Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software SAML Reflected Cross-Site Scripting Vulnerability

Monitor | 6.1 | cisco-sa-asaftd-saml-LktTrwZP | Mar 4, 2026
Cisco | Energy | Manufacturing
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A reflected cross-site scripting vulnerability exists in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Cisco Secure Firewall Threat Defense (FTD) Software. The vulnerability is due to insufficient input validation of multiple HTTP parameters in the SAML feature. An attacker could exploit this by persuading a user to click a malicious link, allowing the attacker to conduct a reflected XSS attack and potentially steal sensitive browser-based information such as session tokens or credentials. Cisco has released software updates that address this vulnerability.

What this means
What could happen
An attacker could trick an administrator or user into clicking a malicious link to conduct a cross-site scripting attack through the firewall's SAML SSO interface, potentially stealing session cookies, credentials, or other sensitive browser-based information.
Who's at risk
Organizations operating Cisco Secure Firewall appliances (ASA, FTD, and ISA models) in energy and manufacturing sectors that use SAML-based SSO for firewall administration should care about this vulnerability. This affects firewall models from the 1000, 2100, 3000 (ISA), 4100, 4200, 9000 series, as well as virtual appliances (ASAv, FTD Virtual), and 1200 and 3100 series Secure Firewall devices.
How it could be exploited
An attacker crafts a malicious link containing injected code targeting the SAML SSO feature's HTTP parameters. The attacker sends this link (via email, chat, or social engineering) to a user with access to the firewall's web interface. When the user clicks the link, the code executes in their browser in the context of the firewall's management interface, allowing the attacker to steal session tokens or other sensitive data.
Prerequisites
  • User must access the firewall's SAML SSO login interface
  • User must click on an attacker-controlled malicious link
  • SAML SSO feature must be enabled on the firewall
Remotely exploitable | No authentication required | Low complexity | Affects firewall management access
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (11)
11 with fix
Product                                          | Affected Versions | Fix Status
Firepower 2100 Series                            | All versions      | Fix available
Firepower 1000 Series                            | All versions      | Fix available
ASA 5500-X Series Firewalls                      | All versions      | Fix available
3000 Series Industrial Security Appliances (ISA) | All versions      | Fix available
Firepower 9000 Series                            | All versions      | Fix available
Firepower 4100 Series                            | All versions      | Fix available
Adaptive Security Virtual Appliance (ASAv)       | All versions      | Fix available
Secure Firewall 3100 Series                      | All versions      | Fix available
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Firepower 2100 Series
HOTFIX: Update Firepower 2100 Series to patched software version
Firepower 1000 Series
HOTFIX: Update Firepower 1000 Series to patched software version
ASA 5500-X Series Firewalls
HOTFIX: Update ASA 5500-X Series Firewalls to patched software version
Firepower 9000 Series
HOTFIX: Update Firepower 9000 Series to patched software version
Firepower 4100 Series
HOTFIX: Update Firepower 4100 Series to patched software version
Adaptive Security Virtual Appliance (ASAv)
HOTFIX: Update ASAv to patched software version
Secure Firewall Threat Defense Virtual
HOTFIX: Update Secure Firewall Threat Defense Virtual to patched software version
All products
HOTFIX: Update Secure Firewall 3100, 4200, and 1200 Series to patched software versions
HOTFIX: Update 3000 Series Industrial Security Appliances to patched software version
API: /api/v1/advisories/a11491ac-f8d1-4a42-bb6d-aabe7bd26c15