Description
A vulnerability in the Cisco FXOS Software CLI feature for Cisco Secure Firewall ASA Software and Secure FTD Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. To exploit this vulnerability, the attacker must have valid administrative credentials on an affected device.

This vulnerability is due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by submitting crafted input for specific CLI commands. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges.
Published: 2026-03-04
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Command Injection
Action: Patch Immediately
AI Analysis

Impact

A flaw in the Cisco FXOS Software CLI feature allows an authenticated, local administrator to submit crafted command arguments that bypass input validation. This defect can be leveraged to execute arbitrary operating‑system commands with root privileges, effectively granting the attacker full control over the device’s host environment. The vulnerability is limited to devices on which the attacker already holds administrative credentials.

Affected Systems

Cisco Secure Firewall Threat Defense (FTD) Software, including Cisco Secure Firewall ASA Software, is affected. No specific version information was provided in the advisory; all commonly deployed releases should be considered vulnerable until a patch is applied.

Risk and Exploitability

The CVSS base score of 6 indicates medium severity, and the EPSS score of less than 1% shows a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because exploitation requires valid administrative credentials and access to the CLI, the attack vector is local, and an attacker would need to compromise the device’s management plane or otherwise gain user access before the flaw can be abused.

Generated by OpenCVE AI on April 16, 2026 at 13:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Cisco Secure Firewall FTD software update that contains the fix for the CLI command injection flaw.
  • If an update cannot be applied immediately, limit physical and logical access to the device’s CLI and restrict administrative privileges to trusted personnel only.
  • Implement additional input filtering or monitoring on the CLI to detect suspicious command patterns, in line with principles for mitigating CWE‑88 vulnerabilities.

Generated by OpenCVE AI on April 16, 2026 at 13:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 13:30:00 +0000

Type Values Removed Values Added
Title Authenticated Local CLI Command Injection in Cisco Secure Firewall FTD

Thu, 05 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Cisco
Cisco secure Firewall Threat Defense
Vendors & Products Cisco
Cisco secure Firewall Threat Defense

Wed, 04 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description A vulnerability in the Cisco FXOS Software CLI feature for Cisco Secure Firewall ASA Software and Secure FTD Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. To exploit this vulnerability, the attacker must have valid administrative credentials on an affected device. This vulnerability is due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by submitting crafted input for specific CLI commands. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges.
Weaknesses CWE-88
References
Metrics cvssV3_1

{'score': 6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Cisco Secure Firewall Threat Defense
cve-icon MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-05T04:55:50.590Z

Reserved: 2025-10-08T11:59:15.351Z

Link: CVE-2026-20016

cve-icon Vulnrichment

Updated: 2026-03-04T21:33:16.415Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-04T19:16:11.443

Modified: 2026-03-05T19:39:11.967

Link: CVE-2026-20016

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T13:15:06Z

Weaknesses