
Actively Exploited Critical Vulnerabilities in Cisco Secure Firewall and Catalyst SD-WAN Manager

Tags: actively-exploited-vulnerability, widely-deployed-product-advisory, perimeter-device-exposure, embedded-device-vulnerability
Updated March 21, 2026 at 02:12 PM (2 sources)

Belgium’s CCB (Safeonweb) warned of multiple critical vulnerabilities across several Cisco products—specifically calling out Cisco Secure Firewall (including Adaptive Security Appliance (ASA), Firepower Management Center (FMC), and Firepower Threat Defense (FTD)) and Cisco Catalyst SD-WAN Manager—and stated that some vulnerabilities are being actively exploited, urging immediate patching. The advisory lists a broad set of weakness classes including authentication bypass (CWE-288/CWE-287), deserialization of untrusted data (CWE-502), buffer overflow (CWE-120), SQL injection (CWE-89), and sensitive information exposure (CWE-200), and highlights multiple CVEs including CVE-2026-20079 and CVE-2026-20131 with CVSS 10.0.

A separate advisory from the Center for Internet Security (CIS) also reported multiple vulnerabilities in Cisco products that could enable remote code execution, enumerating a large set of related CVEs (including CVE-2026-20001, CVE-2026-20002, CVE-2026-20003, and CVE-2026-20039). Taken together, the advisories indicate a high-risk patching priority for organizations running affected Cisco network/security management and firewall platforms, particularly where internet exposure or untrusted management-plane access could make exploitation more likely.

Timeline

  1. Mar 5, 2026

    Authorities and security organizations warn that some Cisco flaws are actively exploited

    On the same day, Belgium's CCB Safeonweb warned about multiple critical Cisco vulnerabilities and urged immediate patching, noting that some were being actively exploited. CIS also issued an advisory aggregating the affected CVEs and Cisco security notices for defenders.

  2. Mar 5, 2026

    Cisco discloses multiple critical vulnerabilities across several products

    Cisco published a set of security advisories covering multiple vulnerabilities in products including Cisco Secure Firewall and Cisco Catalyst SD-WAN Manager. The advisories referenced issues such as remote code execution, authentication bypass, SQL injection, command injection, directory traversal, cross-site scripting, and denial-of-service flaws.


Related Entities

Vulnerabilities

- DoS via crafted SAML messages in Cisco Secure Firewall ASA/FTD SAML SSO (CVE-2026-20101)
- Authenticated SQL injection in Cisco Secure Firewall Management Center (FMC) REST API (CVE-2026-20001)
- Authenticated SQL injection in Cisco Secure FMC web-based management interface (CVE-2026-20002)
- Authentication Bypass to Root RCE in Cisco Secure Firewall Management Center (CVE-2026-20079)
- Unauthenticated Remote DoS via memory exhaustion in Cisco ASA/FTD Remote Access SSL VPN (CVE-2026-20106)
- DoS via memory exhaustion in Cisco Secure Firewall ASA/FTD Remote Access SSL VPN (CVE-2026-20103)
- Cisco Secure Firewall ASA and FTD Remote Access SSL VPN Authenticated Memory Exhaustion DoS (CVE-2026-20105)
- Authenticated SQL injection in Cisco Secure FMC REST API (CVE-2026-20003)
- DoS in Cisco Secure Firewall ASA embryonic connection limit handling (TCP SYN flood) (CVE-2026-20082)
- Cisco Secure Firewall ASA/FTD VPN Web Server Denial of Service Vulnerability (CVE-2026-20039)
- Unauthenticated RCE in Cisco Secure Firewall Management Center Web Interface (CVE-2026-20131)
- DoS via crafted HTTP to Remote Access SSL VPN Lua interpreter in Cisco ASA/FTD (CVE-2026-20100)
- DoS in Snort 3 Detection Engine via crafted VBA decompression data (CVE-2026-20057)
- DoS via crafted RPC parsing in Snort 3 detection engine (Cisco products) (CVE-2026-20068)
- DoS via IKEv2 packet parsing memory leak in Cisco Secure Firewall ASA/FTD (CVE-2026-20015)
- DoS via crafted OSPF LSU packets in Cisco Secure Firewall ASA/FTD (heap corruption) (CVE-2026-20025)
- DoS via OSPF LSU out-of-bounds write in Cisco Secure Firewall ASA/FTD (OSPF canonicalization debug) (CVE-2026-20022)
- DoS via Snort 3 Detection Engine binder module initialization logic (Cisco products) (CVE-2026-20065)
- DoS in Snort 3 VBA decompression error handling (infinite loop) (CVE-2026-20054)
- Cisco Secure Firewall ASA/FTD IKEv2 Memory Exhaustion DoS (CVE-2026-20013)
- DoS via heap overflow in Snort 3 VBA decompression (Cisco products) (CVE-2026-20053)
- DoS in Cisco Snort 3 Detection Engine via crafted HTTP mDNS header parsing (CVE-2026-20067)
- Authenticated CLI command injection in Cisco Secure FTD (root OS command execution) (CVE-2026-20063)
- Authenticated CLI input validation DoS in Cisco Secure Firewall Threat Defense (FTD) (CVE-2026-20064)
- Cisco Secure Firewall ASA and Secure FTD IKEv2 Denial of Service Vulnerability (CVE-2026-20014)
- DoS in Cisco Snort 3 Detection Engine via crafted SSL handshake parsing (CVE-2026-20005)
- DoS in Snort 3 Detection Engine via JSTokenizer HTTP JavaScript normalization (CVE-2026-20066)
- Authenticated CLI command injection in Cisco Secure FTD Software (root OS command execution) (CVE-2026-20017)
- OSPF heap corruption DoS in Cisco Secure Firewall ASA/FTD (CVE-2026-20024)
- Authenticated command injection in Cisco FXOS CLI for Cisco Secure Firewall ASA/FTD (CVE-2026-20016)
- Authenticated command injection in Cisco Secure Firewall Management Center (FMC) lockdown remediation modules (CVE-2026-20044)
- DoS in Cisco Snort 3 VBA decompression error handling (CVE-2026-20058)
- XSS in Cisco Secure Firewall ASA/FTD VPN web services (CVE-2026-20070)
- ACL bypass in Cisco Secure Firewall ASA/FTD clustering rule replication (CVE-2026-20073)
- Snort deep packet inspection rule bypass in Cisco Secure Firewall Threat Defense (FTD) (CVE-2026-20007)
- DoS in Cisco ASA/FTD IPsec IKEv2 GCM traffic processing (insufficient memory allocation) (CVE-2026-20049)
- DoS via crafted TLS packet in Snort 3 Detection Engine (Cisco Secure Firewall FTD) (CVE-2026-20006)
- DoS via Snort 3 SSL packet inspection memory management logic error in Cisco Secure Firewall FTD (CVE-2026-20052)
- DoS in Cisco Secure Firewall FTD SSL Decryption Do Not Decrypt exclusion (TLS 1.2) (CVE-2026-20050)
- SSH key-based authentication bypass in Cisco Secure Firewall ASA proprietary SSH stack (CVE-2026-20009)
- Client-side request smuggling in Cisco Secure Firewall ASA/FTD VPN web services (CVE-2026-20069)
- Reflected XSS in Cisco Secure Firewall ASA/FTD SAML 2.0 SSO (CVE-2026-20102)
- Cisco Catalyst SD-WAN Manager API Arbitrary File Overwrite Privilege Escalation (CVE-2026-20122)
- Cisco Catalyst SD-WAN Manager REST API Privilege Escalation (CVE-2026-20126)
- Cisco Catalyst SD-WAN Manager API Authentication Bypass (CVE-2026-20129)
- Cisco Catalyst SD-WAN Manager DCA Credential Disclosure / Recoverable Password Storage (CVE-2026-20128)
- Cisco Catalyst SD-WAN Manager Sensitive Information Disclosure via API (CVE-2026-20133)
- Arbitrary file write as root via path traversal in Cisco Secure Firewall FMC/FTD sftunnel file synchronization (CVE-2026-20018)

Related Stories

Cisco Patches Critical Firewall Management RCE Vulnerabilities

Cisco released emergency fixes for two **critical (CVSS 10.0)** vulnerabilities in its firewall management software that could allow **remote, unauthenticated attackers** to execute code and gain **root-level** access to the underlying operating system. The issues are tracked as `CVE-2026-20079` and `CVE-2026-20131`, and reporting emphasized the risk profile given Cisco’s widespread deployment in large enterprises and the historical interest of sophisticated actors in rapidly weaponizing Cisco bugs. Available reporting stated there were **no confirmed in-the-wild exploitation** reports at the time of publication, but urged rapid patching due to the combination of unauthenticated reachability and full compromise potential. Separate coverage packaged the Cisco flaws alongside other weekly security items (e.g., Tycoon2FA infrastructure takedown and other incidents), but the Cisco item consistently described the same two maximum-severity firewall management vulnerabilities and their impact (RCE leading to root access).

1 month ago
Critical Remote Code Execution and Authorization Bypass Vulnerabilities in Cisco ASA and FTD WebVPN

Multiple critical vulnerabilities have been discovered in the Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) WebVPN components, which are being actively exploited in the wild. The vulnerabilities, identified as CVE-2025-20362, CVE-2025-20333, and CVE-2025-20363, allow attackers to bypass authentication and achieve remote code execution (RCE) as root on affected devices. CVE-2025-20362 is an unauthenticated authorization bypass that enables attackers to access restricted endpoints without valid credentials, serving as a key component in exploit chains. When combined with CVE-2025-20333, attackers can send malicious HTTPS requests to execute arbitrary code as root, even without prior authentication. CVE-2025-20363 is a related flaw that also enables unauthenticated RCE on ASA/FTD devices and authenticated RCE on some Cisco IOS components.

These vulnerabilities affect Cisco ASA versions 9.16 through 9.23 and Cisco FTD versions 7.0 through 7.7, with specific software images requiring validation against Cisco advisories. Cisco and CISA have confirmed active exploitation and widespread scanning for these vulnerabilities, prompting CISA to issue Emergency Directive 25-03 on September 25, 2025, mandating immediate action by federal agencies. The threat actor responsible for these attacks is attributed to the same group behind the ArcaneDoor (UAT4356) state-sponsored espionage campaign first observed in 2024. Organizations are urged to patch or upgrade to Cisco’s fixed releases without delay, and to restrict or disable vulnerable devices if immediate upgrades are not possible. Compromised devices should be isolated and thoroughly investigated for signs of threat actor presence. Cisco has provided detailed guidance for detection, and CISA’s Malware Next Generation tool can be used to hunt for indicators of compromise.

Security researchers, including Rapid7, have published technical analyses and exploit chains demonstrating the severity and ease of exploitation. The vulnerabilities are considered highly critical due to their unauthenticated nature and the potential for full device compromise, which could lead to further lateral movement within affected networks. The rapid response from both Cisco and CISA underscores the urgency and scale of the threat. Organizations using Cisco ASA or FTD devices should assume exposure if running affected versions and prioritize remediation. The vulnerabilities highlight the ongoing targeting of network edge devices by sophisticated threat actors, particularly those engaged in espionage. Failure to address these vulnerabilities could result in significant operational disruption and data compromise. The security community continues to monitor for new exploitation techniques and advises ongoing vigilance. The release of proof-of-concept code and active scanning increases the risk of opportunistic attacks by additional threat actors. Timely patching and adherence to Cisco and CISA recommendations are essential to mitigate risk from these critical vulnerabilities.

1 month ago
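The story above gives affected software trains (ASA 9.16 through 9.23, FTD 7.0 through 7.7) and tells defenders to assume exposure on those versions and to prioritize internet-facing devices. The following is an added example, not code from Mallory, Cisco or any advisory: it triages a constructed device inventory against those two ranges and orders the results so that in-range, internet-facing devices come first. The inventory entries, the `Device` record layout and the verdict names are assumptions made for this example. Because the page itself says specific images must be validated against the Cisco advisories, an in-range result is labelled "validate", not "vulnerable".

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Affected software trains as stated in the story above (inclusive, major.minor).
# Taken from the page text; exact fixed images still need checking against the Cisco advisory.
AFFECTED_TRAINS: Dict[str, Tuple[Tuple[int, int], Tuple[int, int]]] = {
    "ASA": ((9, 16), (9, 23)),
    "FTD": ((7, 0), (7, 7)),
}

# Matches the leading major.minor of version strings such as "9.18(4)12" or "7.4.1".
_TRAIN_RE = re.compile(r"^\s*(\d+)\.(\d+)")


@dataclass
class Device:
    """One inventory row (assumed layout for this example)."""
    hostname: str
    product: str           # "ASA" or "FTD"
    version: str           # raw version string as recorded in the inventory
    internet_facing: bool  # reachable from untrusted networks


def parse_train(version: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) of a version string, or None when it cannot be parsed."""
    m = _TRAIN_RE.match(version)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def in_affected_train(product: str, version: str) -> Optional[bool]:
    """True/False for a parsable version of a known product, None when undecidable."""
    bounds = AFFECTED_TRAINS.get(product.upper())
    train = parse_train(version)
    if bounds is None or train is None:
        return None
    low, high = bounds
    return low <= train <= high


def triage(devices: List[Device]) -> List[Tuple[str, str]]:
    """Return (hostname, verdict) pairs, most urgent first.

    Verdicts:
      validate-urgent  in an affected train and internet-facing
      validate         in an affected train, not internet-facing
      unknown          product or version could not be interpreted (needs a manual look)
      out-of-range     parsable version outside the affected trains
    """
    order = {"validate-urgent": 0, "validate": 1, "unknown": 2, "out-of-range": 3}
    results = []
    for d in devices:
        hit = in_affected_train(d.product, d.version)
        if hit is None:
            verdict = "unknown"
        elif hit and d.internet_facing:
            verdict = "validate-urgent"
        elif hit:
            verdict = "validate"
        else:
            verdict = "out-of-range"
        results.append((d.hostname, verdict))
    return sorted(results, key=lambda r: (order[r[1]], r[0]))


# Constructed sample inventory for this example; these are not real devices.
SAMPLE_INVENTORY = [
    Device("fw-edge-01", "ASA", "9.18(4)12", True),
    Device("fw-core-02", "FTD", "7.4.1", False),
    Device("fw-lab-03", "ASA", "9.12(4)", False),
    Device("fw-dmz-04", "FTD", "7.7.0", True),
    Device("fw-old-05", "FTD", "6.7.0", True),
    Device("fw-bad-06", "ASA", "n/a", True),
]

if __name__ == "__main__":
    for hostname, verdict in triage(SAMPLE_INVENTORY):
        print(f"{hostname:12} {verdict}")
```

Unparsable versions are deliberately ranked above out-of-range ones: a device whose software level is unknown cannot be cleared, so it stays on the review list rather than silently dropping off it.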
Active Exploitation of Cisco Catalyst SD-WAN Manager Vulnerabilities by UAT-8616

**CISA** ordered U.S. federal civilian agencies to urgently remediate a **critical Cisco Catalyst SD-WAN Manager compromise** tied to **CVE-2026-20127**, a `CVSS 10.0` authentication bypass flaw that allows attackers to obtain high-privilege access without valid credentials. Reporting indicates the activity was uncovered by **CISA** and **Cisco Talos**, which attributed exploitation to **UAT-8616** and assessed that the intrusions date back to 2023. Attackers reportedly maintained persistence by downgrading devices to older vulnerable software and then using the access to reach `NETCONF` and manipulate SD-WAN fabric configuration, creating significant risk for federal networks and other exposed deployments. Additional research shows the campaign is not limited to a single bug. Cisco disclosed in-the-wild exploitation of **CVE-2026-20127** together with **CVE-2022-20775**, an older SD-WAN CLI flaw enabling post-auth privilege escalation and root command execution, while external analysis warned that public proof-of-concept material around `CVE-2026-20127` has been misattributed and may produce incomplete detections. Researchers also highlighted broader exposure across internet-facing SD-WAN Manager instances and warned that **CVE-2026-20133** may present underappreciated risk and could already be seeing exploitation, underscoring that defenders should treat the Cisco SD-WAN issue as an active intrusion and hardening priority rather than a routine patch cycle.

1 month ago