Cisco Secure Firewall Threat Defense Software SSL Decryption Policy Denial of Service Vulnerability

Priority: Monitor
CVSS: 6.8
Advisory ID: cisco-sa-ftd-dnd-dos-bpEcg7B7
Published: Mar 4, 2026
Vendor: Cisco
Sectors: Energy, Manufacturing, Transportation
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

A vulnerability in the SSL decryption feature of Cisco Secure Firewall Threat Defense (FTD) Software, when a Do Not Decrypt exclusion is configured, allows an unauthenticated remote attacker to cause the device to reload. The vulnerability is due to improper memory management when the firewall inspects crafted TLS 1.2 encrypted traffic. Only TLS 1.2 traffic is affected; other TLS versions are not vulnerable. A successful attack causes the firewall to crash and reboot, interrupting security policy enforcement and traffic inspection. Cisco has released software updates that address this vulnerability; there are no workarounds.

What this means
What could happen
An attacker can send specially crafted TLS 1.2 traffic through your firewall to cause it to crash and reboot, interrupting all traffic inspection and potentially allowing malicious traffic to bypass security controls while the device recovers.
Who's at risk
Energy utilities, manufacturing plants, and transportation operators who rely on Cisco Secure Firewall Threat Defense appliances (including the Firepower 1000/2100/4100/9000 series, the 3000 Series Industrial Security Appliances, and the Secure Firewall 1200/3100/4200 series, as well as virtual deployments) for network perimeter security and encrypted traffic inspection.
How it could be exploited
An attacker on the network sends crafted TLS 1.2 encrypted traffic toward your Secure Firewall Threat Defense device. The firewall's SSL decryption feature processes the malformed traffic, triggering a memory issue that causes the device to reload, dropping all active connections and security policies until it recovers.
Prerequisites
  • Network path to the firewall's external interface
  • Ability to send TLS 1.2 traffic toward the firewall
  • remotely exploitable
  • no authentication required
  • affects perimeter security device
  • causes denial of service
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (9)
9 with fix
Product | Affected Versions | Fix Status
Firepower 2100 Series | All versions | Fix available
Firepower 1000 Series | All versions | Fix available
3000 Series Industrial Security Appliances (ISA) | All versions | Fix available
Firepower 9000 Series | All versions | Fix available
Firepower 4100 Series | All versions | Fix available
Secure Firewall Threat Defense Virtual | All versions | Fix available
Secure Firewall 3100 Series | All versions | Fix available
Secure Firewall 4200 Series | All versions | Fix available
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require a device reboot; plan for the resulting interruption of traffic inspection.

Firepower 2100 Series
HOTFIX: Update Firepower 2100 Series to the patched version released by Cisco in March 2026 or later
Firepower 1000 Series
HOTFIX: Update Firepower 1000 Series to the patched version released by Cisco in March 2026 or later
Firepower 9000 Series
HOTFIX: Update Firepower 9000 Series to the patched version released by Cisco in March 2026 or later
Firepower 4100 Series
HOTFIX: Update Firepower 4100 Series to the patched version released by Cisco in March 2026 or later
Secure Firewall Threat Defense Virtual
HOTFIX: Update Secure Firewall Threat Defense Virtual to the patched version released by Cisco in March 2026 or later
Secure Firewall 3100 Series
HOTFIX: Update Secure Firewall 3100 Series to the patched version released by Cisco in March 2026 or later
Secure Firewall 4200 Series
HOTFIX: Update Secure Firewall 4200 Series to the patched version released by Cisco in March 2026 or later
Secure Firewall 1200 Series
HOTFIX: Update Secure Firewall 1200 Series to the patched version released by Cisco in March 2026 or later
3000 Series Industrial Security Appliances (ISA)
HOTFIX: Update 3000 Series Industrial Security Appliances to the patched version released by Cisco in March 2026 or later
API: /api/v1/advisories/f16c57ef-7a78-479b-80ee-65e510295f52
