Description
A vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to send traffic that should be denied through an affected device.

This vulnerability is due to improper error handling when an affected device that is joining a cluster runs out of memory while replicating access control rules. An attacker could exploit this vulnerability by sending traffic that should be blocked through the device. A successful exploit could allow the attacker to bypass access controls and reach devices in protected networks.
Published: 2026-03-04
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Access control bypass allowing traffic that should be denied to traverse the device
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from improper error handling when an ASA or FTD device, participating in a cluster, exhausts memory while replicating access control rules. An unauthenticated, remote attacker can send traffic that should otherwise be denied, bypassing the firewall’s policies. If the exploit succeeds, the attacker gains the ability to reach devices within protected networks, compromising network segmentation and potentially exposing sensitive data. The weakness is classified as CWE-284, indicating an access control flaw.

Affected Systems

Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software are affected. The issue is tied to devices that are members of a cluster and that must allocate memory while replicating access control rules; version details are not supplied, so administrators should verify whether their ASA or FTD deployments are clustered and whether the running software incorporates the patch.

Risk and Exploitability

The CVSS score of 5.8 indicates moderate severity. The EPSS score of less than 1% reflects a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector involves remote, unauthenticated traffic sent to a cluster member under memory pressure; while difficult to trigger, it is feasible with sufficient traffic, resulting in a moderate exposure that could enable lateral movement into a protected network.

Generated by OpenCVE AI on April 18, 2026 at 10:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Cisco ASA or FTD firmware update that addresses the memory‑exhaustion error handling in ACL replication.
  • If a patch is unavailable, isolate the affected device from the cluster replication process or revert it to a non‑clustered configuration to prevent memory exhaustion during ACL updates.
  • Monitor device logs for anomalous forwarding of traffic that should be denied and verify that ACL enforcement remains intact on all critical interfaces.


Tracking


Advisories

No advisories yet.

History

Thu, 05 Mar 2026 09:15:00 +0000

Type: First Time appeared
Values Added: Cisco; Cisco adaptive Security Appliance Software; Cisco secure Firewall Threat Defense

Type: Vendors & Products
Values Added: Cisco; Cisco adaptive Security Appliance Software; Cisco secure Firewall Threat Defense

Wed, 04 Mar 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 18:00:00 +0000

Type: Description
Values Added: A vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to send traffic that should be denied through an affected device. This vulnerability is due to improper error handling when an affected device that is joining a cluster runs out of memory while replicating access control rules. An attacker could exploit this vulnerability by sending traffic that should be blocked through the device. A successful exploit could allow the attacker to bypass access controls and reach devices in protected networks.

Type: Title
Values Added: Cisco Secure Firewall Adaptive Security Appliance Software and Cisco Secure Firewall Threat Defense Software Access Control List Bypass Vulnerability

Type: Weaknesses
Values Added: CWE-284

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N'}


Subscriptions

Cisco Adaptive Security Appliance Software Secure Firewall Threat Defense
MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-04T18:07:54.606Z

Reserved: 2025-10-08T11:59:15.362Z

Link: CVE-2026-20073

Vulnrichment

Updated: 2026-03-04T18:07:49.361Z

NVD

Status : Awaiting Analysis

Published: 2026-03-04T18:16:23.640

Modified: 2026-03-05T19:39:11.967

Link: CVE-2026-20073

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:15:25Z

Weaknesses