CVE-2026-20017 - Vulnerability Details

- Cisco Secure FTD Software Authenticated Command Injection Vulnerability

Description

A vulnerability in the CLI of Cisco Secure FTD Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system as root. To exploit this vulnerability, the attacker must have valid administrative credentials on an affected device.

This vulnerability is due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by submitting crafted input for a specific CLI command. A successful exploit could allow the attacker to execute commands on the underlying operating system as root.

Published: 2026-03-04

Score: 6 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the command‑line interface of Cisco Secure FTD Software allows an authenticated, local attacker to execute arbitrary commands on the underlying operating system as root. The vulnerability arises from insufficient validation of user‑supplied command arguments for a specific CLI command, making it a classic authenticated command injection that can be leveraged with valid administrative credentials. This is identified as CWE‑250, indicating elevation of privilege through improper input handling. Successful exploitation would give an attacker kernel‑level access, potentially compromising the device’s integrity, confidentiality, and availability.

Affected Systems

The affected product is Cisco Secure Firewall Threat Defense (FTD) Software. No specific version range is listed in the advisory, so all deployed instances of this software that have not yet applied the published fix are considered vulnerable.

Risk and Exploitability

The base CVSS score of 6.0 places the vulnerability in the moderate range, and the EPSS score of less than 1% indicates a very low exploitation probability, with little evidence of widespread attacks. Because the attacker must first possess valid administrative credentials—either locally or remotely—the probability of a public exploit is limited. However, inside a compromised environment or for insiders with administrative access, the impact is severe, enabling complete system takeover. The vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation to date.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Cisco

Cisco Secure Firewall Threat Defense (FTD) Software

unknown

Version	Status	Constraints
`6.4.0.1`	affected	—
`6.4.0.2`	affected	—
`6.4.0.5`	affected	—
`6.4.0`	affected	—
`6.4.0.3`	affected	—
`6.4.0.4`	affected	—
`6.4.0.6`	affected	—
`6.4.0.7`	affected	—
`6.4.0.8`	affected	—
`6.4.0.9`	affected	—
`6.4.0.10`	affected	—
`6.4.0.11`	affected	—
`6.4.0.12`	affected	—
`7.0.0`	affected	—
`7.0.0.1`	affected	—
`7.0.1`	affected	—
`7.1.0`	affected	—
`6.4.0.13`	affected	—
`7.0.1.1`	affected	—
`6.4.0.14`	affected	—
`7.1.0.1`	affected	—
`7.0.2`	affected	—
`6.4.0.15`	affected	—
`7.2.0`	affected	—
`7.0.2.1`	affected	—
`7.0.3`	affected	—
`7.1.0.2`	affected	—
`7.2.0.1`	affected	—
`7.0.4`	affected	—
`7.2.1`	affected	—
`7.0.5`	affected	—
`6.4.0.16`	affected	—
`7.3.0`	affected	—
`7.2.2`	affected	—
`7.2.3`	affected	—
`7.3.1`	affected	—
`7.1.0.3`	affected	—
`7.2.4`	affected	—
`7.0.6`	affected	—
`7.2.5`	affected	—
`7.2.4.1`	affected	—
`7.3.1.1`	affected	—
`7.4.0`	affected	—
`6.4.0.17`	affected	—
`7.0.6.1`	affected	—
`7.2.5.1`	affected	—
`7.4.1`	affected	—
`7.2.6`	affected	—
`7.0.6.2`	affected	—
`7.4.1.1`	affected	—
`6.4.0.18`	affected	—
`7.2.7`	affected	—
`7.2.5.2`	affected	—
`7.3.1.2`	affected	—
`7.2.8`	affected	—
`7.6.0`	affected	—
`7.4.2`	affected	—
`7.2.8.1`	affected	—
`7.0.6.3`	affected	—
`7.4.2.1`	affected	—
`7.2.9`	affected	—
`7.0.7`	affected	—
`7.7.0`	affected	—
`7.4.2.2`	affected	—
`7.2.10`	affected	—
`7.6.1`	affected	—
`7.4.2.3`	affected	—
`7.0.8`	affected	—
`7.6.2`	affected	—
`7.7.10`	affected	—
`7.0.8.1`	affected	—
`7.6.2.1`	affected	—
`7.7.10.1`	affected	—
`7.4.2.4`	affected	—
`7.2.10.2`	affected	—
`7.4.3`	affected	—

No data.

Vendor Product Confidence Versions

Cisco

Secure Firewall Threat Defense

100%

Version	Status	Scheme	Platform
`6.4.0.1`	affected	generic	—
`6.4.0.2`	affected	generic	—
`6.4.0.5`	affected	generic	—
`6.4.0`	affected	semver	—
`6.4.0.3`	affected	generic	—
`6.4.0.4`	affected	generic	—
`6.4.0.6`	affected	generic	—
`6.4.0.7`	affected	generic	—
`6.4.0.8`	affected	generic	—
`6.4.0.9`	affected	generic	—
`6.4.0.10`	affected	generic	—
`6.4.0.11`	affected	generic	—
`6.4.0.12`	affected	generic	—
`7.0.0`	affected	semver	—
`7.0.0.1`	affected	generic	—
`7.0.1`	affected	semver	—
`7.1.0`	affected	semver	—
`6.4.0.13`	affected	generic	—
`7.0.1.1`	affected	generic	—
`6.4.0.14`	affected	generic	—
`7.1.0.1`	affected	generic	—
`7.0.2`	affected	semver	—
`6.4.0.15`	affected	generic	—
`7.2.0`	affected	semver	—
`7.0.2.1`	affected	generic	—
`7.0.3`	affected	semver	—
`7.1.0.2`	affected	generic	—
`7.2.0.1`	affected	generic	—
`7.0.4`	affected	semver	—
`7.2.1`	affected	semver	—
`7.0.5`	affected	semver	—
`6.4.0.16`	affected	generic	—
`7.3.0`	affected	semver	—
`7.2.2`	affected	semver	—
`7.2.3`	affected	semver	—
`7.3.1`	affected	semver	—
`7.1.0.3`	affected	generic	—
`7.2.4`	affected	semver	—
`7.0.6`	affected	semver	—
`7.2.5`	affected	semver	—
`7.2.4.1`	affected	generic	—
`7.3.1.1`	affected	generic	—
`7.4.0`	affected	semver	—
`6.4.0.17`	affected	generic	—
`7.0.6.1`	affected	generic	—
`7.2.5.1`	affected	generic	—
`7.4.1`	affected	semver	—
`7.2.6`	affected	semver	—
`7.0.6.2`	affected	generic	—
`7.4.1.1`	affected	generic	—
`6.4.0.18`	affected	generic	—
`7.2.7`	affected	semver	—
`7.2.5.2`	affected	generic	—
`7.3.1.2`	affected	generic	—
`7.2.8`	affected	semver	—
`7.6.0`	affected	semver	—
`7.4.2`	affected	semver	—
`7.2.8.1`	affected	generic	—
`7.0.6.3`	affected	generic	—
`7.4.2.1`	affected	generic	—
`7.2.9`	affected	semver	—
`7.0.7`	affected	semver	—
`7.7.0`	affected	semver	—
`7.4.2.2`	affected	generic	—
`7.2.10`	affected	semver	—
`7.6.1`	affected	semver	—
`7.4.2.3`	affected	generic	—
`7.0.8`	affected	semver	—
`7.6.2`	affected	semver	—
`7.7.10`	affected	semver	—
`7.0.8.1`	affected	generic	—
`7.6.2.1`	affected	generic	—
`7.7.10.1`	affected	generic	—
`7.4.2.4`	affected	generic	—
`7.2.10.2`	affected	generic	—
`7.4.3`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Cisco Secure FTD Software patch or upgrade to a version that addresses the command injection flaw
Restrict administrative CLI access by enforcing the principle of least privilege and disabling the vulnerable command for non‑essential users
Enable logging and monitor for anomalous CLI activity to detect potential exploitation attempts

Generated by OpenCVE AI on April 18, 2026 at 10:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00005.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-cmd-inj-mTzGZexf

History

Thu, 05 Mar 2026 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cisco Cisco secure Firewall Threat Defense
Vendors & Products		Cisco Cisco secure Firewall Threat Defense

Wed, 04 Mar 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 04 Mar 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the CLI of Cisco Secure FTD Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system as root. To exploit this vulnerability, the attacker must have valid administrative credentials on an affected device. This vulnerability is due to insufficient input validation of user-supplied command arguments. An attacker could exploit this vulnerability by submitting crafted input for a specific CLI command. A successful exploit could allow the attacker to execute commands on the underlying operating system as root.
Title		Cisco Secure FTD Software Authenticated Command Injection Vulnerability
Weaknesses		CWE-250
References		https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-cmd-inj-mTzGZexf
Metrics		cvssV3_1 `{'score': 6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}`

Subscriptions

Cisco Secure Firewall Threat Defense

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2026-03-04T17:41:28.160Z

Updated: 2026-03-05T04:55:53.018Z

Reserved: 2025-10-08T11:59:15.351Z

Link: CVE-2026-20017

Vulnrichment

Updated: 2026-03-04T20:48:56.382Z

NVD

Status : Awaiting Analysis

Published: 2026-03-04T18:16:16.140

Modified: 2026-03-05T19:39:11.967

Link: CVE-2026-20017

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:15:25Z

Weaknesses

CWE-250

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object