Cisco Secure Firewall Threat Defense Software Snort Deep Inspection Bypass Vulnerability

Priority: Monitor | Score: 5.8 | Advisory ID: cisco-sa-ftd-snort-bypass-rLggKzVF | Date: Mar 4, 2026
Vendor: Cisco | Sectors: Energy, Manufacturing, Transportation
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

A vulnerability in the Snort 2 and Snort 3 deep packet inspection engine of Cisco Secure Firewall Threat Defense (FTD) Software allows an unauthenticated, remote attacker to bypass configured Snort intrusion detection rules. A logic error in rule integration causes different Snort rules to be applied when inspecting inner and outer packet connections. An attacker can send crafted traffic that bypasses rule enforcement, allowing denial of service or data exfiltration traffic to reach the network when it should have been blocked. Affects Firepower 2100, 1000, 4100, 9000 Series; ASA 5500-X; 3000 Series Industrial Security Appliances; Secure Firewall Threat Defense Virtual, 3100, 4200, and 1200 Series.

What this means
What could happen
An attacker can craft malicious network traffic that bypasses your Snort firewall rules, allowing unauthorized access, data exfiltration, or malware into your network that your firewall should have blocked. This could lead to breaches of critical operational networks in energy and manufacturing environments.
Who's at risk
Organizations operating energy, manufacturing, and transportation networks that rely on Cisco Secure Firewall platforms (Firepower series, ASA 5500-X, Secure Firewall 3100/4200/1200 Series, or Industrial Security Appliances 3000 Series) for intrusion detection and network access control. This impacts any facility using these firewalls as a primary security control between trusted operational networks and untrusted external networks.
How it could be exploited
An attacker sends specially crafted packets over the network to your Cisco firewall. The packets are designed to trigger different Snort rules when the outer and inner layers are inspected separately, causing the firewall to miss the violation and allow the traffic through. No authentication is required.
Prerequisites
  • Network-accessible Cisco Secure Firewall Threat Defense device
  • Snort deep packet inspection enabled on the firewall
  • No authentication required
Tags: remotely exploitable, no authentication required, low complexity, bypasses intrusion detection rules, affects critical infrastructure sectors
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (10)
10 with fix
Product | Affected Versions | Fix Status
Firepower 2100 Series | All versions | Fix available
Firepower 1000 Series | All versions | Fix available
ASA 5500-X Series Firewalls | All versions | Fix available
3000 Series Industrial Security Appliances (ISA) | All versions | Fix available
Firepower 9000 Series | All versions | Fix available
Firepower 4100 Series | All versions | Fix available
Secure Firewall Threat Defense Virtual | All versions | Fix available
Secure Firewall 3100 Series | All versions | Fix available
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Firepower 2100 Series
  • HOTFIX: Update Firepower 2100 Series to the patched version released by Cisco
Firepower 1000 Series
  • HOTFIX: Update Firepower 1000 Series to the patched version released by Cisco
ASA 5500-X Series Firewalls
  • HOTFIX: Update ASA 5500-X Series Firewalls to the patched version released by Cisco
All products
  • HOTFIX: Update 3000 Series Industrial Security Appliances to the patched version released by Cisco
  • HOTFIX: Update Firepower 9000, 4100 Series, and Secure Firewall 3100, 4200, 1200 Series, and Threat Defense Virtual to the patched versions released by Cisco
  • HARDENING: Review and test Snort rule configurations after patching to verify intrusion detection rules are functioning as expected