	affected	generic	—
`7.4.2.1`	affected	generic	—
`7.2.9`	affected	semver	—
`7.4.2.2`	affected	generic	—
`7.2.10`	affected	semver	—
`7.6.1`	affected	semver	—
`7.4.2.3`	affected	semver	—
`7.6.2`	affected	semver	—
`7.6.2.1`	affected	generic	—
`7.4.2.4`	affected	generic	—
`7.2.10.2`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install the latest Cisco Secure Firewall Threat Defense (FTD) Software that contains the TLS handling fix as described in the Cisco advisory.
If a patch is not immediately available, restart the Snort 3 Detection Engine or reboot the device to clear any abnormal state and restore service.
Configure firewall rules or packet filters to limit or block suspicious TLS traffic until the software update is applied, reducing the exposure surface of the vulnerability.

Generated by OpenCVE AI on April 16, 2026 at 13:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00134.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-tcp-dos-rHfqnwRg

History

Thu, 05 Mar 2026 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cisco Cisco secure Firewall Threat Defense
Vendors & Products		Cisco Cisco secure Firewall Threat Defense

Wed, 04 Mar 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 04 Mar 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the TLS cryptography functionality of the Snort 3 Detection Engine of Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to unexpectedly restart, resulting in a denial of service (DoS) condition. This vulnerability is due to improper implementation of the TLS protocol. An attacker could exploit this vulnerability by sending a crafted TLS packet to an affected system. A successful exploit could allow the attacker to cause a device that is running Cisco Secure FTD Software to drop network traffic, resulting in a DoS condition.  Note: TLS 1.3 is not affected by this vulnerability.
Title		Cisco Firepower Threat Defense Software and Cisco FirePOWER Services TLS with Snort 3 Denial of Service Vulnerability
Weaknesses		CWE-388
References		https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-tcp-dos-rHfqnwRg
Metrics		cvssV3_1 `{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L'}`

Subscriptions

Cisco Secure Firewall Threat Defense

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2026-03-04T17:37:54.866Z

Updated: 2026-03-04T20:51:58.937Z

Reserved: 2025-10-08T11:59:15.349Z

Link: CVE-2026-20006

Vulnrichment

Updated: 2026-03-04T20:51:55.949Z

NVD

Status : Awaiting Analysis

Published: 2026-03-04T18:16:13.803

Modified: 2026-03-05T19:39:11.967

Link: CVE-2026-20006

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:30:16Z

Weaknesses

CWE-388

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object