Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Authenticated Command Injection Vulnerabilities

Monitor | 6.5 | cisco-sa-ftd-cmd-inj-mTzGZexf | Mar 4, 2026
Cisco, Energy, Manufacturing
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Multiple authenticated command injection vulnerabilities in the CLI feature of Cisco Secure Firewall ASA and Secure Firewall Threat Defense (FTD) software allow an authenticated, local attacker to execute commands with elevated privileges or cause the device to reload unexpectedly (denial of service). Affected products include Firepower 2100/1000/9000/4100 Series, ASA 5500-X Series, 3000 Series ISA, Secure Firewall Threat Defense Virtual, and Secure Firewall 3100/4200/1200 Series appliances.

What this means
What could happen
An attacker with local access and valid credentials could run elevated commands on your firewall, potentially modifying firewall rules, redirecting traffic, or causing the firewall to restart unexpectedly and block all network traffic until it recovers.
Who's at risk
Energy utilities, water authorities, and manufacturing facilities that rely on Cisco Secure Firewall appliances (ASA, FTD, Firepower Series) for perimeter security and network protection. This includes data center firewalls, branch firewalls, and industrial security appliances protecting SCADA or control system networks.
How it could be exploited
An attacker with a valid local user account on the firewall (e.g., admin or readonly credentials) accesses the device CLI and injects malicious commands into vulnerable CLI input fields. The firewall processes these commands with elevated privileges, allowing the attacker to execute arbitrary actions or cause a denial of service by reloading the device.
Prerequisites
  • Valid local user credentials (admin, readonly, or other CLI-capable account)
  • Local CLI access to the firewall (console, SSH, or local terminal)
  • Knowledge of vulnerable CLI input fields that accept command injection
  • No authentication required for some CLI functions (some vulnerable commands callable by low-privilege users)
  • Low complexity attack (standard CLI input)
  • Local access required but insider threat or compromised workstation manageable
  • Could impact critical firewall availability
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (10)
10 with fix
Product | Affected Versions | Fix Status
Firepower 2100 Series | All versions | Fix available
Firepower 1000 Series | All versions | Fix available
ASA 5500-X Series Firewalls | All versions | Fix available
3000 Series Industrial Security Appliances (ISA) | All versions | Fix available
Firepower 9000 Series | All versions | Fix available
Firepower 4100 Series | All versions | Fix available
Secure Firewall Threat Defense Virtual | All versions | Fix available
Secure Firewall 3100 Series | All versions | Fix available
Remediation & Mitigation
Do now
3000 Series Industrial Security Appliances (ISA)
HARDENING: Restrict local CLI access to trusted administrators only; remove or disable any unnecessary local user accounts with CLI privileges
All products
HARDENING: Monitor and log all CLI access and commands executed on your firewall; review logs for suspicious activity or failed authentication attempts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Consult Cisco advisory cisco-sa-ftd-cmd-inj-mTzGZexf and download the fixed firmware version for your specific firewall model and series
HOTFIX: Plan and execute firmware updates during a maintenance window to avoid firewall downtime; test updates in a lab or non-production environment first
Long-term hardening
HARDENING: Implement strong password policies and multi-factor authentication (if supported) for all firewall admin accounts to reduce the risk of credential compromise
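
The log review called for under "Do now" (CLI commands executed, failed authentication attempts) can be partly automated. The following is an added example, not part of the original advisory or of Cisco's tooling. It assumes ASA-style syslog messages 111008 (command executed) and 605004 (login denied) in the formats shown in the comments; the allowlist, threshold and sample log lines are constructed.

```python
import re
from collections import Counter

# Assumed ASA syslog formats (verify against your own device's output):
#   111008: User '<name>' executed the '<cmd>' command.
#   605004: Login denied from <ip>/<port> to <if>:<ip>/<svc> for user "<name>"
CMD_RE = re.compile(r"%ASA-5-111008: User '([^']*)' executed the '(.*)' command\.")
DENY_RE = re.compile(
    r'%ASA-6-605004: Login denied from ([\d.]+)/\d+ to \S+ for user "([^"]*)"')

# Hypothetical allowlist of accounts expected to use the CLI.
TRUSTED_ADMINS = {"netadmin1", "netadmin2"}
FAILED_LOGIN_THRESHOLD = 3  # assumption: tune per site

# Constructed sample log lines (documentation address space).
SAMPLE_LOG = """\
Mar 04 2026 10:01:02 fw1 : %ASA-6-605004: Login denied from 192.0.2.10/51000 to mgmt:192.0.2.1/ssh for user "readonly"
Mar 04 2026 10:01:09 fw1 : %ASA-6-605004: Login denied from 192.0.2.10/51002 to mgmt:192.0.2.1/ssh for user "readonly"
Mar 04 2026 10:01:15 fw1 : %ASA-6-605004: Login denied from 192.0.2.10/51004 to mgmt:192.0.2.1/ssh for user "readonly"
Mar 04 2026 10:02:30 fw1 : %ASA-6-605004: Login denied from 192.0.2.20/40110 to mgmt:192.0.2.1/ssh for user "netadmin2"
Mar 04 2026 10:05:00 fw1 : %ASA-5-111008: User 'netadmin1' executed the 'show running-config' command.
Mar 04 2026 10:07:41 fw1 : %ASA-5-111008: User 'readonly' executed the 'show version' command.
"""


def review_cli_log(text, trusted=TRUSTED_ADMINS, threshold=FAILED_LOGIN_THRESHOLD):
    """Return (commands run by non-allowlisted users, noisy failed-login sources)."""
    untrusted = []        # (user, command) for accounts outside the allowlist
    denials = Counter()   # (source ip, user) -> number of denied logins
    for line in text.splitlines():
        cmd = CMD_RE.search(line)
        if cmd:
            user, command = cmd.groups()
            if user not in trusted:
                untrusted.append((user, command))
            continue
        deny = DENY_RE.search(line)
        if deny:
            denials[deny.groups()] += 1
    noisy = {key: n for key, n in denials.items() if n >= threshold}
    return untrusted, noisy


if __name__ == "__main__":
    commands, failed = review_cli_log(SAMPLE_LOG)
    for user, command in commands:
        print(f"CLI command by non-allowlisted user {user!r}: {command!r}")
    for (src, user), n in failed.items():
        print(f"{n} denied logins for {user!r} from {src}")
```
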