Description
A vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Secure FTD Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a DoS condition.

This vulnerability is due to insufficient error checking when processing SAML messages. An attacker could exploit this vulnerability by sending crafted SAML messages to the SAML service. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.
Published: 2026-03-04
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (Remote Device Reload)
Action: Apply Patch
AI Analysis

Impact

The vulnerability stems from insufficient error handling when the SAML 2.0 SSO feature of Cisco ASA and FTD processes incoming SAML messages. An attacker who can send crafted SAML messages to the firewall's SAML service can trigger an unexpected device reload, effectively taking the firewall offline and disrupting network connectivity.

Affected Systems

This flaw affects Cisco Secure Firewall Adaptive Security Appliance and Cisco Secure Firewall Threat Defense software. The advisory does not list specific firmware or software releases that are vulnerable, so any deployment of these products with SAML 2.0 SSO enabled remains at risk until patched.

Risk and Exploitability

The CVSS score of 8.6 indicates a high-severity vulnerability, yet the EPSS score is below 1 percent and the flaw is not yet listed in CISA's KEV catalog, which suggests a low probability of exploitation at present. Nevertheless, the vulnerability can be triggered remotely by an unauthenticated attacker who can reach the SAML endpoint, which is likely exposed on the firewall's management interface. A successful attack forces a reload, creating a denial-of-service condition.

Generated by OpenCVE AI on April 16, 2026 at 13:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cisco ASA and FTD firmware to a version that includes the SAML processing fix.
  • If an upgrade is not immediately possible, disable the SAML 2.0 SSO feature or block access to the SAML service from untrusted networks.
  • Apply network segmentation or firewall rules to restrict inbound traffic to the SAML endpoint only to trusted administrative hosts.
  • Monitor device logs for repeated failed SAML authentication attempts and investigate possible abuse.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 20:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Cisco firepower Threat Defense Software
CPEs                                  cpe:2.3:a:cisco:firepower_threat_defense_software:*:*:*:*:*:*:*:*
                                      cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
Vendors & Products                    Cisco firepower Threat Defense Software

Thu, 16 Apr 2026 13:45:00 +0000

Type                 Values Removed   Values Added
Title                                 Remote Device Reload via Crafted SAML Messages in Cisco ASA/FTD

Thu, 05 Mar 2026 16:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 09:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Cisco
                                      Cisco adaptive Security Appliance Software
                                      Cisco secure Firewall Threat Defense
Vendors & Products                    Cisco
                                      Cisco adaptive Security Appliance Software
                                      Cisco secure Firewall Threat Defense

Wed, 04 Mar 2026 17:30:00 +0000

Type                 Values Removed   Values Added
Description                           A vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Secure FTD Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a DoS condition. This vulnerability is due to insufficient error checking when processing SAML messages. An attacker could exploit this vulnerability by sending crafted SAML messages to the SAML service. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.
Weaknesses                            CWE-330
References
Metrics                               cvssV3_1
                                      {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-05T15:33:58.629Z

Reserved: 2025-10-08T11:59:15.370Z

Link: CVE-2026-20101

Vulnrichment

Updated: 2026-03-05T15:33:53.133Z

NVD

Status: Analyzed

Published: 2026-03-04T18:16:25.137

Modified: 2026-04-16T20:28:29.240

Link: CVE-2026-20101

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:30:16Z

Weaknesses