Description
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

This vulnerability is due to ineffective memory management of the VPN web server. An attacker could exploit this vulnerability by sending a large number of crafted HTTP requests to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.
Published: 2026-03-04
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A flaw in the SSL VPN web server of the Cisco Secure Firewall ASA and FTD allows an unauthenticated, remote attacker to trigger a denial of service by sending a stream of malformed HTTP requests. The vulnerability stems from improper memory management identified as CWE-244. Successful exploitation forces the device to reload, interrupting legitimate VPN traffic and rendering the firewall inoperative until it recovers.

Affected Systems

The affected products are Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. Precise version information is not provided in the advisory, so all releases prior to the fix should be considered vulnerable until a vendor update is applied.

Risk and Exploitability

With a CVSS base score of 8.6, the flaw presents a high-severity risk. The EPSS score of under 1% indicates that exploitation is currently unlikely, and the flaw is not listed in the CISA KEV catalog. Nevertheless, because the attack requires no credentials and can be carried out from any network location that can reach the VPN web server, it poses a significant threat to uptime and availability for unattended devices.

Generated by OpenCVE AI on April 16, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Cisco’s official patch or upgrade ASA/FTD to a firmware version that resolves the SSL VPN DoS flaw.
  • If an immediate patch is unavailable, restrict incoming VPN traffic to trusted IP addresses using firewall rules or VLAN segmentation.
  • Disable the SSL VPN feature on devices that do not require it, or reconfigure to only allow secure TLS connections, and monitor for abnormal request patterns.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Cisco firepower Threat Defense Software
CPEs cpe:2.3:a:cisco:firepower_threat_defense_software:*:*:*:*:*:*:*:*
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
Vendors & Products Cisco firepower Threat Defense Software

Thu, 05 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Cisco
Cisco adaptive Security Appliance Software
Cisco secure Firewall Threat Defense
Vendors & Products Cisco
Cisco adaptive Security Appliance Software
Cisco secure Firewall Threat Defense

Wed, 04 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to ineffective memory management of the VPN web server. An attacker could exploit this vulnerability by sending a large number of crafted HTTP requests to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.
Title Cisco Adaptive Security Appliance and Firepower Threat Defense Software SSL VPN Authentication Denial of Service Vulnerability
Weaknesses CWE-244
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-05T15:49:08.973Z

Reserved: 2025-10-08T11:59:15.354Z

Link: CVE-2026-20039

Vulnrichment

Updated: 2026-03-05T15:49:05.817Z

NVD

Status: Analyzed

Published: 2026-03-04T18:16:17.140

Modified: 2026-04-16T20:01:23.710

Link: CVE-2026-20039

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:30:16Z

Weaknesses