Description
A vulnerability in the implementation of the proprietary SSH stack with SSH key-based authentication in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to log in to a Cisco Secure Firewall ASA device and execute commands as a specific user.

This vulnerability is due to insufficient validation of user input during the SSH authentication phase. An attacker could exploit this vulnerability by submitting crafted input during SSH authentication to an affected device. A successful exploit could allow the attacker to log in to the device as a specific user without the private SSH key of that user. To exploit this vulnerability, the attacker must possess a valid username and the associated public key. The private key is not required.
Notes:

Exploitation of this vulnerability does not provide the attacker with root access.
The authentication, authorization, and accounting (AAA) configuration command auto-enable is not affected by this vulnerability.  
Published: 2026-03-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SSH authentication bypass allowing remote login as a specified user without the private key
Action: Apply Patch
AI Analysis

Impact

A flaw in Cisco Secure Firewall ASA's proprietary SSH stack permits an attacker who knows a valid username and the associated public key to craft input during the authentication phase and gain login privileges. The attacker does not need the private key and does not achieve root-level rights, but can execute commands as the compromised user. This represents a partial authentication bypass that may expose internal commands and data accessible to that user account.

Affected Systems

The vulnerability impacts Cisco Secure Firewall Adaptive Security Appliance (ASA) Software. No specific product versions are listed, so all released versions of Cisco ASA that incorporate the affected SSH stack may be susceptible.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not present in the CISA KEV catalog. An attacker must be able to connect to the device’s SSH service from the network, possess a valid username and the corresponding public key, and send the crafted authentication data. The attack vector is remote, unauthenticated, and requires no administrative privileges beyond normal user credentials.

Generated by OpenCVE AI on April 16, 2026 at 13:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Cisco’s advisory page for the latest fixed ASA firmware version and apply the patch or upgrade accordingly
  • If an immediate patch is unavailable, consider disabling SSH key authentication or enforcing the use of hardened key policies
  • Limit SSH access to trusted IP ranges or use VPN tunneling to mitigate remote attack risk
  • Enable detailed logging of SSH login attempts and review logs regularly for suspicious activity

Generated by OpenCVE AI on April 16, 2026 at 13:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*

Thu, 05 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Cisco
Cisco adaptive Security Appliance Software
Vendors & Products Cisco
Cisco adaptive Security Appliance Software

Wed, 04 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description A vulnerability in the implementation of the proprietary SSH stack with SSH key-based authentication in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to log in to a Cisco Secure Firewall ASA device and execute commands as a specific user. This vulnerability is due to insufficient validation of user input during the SSH authentication phase. An attacker could exploit this vulnerability by submitting crafted input during SSH authentication to an affected device. A successful exploit could allow the attacker to log in to the device as a specific user without the private SSH key of that user. To exploit this vulnerability, the attacker must possess a valid username and the associated public key. The private key is not required. Notes: Exploitation of this vulnerability does not provide the attacker with root access. The authentication, authorization, and accounting (AAA) configuration command auto-enable is not affected by this vulnerability.&nbsp;&nbsp;
Title Cisco Secure Firewall Adaptive Security Appliance SSH Partial Private Key Authentication Bypass Vulnerability
Weaknesses CWE-138
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Cisco Adaptive Security Appliance Software
cve-icon MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-05T15:49:42.424Z

Reserved: 2025-10-08T11:59:15.350Z

Link: CVE-2026-20009

cve-icon Vulnrichment

Updated: 2026-03-05T15:49:36.860Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-04T18:16:14.833

Modified: 2026-04-16T20:13:12.193

Link: CVE-2026-20009

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T13:30:16Z

Weaknesses