OTPulse

Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Lua Code Injection Vulnerability

Monitor6cisco-sa-asaftd-luainject-VescqgmSMar 4, 2026
CiscoEnergyManufacturing
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack VectorLocal
Auth RequiredHigh
ComplexityLow
User InteractionNone needed
Summary

A Lua code injection vulnerability exists in Cisco Secure Firewall ASA and FTD software affecting a small subset of CLI commands. User-provided input is not properly sanitized before being processed as Lua code. An authenticated local attacker with administrator credentials could craft malicious Lua code as a CLI parameter and achieve arbitrary code execution as the root user on the firewall appliance. This affects Firepower series, ASA 5500-X series, 3000 Series ISA, ASAv, and Secure Firewall series appliances.

What this means
What could happen
An attacker with administrator credentials could inject malicious Lua code into a firewall CLI command and execute arbitrary commands as the root user, potentially gaining full control of the security appliance and the network it protects.
Who's at risk
Energy sector and manufacturing facilities that rely on Cisco Secure Firewall appliances (ASA, FTD, Firepower, and ISA series) for network security. This includes all Cisco firewall models deployed in critical infrastructure environments that process control traffic.
How it could be exploited
An attacker with valid administrator credentials authenticates to the firewall's CLI, crafts malicious Lua code as a parameter to a vulnerable CLI command, and submits it. The firewall fails to sanitize the input and executes the code with root privileges, giving the attacker full system control.
Prerequisites
  • Valid administrator credentials for the firewall
  • Local or remote access to the firewall CLI
  • Knowledge of vulnerable CLI commands that accept Lua code
Requires valid administrator credentialsLow complexity exploitAffects all major Cisco firewall product linesNo workarounds available
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (11)
11 with fix
ProductAffected VersionsFix Status
Firepower 2100 SeriesAll versionsFix available
ASA 5500-X Series FirewallsAll versionsFix available
3000 Series Industrial Security Appliances (ISA)All versionsFix available
Firepower 9000 SeriesAll versionsFix available
Firepower 4100 SeriesAll versionsFix available
Adaptive Security Virtual Appliance (ASAv)All versionsFix available
Firepower 1000 SeriesAll versionsFix available
Secure Firewall 3100 SeriesAll versionsFix available
Remediation & Mitigation
0/1
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXApply vendor security patches to all affected Cisco Secure Firewall products to address the Lua code injection vulnerability
View full vendor advisory
API: /api/v1/advisories/74ffde7c-28a7-4985-80d1-42d9ed54efca

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Lua Code Injection Vulnerability | CVSS 6 - OTPulse