Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Services Client-Side Request Smuggling Vulnerability

Monitor | CVSS 4.3 | cisco-sa-asaftd-desync-n5AVzEQw | Mar 4, 2026
Vendor: Cisco | Sectors: Energy, Manufacturing
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: Required
Summary

A vulnerability in the VPN web services component of Cisco Secure Firewall ASA and Threat Defense software allows an unauthenticated remote attacker to conduct browser-based attacks against users accessing VPN web portals. The vulnerability is caused by improper validation of HTTP requests in the web services component. An attacker can craft a malicious website that, when visited by an authenticated user, sends specially formed HTTP requests to the firewall. Because the requests are not properly validated, the firewall reflects the attacker's malicious input back to the user's browser, enabling cross-site scripting (XSS) and other browser-based attacks. The attacker cannot directly compromise the firewall itself, but can manipulate user sessions and capture sensitive information displayed in the browser.

What this means
What could happen
An attacker could conduct browser-based attacks (such as cross-site scripting) against users accessing VPN web services on your firewall. The firewall itself is not compromised, but user browsers could be manipulated or session data could be exposed.
Who's at risk
Energy and manufacturing organizations using Cisco Secure Firewall appliances for VPN access. This affects all Firepower series (1000, 2100, 4100, 9000), ASA 5500-X series, Secure Firewall (1200, 3100, 4200 series), Industrial Security Appliances (3000 series), virtual appliances (ASAv, FTD Virtual), and Threat Defense deployments that expose web services for VPN features.
How it could be exploited
An attacker creates a malicious website and tricks a user into visiting it while authenticated to your firewall's VPN web portal. The malicious page sends crafted HTTP requests to your firewall's web services endpoints, which are not properly validated. The firewall reflects the attacker's input back to the user's browser, allowing the attacker to inject malicious scripts that execute in the user's session.
Prerequisites
  • User must visit attacker-controlled website while authenticated to VPN web services
  • VPN web services endpoints must be enabled on the firewall
  • User must be using a web browser
Tags: remotely exploitable, low complexity, user interaction required, affects VPN authentication mechanisms
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (11)
11 with fix

Product | Affected Versions | Fix Status
Firepower 2100 Series | All versions | Fix available
Firepower 1000 Series | All versions | Fix available
ASA 5500-X Series Firewalls | All versions | Fix available
3000 Series Industrial Security Appliances (ISA) | All versions | Fix available
Firepower 9000 Series | All versions | Fix available
Firepower 4100 Series | All versions | Fix available
Secure Firewall Threat Defense Virtual | All versions | Fix available
Secure Firewall 3100 Series | All versions | Fix available
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Adaptive Security Virtual Appliance (ASAv)
HOTFIX: Update Cisco Secure Firewall ASA, Threat Defense (FTD), or ASAv software to the patched version released in March 2026
API: /api/v1/advisories/6c900e6b-6b9e-461f-99b2-d173de395464

