Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Access Control List Bypass Vulnerability

Priority: Monitor
Score: 5.8
Advisory ID: cisco-sa-asaftd-aclbypass-dos-CVxVRSvQ
Published: Mar 4, 2026
Vendor: Cisco
Sectors: Energy, Manufacturing, Transportation
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in Cisco Secure Firewall ASA and FTD software allows an unauthenticated remote attacker to bypass access control lists (ACLs) and send traffic through the firewall that should be denied. The flaw is caused by improper error handling during cluster join operations when the device runs low on memory while replicating ACL rules. An attacker could exploit this by sending traffic to protected networks that the firewall should block, potentially reaching control systems, RTUs, PLCs, historian databases, or engineering workstations behind the firewall. Cisco has released software updates that address this vulnerability. There are no workarounds available.

What this means
What could happen
An attacker could send network traffic through your firewall that should be blocked, allowing them to reach systems behind the firewall they were not supposed to access. This could expose sensitive control systems or operator workstations to compromise.
Who's at risk
This affects all organizations running Cisco Secure Firewall devices (ASA, FTD, Firepower, or ISA appliances). Energy, manufacturing, and transportation sectors are specifically called out. Any facility using these firewalls to protect control networks, SCADA systems, RTUs, or engineering workstations should prioritize patching.
How it could be exploited
An attacker on the network sends traffic destined for protected devices behind your firewall. During a cluster join operation when the firewall runs low on memory, ACL replication fails silently, causing the firewall to stop blocking that traffic. The attacker's traffic passes through to reach internal systems.
Prerequisites
  • Network access to the firewall from the internet or untrusted network
  • Target firewall must be actively joining a cluster
  • Device must experience memory pressure during ACL replication
Tags: remotely exploitable, no authentication required, low complexity, access control bypass, affects perimeter security for OT networks
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (11)
11 with fix
Product                                          | Affected Versions | Fix Status
-------------------------------------------------|-------------------|--------------
Firepower 2100 Series                            | All versions      | Fix available
ASA 5500-X Series Firewalls                      | All versions      | Fix available
3000 Series Industrial Security Appliances (ISA) | All versions      | Fix available
Firepower 9000 Series                            | All versions      | Fix available
Firepower 4100 Series                            | All versions      | Fix available
Adaptive Security Virtual Appliance (ASAv)       | All versions      | Fix available
Firepower 1000 Series                            | All versions      | Fix available
Secure Firewall 3100 Series                      | All versions      | Fix available
Remediation & Mitigation
Do now
HARDENING: Restrict network access to your firewall management interfaces and cluster communication ports to known trusted networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply vendor security update to your Cisco Secure Firewall (ASA or FTD) software immediately upon availability
Long-term hardening
HARDENING: During cluster operations, monitor memory usage on joining appliances and postpone cluster joins if memory available is below normal operating thresholds
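The long-term hardening item above is a policy, not a script; the following added example (not part of this advisory and not Cisco's code) shows one way an operator could turn it into a pre-join check. It parses a `show memory`-style report and refuses to proceed with a cluster join when free memory is below a chosen threshold. The report text, its line layout, and the 40% minimum are all constructed assumptions for illustration; in practice the report would be pulled from the appliance over the operator's normal management channel, and the threshold would be set from the unit's observed baseline.

```python
import re

# Constructed sample of a show-memory style report. The exact layout is an
# assumption modelled loosely on ASA output, not captured from a real device.
# Figures are chosen so that free + used == total.
SAMPLE_SHOW_MEMORY = """\
Free memory:        1234567890 bytes (29%)
Used memory:        3060399406 bytes (71%)
-------------     ------------------
Total memory:       4294967296 bytes (100%)
"""

# Operator-chosen policy (assumption): require at least this much free memory
# on the joining unit before allowing the cluster join to start.
DEFAULT_MIN_FREE_PERCENT = 40.0


def parse_memory(report: str) -> dict:
    """Return free/used/total byte counts parsed from a show-memory style report.

    Raises ValueError if a line is missing or the figures do not add up, so a
    truncated or unexpected report is never silently treated as healthy.
    """
    fields = {}
    for label in ("Free", "Used", "Total"):
        match = re.search(rf"^{label} memory:\s+(\d+) bytes", report, re.MULTILINE)
        if not match:
            raise ValueError(f"missing '{label} memory' line in report")
        fields[label.lower()] = int(match.group(1))
    if fields["free"] + fields["used"] != fields["total"]:
        raise ValueError("free + used does not equal total; report may be truncated")
    if fields["total"] == 0:
        raise ValueError("total memory reported as zero")
    return fields


def free_percent(report: str) -> float:
    """Percentage of total memory currently free."""
    mem = parse_memory(report)
    return 100.0 * mem["free"] / mem["total"]


def cluster_join_decision(report: str, min_free_percent: float = DEFAULT_MIN_FREE_PERCENT) -> dict:
    """Decide whether a unit has enough free memory to start a cluster join.

    Returns a dict with the measured free percentage, the threshold applied,
    a boolean 'proceed', and a human-readable reason for the change record.
    """
    pct = round(free_percent(report), 1)
    proceed = pct >= min_free_percent
    if proceed:
        reason = f"free memory {pct}% meets minimum {min_free_percent}%; join may proceed"
    else:
        reason = (f"free memory {pct}% is below minimum {min_free_percent}%; "
                  "postpone cluster join until memory recovers")
    return {
        "free_percent": pct,
        "min_free_percent": min_free_percent,
        "proceed": proceed,
        "reason": reason,
    }


if __name__ == "__main__":
    decision = cluster_join_decision(SAMPLE_SHOW_MEMORY)
    print(decision["reason"])
```

Run against the constructed sample, the check reports 28.7% free and blocks the join under the 40% policy; lowering the threshold to 20% lets it proceed. The strict parsing (missing line, non-adding figures) is deliberate: the advisory's failure mode is ACL replication failing silently under memory pressure, so the pre-join check should itself fail loudly rather than pass on a report it cannot fully read.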
API: /api/v1/advisories/82850c02-28bb-4ce0-8528-58e745d8c8e5
