Cisco Secure Firewall Threat Defense Software Snort 3 SSL Memory Management Denial of Service Vulnerability

Rating: Monitor (CVSS 5.8)
Advisory ID: cisco-sa-ftd-snort3ssl-FBEKYXpH
Published: Mar 4, 2026
Vendor: Cisco
Sectors: Energy, Manufacturing
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A logic error in Snort 3 SSL packet inspection on Cisco Secure Firewall Threat Defense Software can be exploited by sending crafted SSL packets through an established connection, causing the Snort 3 Detection Engine to restart unexpectedly. This creates a temporary denial of service condition during which threat inspection is unavailable. The vulnerability affects all versions of the Secure Firewall 4200, 3100 and 1200 Series, the Firepower 2100, 1000, 9000 and 4100 Series, the Firepower 3000 Series Industrial Security Appliances, and Secure Firewall Threat Defense Virtual appliances.

What this means
What could happen
An attacker can send specially crafted SSL traffic through your firewall to crash the Snort detection engine, temporarily disabling threat inspection and potentially allowing malicious traffic to pass through unchecked.
Who's at risk
Organizations operating Cisco Secure Firewall appliances including the 4200, 3100, 1200, 2100, 1000, 9000, 4100 Series, Firepower industrial security appliances, or virtual deployments (FTDv) should assess their exposure, particularly in energy and manufacturing environments where firewall availability is critical to network defense.
How it could be exploited
An attacker sends crafted SSL packets through an established connection that traverses your Cisco firewall. The Snort 3 detection engine attempts to inspect the malformed SSL traffic, triggering a memory management error that causes the detection engine to restart. During the restart window, threat inspection is unavailable.
Prerequisites
  • Network path to your Cisco Secure Firewall must allow SSL traffic
  • Snort 3 SSL inspection must be enabled on the firewall
  • Attacker must have ability to send traffic through an established connection
Tags: remotely exploitable, no authentication required, low complexity, affects network security controls
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (9)
9 with fix
Product                                            Affected Versions   Fix Status
Secure Firewall 4200 Series                        All versions        Fix available
Firepower 2100 Series                              All versions        Fix available
Firepower 1000 Series                              All versions        Fix available
3000 Series Industrial Security Appliances (ISA)   All versions        Fix available
Firepower 9000 Series                              All versions        Fix available
Firepower 4100 Series                              All versions        Fix available
Secure Firewall Threat Defense Virtual             All versions        Fix available
Secure Firewall 3100 Series                        All versions        Fix available
Remediation & Mitigation
Do now
3000 Series Industrial Security Appliances (ISA)
WORKAROUND: Disable SSL inspection in Snort 3 if it is not required for your security policy
All products
HARDENING: Restrict inbound SSL traffic at the network boundary to only trusted sources and required ports
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Secure Firewall Threat Defense Software to the patched version provided by Cisco for your specific hardware model