Description
A vulnerability in the Do Not Decrypt exclusion feature of the SSL decryption feature of Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

This vulnerability is due to improper memory management during the inspection of TLS 1.2 encrypted traffic. An attacker could exploit this vulnerability by sending crafted TLS 1.2 encrypted traffic through an affected device. A successful exploit could allow the attacker to cause a reload of an affected device.
Note: This vulnerability only affects traffic that is encrypted by TLS 1.2. Other versions of TLS are not affected.
Published: 2026-03-04
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is improper memory management in the decryption engine of Cisco Secure Firewall Threat Defense, specifically in the Do Not Decrypt exclusion path of the SSL decryption policy, while it inspects TLS 1.2 traffic. An unauthenticated remote attacker who can send crafted TLS 1.2 traffic through the device (not to it) can trigger the fault and force the device to reload. Because the firewall itself reloads, every flow traversing it is interrupted and the device is unavailable until the reload completes, not just the attacker's own session; this is why the CVSS vector records a changed scope (S:C). The weakness is classified as CWE-404 (Improper Resource Shutdown or Release), a resource-handling defect; the advisory states only a denial-of-service outcome and does not describe the fault as exploitable memory corruption.

Affected Systems

Cisco Secure Firewall Threat Defense (FTD) Software is affected when a decryption (SSL) policy that contains a Do Not Decrypt rule is deployed and TLS 1.2 traffic that is handled by that rule passes through the device. This entry gives no version range (the recorded CPE is a wildcard over all versions) and names no fixed release, so operators should check their deployed release against Cisco's own advisory rather than relying on this page.

Risk and Exploitability

The CVSS v3.1 base score is 6.8 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H: network-reachable, no privileges or user interaction required, no confidentiality or integrity impact, high availability impact, and changed scope because a reload takes down every flow the firewall carries. Attack complexity is rated High, so the score assumes the attacker must meet conditions beyond merely sending TLS 1.2 traffic; the entry does not say what those conditions are beyond the traffic being handled by the Do Not Decrypt exclusion path. The EPSS score is below 1 %, the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. Nonetheless the attacker needs no credentials and no foothold on the device: anyone whose traffic transits the firewall and is subject to the decryption policy is positioned to attempt it, and a firewall reload is a high-impact outcome for everything behind that firewall.

Generated by OpenCVE AI on April 16, 2026 at 13:21 UTC.

Remediation

This entry records no vendor fix or workaround; fixed-release information must be taken from Cisco's own advisory for this CVE.

OpenCVE Recommended Actions

  • Apply the Cisco Secure Firewall Threat Defense release that Cisco's advisory identifies as fixed for this issue. This page lists no version range, so confirm the fixed release from the vendor advisory rather than assuming the latest build is sufficient.
  • If patching must wait, reduce exposure of the vulnerable path. The trigger is TLS 1.2 traffic passing through the device and handled by a Do Not Decrypt rule, not traffic addressed to the device's management interfaces, so restricting management-plane access does not help. Limiting which sources can send TLS traffic through the firewall, or narrowing which flows the decryption policy's Do Not Decrypt rules apply to, shrinks the attack surface; the advisory itself lists no workaround, so treat any such policy change as risk reduction, not a fix.
  • Monitor for unexpected reloads and crash artifacts on the device and correlate them with TLS 1.2 traffic through the affected policy. A reload with no administrative cause while TLS traffic is flowing is the symptom this entry describes.
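The note that only TLS 1.2 is affected matters for the second action above, but a filter or report that keys on the version bytes in the TLS record header or in the ServerHello's legacy_version field will misclassify TLS 1.3 as TLS 1.2, because TLS 1.3 keeps 0x0303 in those fields and negotiates the real version in the supported_versions extension (RFC 8446, section 4.1.3). The following is an added example, not code from this entry or from Cisco, that parses a ServerHello and reports the version actually negotiated so that "TLS 1.2 flows" can be counted or filtered correctly; the two ServerHello messages it builds are constructed test data, and the server random and cipher-suite values are illustrative.

```python
import struct
from typing import Optional

# Constructed example data and helpers; nothing here is captured from a real device.
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B   # RFC 8446 section 4.2.1
HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02


def build_server_hello(legacy_version: int, cipher_suite: int,
                       selected_version: Optional[int]) -> bytes:
    """Build a minimal ServerHello wrapped in one TLS record (constructed test data).

    selected_version=None omits the supported_versions extension, which is how a
    TLS 1.2 server answers; a TLS 1.3 server keeps legacy_version at 0x0303 and
    carries 0x0304 in supported_versions.
    """
    extensions = b""
    if selected_version is not None:
        data = struct.pack("!H", selected_version)
        extensions += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body = (struct.pack("!H", legacy_version)
            + b"\x11" * 32                         # server random: fixed bytes for the example
            + b"\x00"                              # empty legacy_session_id
            + struct.pack("!H", cipher_suite)
            + b"\x00"                              # compression_method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD]) + struct.pack("!HH", 0x0303, len(handshake)) + handshake


def record_version(record: bytes) -> str:
    """What a naive filter sees: the version field in the record header."""
    return TLS_VERSIONS.get(struct.unpack("!H", record[1:3])[0], "unknown")


def negotiated_version(record: bytes) -> str:
    """The version the ServerHello actually selects (RFC 8446 section 4.1.3)."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                     # skip legacy_version and random
    pos += 1 + body[pos]             # skip legacy_session_id
    pos += 2 + 1                     # skip cipher_suite and compression_method
    if pos + 2 > len(body):          # a TLS 1.2 server may omit the extensions block entirely
        return TLS_VERSIONS.get(legacy_version, "unknown")
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        ext_data = body[pos + 4:pos + 4 + ext_size]
        if ext_type == EXT_SUPPORTED_VERSIONS and ext_size == 2:
            return TLS_VERSIONS.get(struct.unpack("!H", ext_data)[0], "unknown")
        pos += 4 + ext_size
    # No supported_versions extension: the legacy field is authoritative (TLS 1.2 or older).
    return TLS_VERSIONS.get(legacy_version, "unknown")


if __name__ == "__main__":
    tls12 = build_server_hello(0x0303, 0xC02F, None)    # ECDHE-RSA-AES128-GCM-SHA256
    tls13 = build_server_hello(0x0303, 0x1301, 0x0304)  # TLS_AES_128_GCM_SHA256
    for name, rec in (("tls12", tls12), ("tls13", tls13)):
        print(f"{name}: record header says {record_version(rec)}, "
              f"negotiated {negotiated_version(rec)}")
```

Run as-is, both constructed records show TLS 1.2 in the record header, but only the first is a TLS 1.2 connection; a rule that matches on the header alone would therefore also throttle TLS 1.3 traffic that this entry says is unaffected. The same check works on a live capture by feeding it the first handshake record from the server side of each flow.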


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 20:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Cisco firepower Threat Defense Software
CPEs                                   cpe:2.3:a:cisco:firepower_threat_defense_software:*:*:*:*:*:*:*:*
Vendors & Products                     Cisco firepower Threat Defense Software

Thu, 05 Mar 2026 09:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Cisco
                                       Cisco secure Firewall Threat Defense
Vendors & Products                     Cisco
                                       Cisco secure Firewall Threat Defense

Wed, 04 Mar 2026 21:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 18:00:00 +0000

Type                  Values Removed   Values Added
Description                            A vulnerability in the Do Not Decrypt exclusion feature of the SSL decryption feature of Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper memory management during the inspection of TLS 1.2 encrypted traffic. An attacker could exploit this vulnerability by sending crafted TLS 1.2 encrypted traffic through an affected device. A successful exploit could allow the attacker to cause a reload of an affected device. Note: This vulnerability only affects traffic that is encrypted by TLS 1.2. Other versions of TLS are not affected.
Title                                  Cisco Secure Firewall Threat Defense Decryption Policy Denial of Service Vulnerability
Weaknesses                             CWE-404
References
Metrics                                cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-04T20:47:10.363Z

Reserved: 2025-10-08T11:59:15.355Z

Link: CVE-2026-20050

Vulnrichment

Updated: 2026-03-04T20:47:06.791Z

NVD

Status : Analyzed

Published: 2026-03-04T18:16:19.173

Modified: 2026-04-16T19:49:51.210

Link: CVE-2026-20050

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:30:16Z

Weaknesses