Description
A vulnerability in the handling of the embryonic connection limits in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause incoming TCP SYN packets to be dropped incorrectly.

This vulnerability is due to improper handling of new, incoming TCP connections that are destined to management or data interfaces when the device is under a TCP SYN flood attack. An attacker could exploit this vulnerability by sending a crafted stream of traffic to an affected device. A successful exploit could allow the attacker to prevent all incoming TCP connections to the device from being established, including remote management access, Remote Access VPN (RAVPN) connections, and all network protocols that are TCP-based. This results in a denial of service (DoS) condition for affected features.
Published: 2026-03-04
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (DoS) affecting all TCP connections
Action: Apply Patch
AI Analysis

Impact

A flaw in the way Cisco Secure Firewall Adaptive Security Appliance (ASA) Software limits embryonic connections can cause the device to drop legitimate incoming TCP SYN packets while it is under attack. An unauthenticated attacker may craft traffic that triggers this behavior, which in turn prevents any TCP connection to the device from being established, including remote management access, Remote Access VPN, and other TCP-based protocols, resulting in a denial of service (CWE-772).

Affected Systems

Cisco Secure Firewall Adaptive Security Appliance (ASA) Software is impacted. No specific vulnerable versions are listed in the advisory; all versions present in the product line should be considered potentially affected unless otherwise specified by Cisco.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity. The EPSS score is below 1%, reflecting a low predicted exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw can be triggered remotely by sending crafted TCP traffic, the attack vector is the network. Successful exploitation requires only unauthenticated network access and results in a service outage for all TCP-based services on the device.

Generated by OpenCVE AI on April 16, 2026 at 13:23 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-issued patch or firmware update for Cisco ASA software as soon as it becomes available.
  • Reduce the maximum number of concurrent embryonic connections or implement traffic shaping to limit the impact of a SYN flood.
  • Configure the firewall or upstream devices to detect and block SYN flood traffic before it reaches the ASA, for example by enabling SYN flood protection on IDS/IPS or load balancers.
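Added example, not configuration from the advisory or from OpenCVE: a Cisco ASA Modular Policy Framework fragment that applies the embryonic-connection recommendation above, followed by the show commands used to verify it. The class name, numeric limits and timeout are assumed values that must be sized from the device's normal connection baseline.

```cisco
! Added example (not from the advisory or OpenCVE). The class name, limits
! and timeout are assumptions; derive them from the device's own baseline
! of half-open connections before enforcing them.
!
! Select the traffic to protect. "match any" covers all flows through the ASA.
class-map SYN-FLOOD-GUARD
 match any
!
! Attach the limits to the default global policy so they apply on all interfaces.
policy-map global_policy
 class SYN-FLOOD-GUARD
  ! Total half-open (embryonic) connections allowed through the device, and the
  ! number any single source address may hold. Once embryonic-conn-max is
  ! reached the ASA answers further SYNs itself (TCP Intercept with SYN cookies)
  ! and only forwards connections that complete the three-way handshake.
  set connection embryonic-conn-max 1000 per-client-embryonic-max 50
  ! Tear down half-open connections that never complete within 20 seconds.
  set connection timeout embryonic 0:00:20
!
! Verification (exec mode): confirm the limits are attached to the policy and
! watch the connection and TCP Intercept counters during a suspected flood.
show service-policy set connection
show conn count
show perfmon
```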



Advisories

No advisories yet.

History

Thu, 16 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Title DoS via TCP SYN mismanagement in Cisco ASA

Thu, 05 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Cisco
Cisco adaptive Security Appliance Software
Vendors & Products Cisco
Cisco adaptive Security Appliance Software

Wed, 04 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description A vulnerability in the handling of the embryonic connection limits in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause incoming TCP SYN packets to be dropped incorrectly. This vulnerability is due to improper handling of new, incoming TCP connections that are destined to management or data interfaces when the device is under a TCP SYN flood attack. An attacker could exploit this vulnerability by sending a crafted stream of traffic to an affected device. A successful exploit could allow the attacker to prevent all incoming TCP connections to the device from being established, including remote management access, Remote Access VPN (RAVPN) connections, and all network protocols that are TCP-based. This results in a denial of service (DoS) condition for affected features.
Weaknesses CWE-772
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-04T20:52:52.679Z

Reserved: 2025-10-08T11:59:15.364Z

Link: CVE-2026-20082

Vulnrichment

Updated: 2026-03-04T20:52:49.500Z

NVD

Status: Awaiting Analysis

Published: 2026-03-04T18:16:24.483

Modified: 2026-03-05T19:39:11.967

Link: CVE-2026-20082

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:30:16Z

Weaknesses