Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Services Cross-Site Scripting Vulnerability

Monitor · 6.1 · cisco-sa-asaftd-webvpn-xss-uwjc4HR · Mar 4, 2026
Cisco · Energy · Manufacturing
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A cross-site scripting (XSS) vulnerability in the VPN web services component of Cisco Secure Firewall ASA and FTD software allows an unauthenticated remote attacker to conduct an XSS attack against users accessing the affected device's web portal. The vulnerability stems from improper validation of user-supplied input in HTTP requests. An attacker could exploit this by persuading a user to follow a malicious link designed to submit malicious input to the VPN web application, potentially allowing execution of arbitrary HTML or script code in the browser within the VPN web server context. This affects all versions of Firepower 2100, 4100, 9000 Series, ASA 5500-X Series, Firepower 1000 Series, 3000 Series ISA, ASAv, Secure Firewall 1200, 3100, 4200 Series, and Secure Firewall Threat Defense Virtual appliances.

What this means
What could happen
An attacker could use a malicious link to run scripts in a browser accessing your firewall's VPN web portal, potentially stealing session cookies, administrative credentials, or other sensitive data displayed in the admin interface.
Who's at risk
Organizations operating Cisco Secure Firewall appliances (ASA, FTD, or ISA devices in energy and manufacturing sectors) should prioritize patching, as these firewalls protect critical network boundaries. The vulnerability affects the VPN web portal that users and administrators access remotely.
How it could be exploited
An attacker crafts a malicious link containing an XSS payload and tricks a user (administrator or employee) into clicking it while logged into the VPN web portal. When the user's browser visits the link, the malicious script executes in the context of the firewall's web server, allowing the attacker to steal credentials or session tokens.
Prerequisites
  • User must be accessing the VPN web portal in a browser
  • User must click a malicious link provided by the attacker
  • VPN web services must be enabled and reachable
Tags: remotely exploitable · low complexity · no authentication required for exploit delivery · affects multiple appliance series in critical infrastructure
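A defender-side companion to the crafted-link scenario above: an added example (not Cisco's code, and not from the advisory) that hunts HTTP access logs for requests to a VPN portal whose query parameters carry markup or script-like content, decoding repeatedly so double-encoded payloads are not missed. The portal path prefix, the log format, and the sample log lines are constructed assumptions.

```python
"""Hunt for reflected-XSS attempts against a VPN web portal in HTTP access logs.
Added example, not Cisco's code. Parses Common Log Format lines, URL-decodes the
request target repeatedly, and flags portal requests whose query parameters look
like injected markup. PORTAL_PREFIX and SAMPLE_LOG are constructed assumptions."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

PORTAL_PREFIX = "/vpn/"  # assumed portal path prefix; set to your portal's path
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markup tags, javascript: URLs, inline event handlers, or HTML entity escapes
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=|&#x?[0-9a-f]+;", re.I)

def decode_fully(value, max_rounds=3):
    # URL-decode until the string stops changing (bounded) to defeat double encoding
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return (name, decoded value) pairs under PORTAL_PREFIX that look like markup."""
    parts = urlsplit(target)
    if not parts.path.startswith(PORTAL_PREFIX):
        return []
    hits = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_fully(raw)  # parse_qsl already decoded one layer
        if MARKUP_RE.search(decoded):
            hits.append((name, decoded))
    return hits

def scan(lines):
    """Return one finding dict per log line carrying a suspicious portal request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := suspicious_params(m["target"])):
            findings.append({"src": m["src"], "ts": m["ts"], "status": m["status"], "params": hits})
    return findings

SAMPLE_LOG = [  # constructed lines using RFC 5737 documentation addresses
    '203.0.113.7 - - [04/Mar/2026:10:00:01 +0000] "GET /vpn/logon.html?next=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '198.51.100.2 - - [04/Mar/2026:10:00:05 +0000] "GET /vpn/logon.html?next=%252Fportal HTTP/1.1" 200 512',
    '203.0.113.7 - - [04/Mar/2026:10:00:09 +0000] "GET /vpn/index.html?msg=%2522%2520onmouseover%253Dalert(1)%2520 HTTP/1.1" 200 512',
    '192.0.2.9 - - [04/Mar/2026:10:01:00 +0000] "GET /status?q=%3Cb%3E HTTP/1.1" 200 100',
]
```

Running `scan(SAMPLE_LOG)` flags the first and third lines (a plain and a double-encoded payload) and ignores the legitimately encoded redirect and the request outside the portal path; the second finding shows why one decode pass is not enough.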
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (11)
11 with fix
Product | Affected Versions | Fix Status
Firepower 2100 Series | All versions | Fix available
ASA 5500-X Series Firewalls | All versions | Fix available
3000 Series Industrial Security Appliances (ISA) | All versions | Fix available
Firepower 9000 Series | All versions | Fix available
Firepower 4100 Series | All versions | Fix available
Adaptive Security Virtual Appliance (ASAv) | All versions | Fix available
Firepower 1000 Series | All versions | Fix available
Secure Firewall 3100 Series | All versions | Fix available
Remediation & Mitigation
Do now
Workaround: Restrict access to the VPN web portal (ports 443, 8443) to trusted IP ranges or require a VPN connection before accessing management interfaces
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Hotfix: Update Cisco Secure Firewall ASA and FTD software to the patched version released for your device model
Long-term hardening
Hardening: Implement network segmentation to isolate firewall management access from untrusted networks
API: /api/v1/advisories/0a0d7ec8-cc26-40a2-bf05-970faffc1de4
