Cisco Secure Firewall Threat Defense Software TLS with Snort 3 Detection Engine Denial of Service Vulnerability
Source: Monitor
Score: 5.8
Cisco advisory ID: cisco-sa-ftd-tcp-dos-rHfqnwRg
Date: Mar 4, 2026
Vendor: Cisco
Sectors: Energy, Manufacturing, Transportation
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in the TLS implementation of Cisco Secure Firewall Threat Defense (FTD) Software's Snort 3 Detection Engine allows an unauthenticated remote attacker to send a crafted TLS packet that causes the Snort 3 engine to crash and restart. This results in a denial of service condition where the firewall drops or fails to inspect network traffic. TLS 1.3 is not affected. The vulnerability affects all Firepower and Secure Firewall appliance models.
What this means
What could happen
A crafted TLS packet could cause the Snort 3 detection engine to crash and restart, interrupting traffic inspection and allowing unfiltered traffic to pass through your firewall until the device recovers.
Who's at risk
Energy utilities, manufacturing plants, and transportation operators using Cisco Secure Firewall appliances (Firepower 1000/2100/3000/4100/9000 Series, Secure Firewall 1200/3100/4200 Series, or FTD Virtual) should review their firewall configurations. Any organization relying on these devices for threat detection and traffic filtering is at risk of traffic bypass during an attack.
How it could be exploited
An attacker sends a malformed TLS packet to your firewall from the Internet. The Snort 3 engine processes it incorrectly due to a TLS implementation flaw, crashes, and restarts. During restart, traffic passes through uninspected. The attacker can repeat this to create ongoing service disruptions.
Prerequisites
- Network access to the firewall from an external or untrusted network
- TLS 1.2 or earlier enabled on the firewall (TLS 1.3 is not affected)
Tags: Remotely exploitable; No authentication required; Low complexity attack; Affects network security controls
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (9)
9 with fix
Product | Affected Versions | Fix Status
Firepower 2100 Series | All versions | Fix available
Firepower 1000 Series | All versions | Fix available
3000 Series Industrial Security Appliances (ISA) | All versions | Fix available
Firepower 9000 Series | All versions | Fix available
Firepower 4100 Series | All versions | Fix available
Secure Firewall Threat Defense Virtual | All versions | Fix available
Secure Firewall 3100 Series | All versions | Fix available
Secure Firewall 4200 Series | All versions | Fix available
Remediation & Mitigation
Do now
Workaround: In Secure FMC, configure SSL/decryption policies so that every TLS version checkbox is enabled in the version filtering rules; this prevents version negotiation mismatches.
Schedule — requires maintenance window
Note: Patching may require a device reboot; plan for process interruption.
Hotfix: Update Cisco Secure FTD software to the patched version released by Cisco.
CVEs (1)